Acrolinx score enhancement

windows/client-management/mdm/appv-deploy-and-config.md

@@ -23,7 +23,7 @@ manager: dansimp
 
 [EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md)
 
-The following shows the EnterpriseAppVManagement configuration service provider in tree format.
+The following example shows the EnterpriseAppVManagement configuration service provider in tree format.
 
 ```console
 ./Vendor/MSFT
@@ -54,7 +54,7 @@ EnterpriseAppVManagement
 ------------Policy
 ```
 
-<p>(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.</p>
+<p>(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following subnodes.</p>
 
 <p><b>AppVPublishing</b> - An exec action node that contains the App-V publishing configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.</p>
 
@@ -144,7 +144,7 @@ EnterpriseAppVManagement
 
 #### Configure App-V client
 
-<p>This example shows how to allow package scripts to run during package operations (publish, run, and unpublish).  Allowing package scripts assists in package deployments (add and publish of App-V apps).</p>
+<p>This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts helps package deployments (add and publish of App-V apps).</p>
 
 ```xml
 <Replace> 

windows/client-management/mdm/assignedaccess-csp.md

@@ -14,7 +14,7 @@ ms.date: 09/18/2018
 
 # AssignedAccess CSP
 
-The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
+The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user sign in that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
 
 For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app)
 
@@ -29,7 +29,7 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u
 > [!Note]
 > The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition.
 
-The following shows the AssignedAccess configuration service provider in tree format
+The following example shows the AssignedAccess configuration service provider in tree format
 
 ```
 ./Vendor/MSFT
@@ -54,7 +54,7 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u
 > Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective.
 
 > [!Note]
-> You cannot set both KioskModeApp and ShellLauncher at the same time on the device.
+> You can't set both KioskModeApp and ShellLauncher at the same time on the device.
 
 Starting in Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
 
@@ -69,7 +69,7 @@ Here's an example:
 > 
 > This applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in JSON string. 
 
-When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name.
+When the kiosk mode app is being configured, the account name will be used to find the target user. The account name includes domain name and user name.
 
 > [!Note]
 > The domain name can be optional if the user name is unique across the system.
@@ -80,7 +80,7 @@ For a local account, the domain name should be the device name. When Get is exec
 The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
 
 <a href="" id="assignedaccess-configuration"></a>**./Device/Vendor/MSFT/AssignedAccess/Configuration**
-Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
+Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). Here's the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
 
 > [!Note]
 > In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
@@ -91,18 +91,18 @@ Enterprises can use this to easily configure and manage the curated lockdown exp
 
 Supported operations are Add, Get, Delete, and Replace.
 
-Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (e.g. Start Layout).
+Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies back (for example, Start Layout).
 
 <a href="" id="assignedaccess-status"></a>**./Device/Vendor/MSFT/AssignedAccess/Status**
 Added in Windows 10, version 1803. This read only polling node allows MDM server to query the current KioskModeAppRuntimeStatus as long as the StatusConfiguration node is set to “On” or “OnWithAlerts”. If the StatusConfiguration is “Off”, a node not found error will be reported to the MDM server. Click [link](#status-example) to see an example SyncML. [Here](#assignedaccessalert-xsd) is the schema for the Status payload.
 
-In Windows 10, version 1803, Assigned Access runtime status only supports monitoring single app kiosk mode. Here are the possible status available for single app kiosk mode.
+In Windows 10, version 1803, Assigned Access runtime status only supports monitoring single app kiosk mode. Here are the possible statuses available for single app kiosk mode.
 
 |Status  |Description  |
 |---------|---------|---------|
-| KioskModeAppRunning | This means the kiosk app is running normally. |
+| KioskModeAppRunning | This status means the kiosk app is running normally. |
-| KioskModeAppNotFound | This occurs when the kiosk app is not deployed to the machine. |
+| KioskModeAppNotFound | This state occurs when the kiosk app isn't deployed to the machine. |
-| KioskModeAppActivationFailure | This happens when the assigned access controller detects the process terminated unexpectedly after exceeding the max retry. |
+| KioskModeAppActivationFailure | This state occurs when the assigned access controller detects the process terminated unexpectedly after exceeding the max retry. |
 
 > [!NOTE]
 > Status codes available in the Status payload correspond to a specific KioskModeAppRuntimeStatus.
@@ -145,7 +145,7 @@ Supported operation is Get.
 Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. Shell Launcher V2 is introduced in Windows 10, version 1903 to support both UWP and Win32 apps as the custom shell. For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllauncher).
 
 > [!Note]
-> You cannot set both ShellLauncher and KioskModeApp at the same time on the device.
+> You can't set both ShellLauncher and KioskModeApp at the same time on the device.
 >
 > Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature if it is available within the SKU. I. Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function.
 >
@@ -154,9 +154,9 @@ Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration
 <a href="" id="assignedaccess-statusconfiguration"></a>**./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration**
 Added in Windows 10, version 1803. This node accepts a StatusConfiguration xml as input to configure the Kiosk App Health monitoring. There are three possible values for StatusEnabled node inside StatusConfiguration xml: On, OnWithAlerts, and Off. Click [link](#statusconfiguration-xsd) to see the StatusConfiguration schema.
 
-By default the StatusConfiguration node does not exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node.
+By default, the StatusConfiguration node doesn't exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node.
 
-Optionally, the MDM server can opt-in to the MDM alert so a MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node.
+Optionally, the MDM server can opt in to the MDM alert so that an MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node.
 
 This MDM alert header is defined as follows:
 
@@ -431,7 +431,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
 </xs:schema>
 ```
 
-Here is the schema for new features introduced in Windows 10 1809 release
+Here's the schema for new features introduced in Windows 10 1809 release
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <xs:schema
@@ -506,7 +506,7 @@ Schema for Windows 10 prerelease
 </xs:schema>
 ```
 
-To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. e.g. to configure auto-launch feature which is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
+To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure auto-launch feature that is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
 ```xml
 <AssignedAccessConfiguration
     xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"

windows/client-management/mdm/azure-active-directory-integration-with-mdm.md

@@ -118,7 +118,7 @@ The MDM application uses keys to request access tokens from Azure AD. These keys
 
 Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery.
 
-1.  Log in to the Azure Management Portal using an admin account in your home tenant.
+1.  Log on to the Azure Management Portal using an admin account in your home tenant.
 
 2.  In the left navigation, select **Active Directory**.
 
@@ -134,7 +134,7 @@ Use the following steps to register a cloud-based MDM application with Azure AD.
 
 7.  Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then select **Next**.
 
-8.  Enter the login URL for your MDM service.
+8.  Enter the logon URL for your MDM service.
 
 9.  For the App ID, enter `https://<your_tenant_name>/ContosoMDM`, then select OK.
 
@@ -168,7 +168,7 @@ The application keys used by your MDM service are a sensitive resource. They sho
 
 For security best practices, see [Windows Azure Security Essentials](https://go.microsoft.com/fwlink/p/?LinkId=613715).
 
-You can rollover the application keys used by a cloud-based MDM service without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant.
+You can roll over the application keys used by a cloud-based MDM service without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant.
 
 For the on-premises MDM, the Azure AD authentication keys are within the customer tenant and must be rolled over by the customer's administrator. To improve security, provide guidance to customers about rolling over and protecting the keys.
 
@@ -326,7 +326,7 @@ The following table shows the error codes.
 |Cause|HTTP status|Error|Description|
 |--- |--- |--- |--- |
 |api-version|302|invalid_request|unsupported version|
-|Tenant or user data are missing or other required prerequisites for device enrollment are not met|302|unauthorized_client|unauthorized user or tenant|
+|Tenant or user data are missing or other required prerequisites for device enrollment aren't met|302|unauthorized_client|unauthorized user or tenant|
 |Azure AD token validation failed|302|unauthorized_client|unauthorized_client|
 |internal service error|302|server_error|internal service error|
 
@@ -358,7 +358,7 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove
 There are two different MDM enrollment types that integrate with Azure AD, and use Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
 
 <a href="" id="multiple-user-management-for-azure-ad-joined-devices"></a>**Multiple user management for Azure AD joined devices**
-In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an additional HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically MDM enrollment completes before Azure AD user sign in to machine and the initial management session does not contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
+In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
 
 <a href="" id="adding-a-work-account-and-mdm-enrollment-to-a-device"></a>**Adding a work account and MDM enrollment to a device**
 In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
@@ -370,7 +370,7 @@ The Azure AD token is in the HTTP Authorization header in the following format:
 Authorization:Bearer <Azure AD User Token Inserted here>
 ```
 
-Additional claims may be present in the Azure AD token, such as:
+More claims may be present in the Azure AD token, such as:
 
 -   User - user currently logged in
 -   Device compliance - value set the MDM service into Azure
@@ -411,9 +411,9 @@ An alert is sent to the MDM server in DM package\#1.
 
 -   Alert type - com.microsoft/MDM/LoginStatus
 -   Alert format - chr
--   Alert data - provide login status information for the current active logged in user.
+-   Alert data - provide sign-in status information for the current active logged in user.
-    -   Logged in user who has an Azure AD account - predefined text: user.
+    -   Signed-in user who has an Azure AD account - predefined text: user.
-    -   Logged in user without an Azure AD account- predefined text: others.
+    -   Signed-in user without an Azure AD account- predefined text: others.
     -   No active user - predefined text:none
 
 Here's an example.
@@ -477,7 +477,7 @@ Response:
 
 ## Data loss during unenrollment from Azure Active Directory Join
 
-When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
+When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data.
 
 ![aadj unenrollment.](images/azure-ad-unenrollment.png)
 

windows/client-management/mdm/bitlocker-csp.md

@@ -14,19 +14,19 @@ ms.collection: highpri
 ---
 # BitLocker CSP
 
-The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro.
+The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro.
 
 > [!NOTE]
-> Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes.
+> Settings are enforced only at the time encryption is started. Encryption isn't restarted with settings changes.
 > 
 > You must send all the settings together in a single SyncML to be effective.
 
 A `Get` operation on any of the settings, except for `RequireDeviceEncryption` and `RequireStorageCardEncryption`, returns
 the setting configured by the admin.
 
-For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
+For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption doesn't verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
 
-The following shows the BitLocker configuration service provider in tree format.
+The following example shows the BitLocker configuration service provider in tree format.
 
 ```console
 ./Device/Vendor/MSFT
@@ -84,7 +84,7 @@ Supported operations are Add, Get, Replace, and Delete.
 
 Status of OS volumes and encryptable fixed data volumes are checked with a Get operation. Typically, BitLocker/Device Encryption will follow whichever value [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) policy is set to. However, this policy setting will be ignored for self-encrypting fixed drives and self-encrypting OS drives.
 
-Encryptable fixed data volumes are treated similarly to OS volumes. However, fixed data volumes must meet additional criteria to be considered encryptable:
+Encryptable fixed data volumes are treated similarly to OS volumes. However, fixed data volumes must meet other criteria to be considered encryptable:
 
 - It must not be a dynamic volume.
 - It must not be a recovery partition.
@@ -95,8 +95,8 @@ Encryptable fixed data volumes are treated similarly to OS volumes. However, fix
 <!--SupportedValues-->
 The following list shows the supported values:
 
--   0 (default) —Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes.
+-   0 (default)—Disable. If the policy setting isn't set or is set to 0, the device's enforcement status isn't checked. The policy doesn't enforce encryption and it doesn't decrypt encrypted volumes.
--   1 – Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy).  
+-   1–Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy).  
 <!--/SupportedValues-->
 If you want to disable this policy, use the following SyncML:
 
@@ -154,9 +154,9 @@ ADMX Info:
 
 This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.
 
-If you enable this setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511.
+If you enable this setting you'll be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that aren't running Windows 10, version 1511.
 
-If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.
+If you disable or don't configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.
 
  Sample value for this node to enable this policy and set the encryption methods is:
 
@@ -178,7 +178,7 @@ EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for remov
 > [!NOTE]
 > When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status.  
 
-  If you want to disable this policy use the following SyncML: 
+  If you want to disable this policy, use the following SyncML: 
 
 ```xml
 <Replace>
@@ -228,11 +228,11 @@ ADMX Info:
 
 This setting is used to establish an identifier that is applied to all drives that are encrypted in your organization.
 
-Identifiers are usually stored as the identification field and the allowed identification field. You can configure the following identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde):
+Identifiers are stored as the identification field and the allowed identification field. You can configure the following identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde):
 
 - **BitLocker identification field**: It allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the Manage-bde command-line tool. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the drive matches the value that is configured for the identification field.
 
-- **Allowed BitLocker identification field**: The allowed identification field is used in combination with the 'Deny write access to removable drives not protected by BitLocker' policy setting to help control the use of removable drives in your organization. It is a comma-separated list of identification fields from your organization or external organizations.
+- **Allowed BitLocker identification field**: The allowed identification field is used in combination with the 'Deny write access to removable drives not protected by BitLocker' policy setting to help control the use of removable drives in your organization. It's a comma-separated list of identification fields from your organization or external organizations.
 
 >[!Note]
 >When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an outside organization.
@@ -245,12 +245,12 @@ Sample value for this node to enable this policy is:
 <enabled/><data id="IdentificationField" value="BitLocker-ID1"/><data id="SecIdentificationField" value="Allowed-BitLocker-ID2"/>
 ```
 
-Data Id:
+Data ID:
 
 - IdentificationField: BitLocker identification field
 - SecIdentificationField: Allowed BitLocker identification field
 
-If you disable or do not configure this setting, the identification field is not required.
+If you disable or don't configure this setting, the identification field isn't required.
 
 >[!Note]
 >Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value up to 260 characters.
@@ -286,7 +286,7 @@ ADMX Info:
 > [!TIP]
 > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
 
-This setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This overrides the "Require startup PIN with TPM" option of the "Require additional authentication at startup" policy on compliant hardware.
+This setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This setting overrides the "Require startup PIN with TPM" option of the "Require additional authentication at startup" policy on compliant hardware.
 
 If you enable this policy setting, users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without pre-boot authentication.
 
@@ -331,9 +331,9 @@ ADMX Info:
 This setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. Enhanced startup PINs permit the usage of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker.
 
 >[!Note]
->Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.
+>Not all computers support enhanced PIN characters in the preboot environment. It's strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.
 
-If you enable this policy setting, all new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected.
+If you enable this policy setting, all new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs aren't affected.
 
 Sample value for this node to enable this policy is:
 
@@ -341,7 +341,7 @@ Sample value for this node to enable this policy is:
 <enabled/>
 ```
 
-If you disable or do not configure this policy setting, enhanced PINs will not be used.
+If you disable or don't configure this policy setting, enhanced PINs won't be used.
 <!--/Policy-->
 
 <!--Policy-->
@@ -378,9 +378,9 @@ This policy setting allows you to configure whether or not standard users are al
 >[!Note]
 >To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when you turn on BitLocker.
 
-If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords.
+If you enable this policy setting, standard users won't be allowed to change BitLocker PINs or passwords.
 
-If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs or passwords.
+If you disable or don't configure this policy setting, standard users will be permitted to change BitLocker PINs or passwords.
 
 Sample value for this node to disable this policy is:
 
@@ -418,9 +418,9 @@ ADMX Info:
 > [!TIP]
 > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
 
-The Windows touch keyboard (such as used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password.
+The Windows touch keyboard (such as used by tablets) isn't available in the preboot environment where BitLocker requires additional information, such as a PIN or password.
 
-It is recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard.
+It's recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard.
 
 Sample value for this node to enable this policy is:
 
@@ -429,10 +429,10 @@ Sample value for this node to enable this policy is:
 ```
 
 If this policy is disabled, the Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password.
-When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard.
+When the Windows Recovery Environment isn't enabled and this policy isn't enabled, you can't turn on BitLocker on a device that uses the Windows touch keyboard.
 
 >[!Note]
->If you do not enable this policy setting, the following options in the **Require additional authentication at startup policy** might not be available:
+>If you don't enable this policy setting, the following options in the **Require additional authentication at startup policy** might not be available:
 >
 >- Configure TPM startup PIN: Required and Allowed
 >- Configure TPM startup key and PIN: Required and Allowed
@@ -471,7 +471,7 @@ ADMX Info:
 
 This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
 
-If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.
+If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard.
 
 Sample value for this node to enable this policy is:
 
@@ -483,7 +483,7 @@ If this policy is disabled, the BitLocker Setup Wizard asks the user to select t
 
 >[!Note]
 >This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. 
->For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: manage-bde -w. If the volume is shrunk, no action is taken for the new free space.
+>For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: manage-bde -w. If the volume is shrunk, no action is taken for the new free space.
 
 For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
 
@@ -507,7 +507,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Require addition
 <!--ADMXMapped-->
 ADMX Info:
 <ul>
-<li>GP Friendly name: <em>Require additional authentication at startup</em></li>
+<li>GP Friendly name: <em>Require more authentication at startup</em></li>
 <li>GP name: <em>ConfigureAdvancedStartup_Name</em></li>
 <li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
 <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@@ -517,12 +517,12 @@ ADMX Info:
 > [!TIP]
 > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
 
-This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker.
+This setting allows you to configure whether BitLocker requires more authentication each time the computer starts and whether you're using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker.
 
 > [!NOTE]
 > Only one of the additional authentication options can be required at startup, otherwise an error occurs.
 
-If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.
+If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When a startup key is being used, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you've forgotten the password, then you'll need to use one of the BitLocker recovery options to access the drive.
 
 On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.
 
@@ -531,21 +531,21 @@ On a computer with a compatible TPM, four types of authentication methods can be
 
 If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.
 
-If you disable or do not configure this setting, users can configure only basic options on computers with a TPM.
+If you disable or don't configure this setting, users can configure only basic options on computers with a TPM.
 
 > [!NOTE]
 > If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
 
 > [!NOTE] 
 > Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern 
-> Standby devices will not be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN.
+> Standby devices won't be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN.
 
 Sample value for this node to enable this policy is:
 
 ```xml
 <enabled/><data id="ConfigureNonTPMStartupKeyUsage_Name" value="xx"/><data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="yy"/><data id="ConfigurePINUsageDropDown_Name" value="yy"/><data id="ConfigureTPMPINKeyUsageDropDown_Name" value="yy"/><data id="ConfigureTPMUsageDropDown_Name" value="yy"/>
 ```
-Data id:
+Data ID:
 <ul>
 <li>ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).</li>
 <li>ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key.</li>
@@ -567,7 +567,7 @@ The possible values for 'yy' are:
 <li>0 = Disallowed</li>
 </ul>
 <!--/SupportedValues-->
-Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
+Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML:
 
 ```xml
  <Replace>
@@ -614,16 +614,16 @@ ADMX Info:
 > [!TIP]
 > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
 
-This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.
+This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of six digits and can have a maximum length of 20 digits.
 
 > [!NOTE]
 > In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits. 
 >
->In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This does not apply to TPM 1.2.
+>In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This doesn't apply to TPM 1.2.
 
 If you enable this setting, you can require a minimum number of digits to be used when setting the startup PIN.
 
-If you disable or do not configure this setting, users can configure a startup PIN of any length between 6 and 20 digits.
+If you disable or don't configure this setting, users can configure a startup PIN of any length between 6 and 20 digits.
 
 Sample value for this node to enable this policy is:
 
@@ -631,7 +631,7 @@ Sample value for this node to enable this policy is:
 <enabled/><data id="MinPINLength" value="xx"/>
 ```
 
-Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
+Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML:
 
 ```xml
  <Replace>
@@ -683,7 +683,7 @@ ADMX Info:
 This setting lets you configure the entire recovery message or replace the existing URL that is displayed on the pre-boot key recovery screen when the OS drive is locked.
 
 
-If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).</o>
+If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you've previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).</o>
 
 If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.
 
@@ -707,7 +707,7 @@ The possible values for 'xx' are:
 > [!NOTE]
 > When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status.
 
-Disabling the policy will let the system choose the default behaviors.  If you want to disable this policy use the following SyncML:
+Disabling the policy will let the system choose the default behaviors.  If you want to disable this policy, use the following SyncML:
 
 ```xml
 <Replace>
@@ -725,7 +725,7 @@ Disabling the policy will let the system choose the default behaviors.  If you w
 ```
 
 > [!NOTE]
-> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
+> Not all characters and languages are supported in pre-boot. It's strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
 
 Data type is string. Supported operations are Add, Get, Replace, and Delete.
 <!--/Policy-->
@@ -760,22 +760,22 @@ ADMX Info:
 
 This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.
 
-The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
+The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet.
 
 In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
 
-Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
+Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This setting means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
 
 Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.
 
-Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
+Set the "OSRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
 
 > [!NOTE]
-> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
+> If the "OSRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
 
 If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.
 
-If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
+If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information isn't backed up to AD DS.
 
 Sample value for this node to enable this policy is:
 
@@ -796,7 +796,7 @@ The possible values for 'zz' are:
 - 2 = Store recovery passwords only
 - 1 = Store recovery passwords and key packages
 <!--/SupportedValues-->
-Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
+Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML:
 
 ```xml
  <Replace>
@@ -846,24 +846,24 @@ ADMX Info:
 
 This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.
 
-The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
+The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet.
 
 In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
 
-Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
+Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This setting means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
 
 Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.
 
-Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
+Set the "FDVRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
 
 Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.
 
 > [!NOTE]
-> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.
+> If the "FDVRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.
 
 If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.
 
-If this setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
+If this setting isn't configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information isn't backed up to AD DS.
 
 Sample value for this node to enable this policy is:
 
@@ -891,7 +891,7 @@ The possible values for 'zz' are:
 <li>1 = Store recovery passwords and key packages</li>
 </ul>
 <!--/SupportedValues-->
-Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
+Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML:
 
 ```xml
  <Replace>
@@ -941,7 +941,7 @@ ADMX Info:
 
 This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.
 
-If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
+If you enable this setting, all fixed data drives that aren't BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
 
 Sample value for this node to enable this policy is:
 
@@ -949,7 +949,7 @@ Sample value for this node to enable this policy is:
 <enabled/>
 ```
 
-If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML:
+If you disable or don't configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy, use the following SyncML:
 
 ```xml
  <Replace>
@@ -1001,7 +1001,7 @@ This policy setting is applied when you turn on BitLocker and controls whether f
 
 Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
 
-If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard.
+If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives, and the encryption type option isn't presented in the BitLocker Setup Wizard.
 
 Sample value for this node to enable this policy is:
 
@@ -1012,8 +1012,8 @@ Sample value for this node to enable this policy is:
 If this policy is disabled, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.
 
 >[!Note]
->This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. 
+>This policy is ignored when you're shrinking or expanding a volume and the BitLocker driver uses the current encryption method. 
->For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: manage-bde -w. If the volume is shrunk, no action is taken for the new free space.
+>For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: manage-bde -w. If the volume is shrunk, no action is taken for the new free space.
 
 For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
 
@@ -1049,11 +1049,11 @@ ADMX Info:
 
 This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
 
-If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
+If you enable this setting, all removable data drives that aren't BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
 
-If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.
+If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.
 
-If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
+If you disable or don't configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
 
 > [!NOTE]
 > This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
@@ -1070,7 +1070,7 @@ The possible values for 'xx' are:
 <li>false = Policy not set</li>
 </ul>
 <!--/SupportedValues-->
-Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
+Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML:
 
 ```xml
  <Replace>
@@ -1120,7 +1120,7 @@ This policy controls whether removed data drives utilize Full encryption or Used
 
 Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
 
-If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.
+If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard.
 
 Sample value for this node to enable this policy is:
 
@@ -1166,7 +1166,7 @@ For information about suspending BitLocker protection, see [BitLocker Basic Depl
 
 The options for choosing property settings that control how users can configure BitLocker are:
 
-- **Allow users to apply BitLocker protection on removable data drives**: Enables the user to enable BitLocker on a removable data drives.
+- **Allow users to apply BitLocker protection on removable data drives**: Enables the user to enable BitLocker on a removable data drive.
 - **Allow users to suspend and decrypt BitLocker on removable data drives**: Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance.
 
 If you enable this policy setting, you can select property settings that control how users can configure BitLocker.
@@ -1176,13 +1176,13 @@ Sample value for this node to enable this policy is:
 ```xml
 <enabled/><data id="RDVAllowBDE_Name" value="true"/><data id="RDVDisableBDE_Name" value="true"/>
 ```
-Data id:
+Data ID:
 - RDVAllowBDE_Name: Allow users to apply BitLocker protection on removable data drives
 - RDVDisableBDE_Name: Allow users to suspend and decrypt BitLocker on removable data drives
 
-If this policy is disabled,users cannot use BitLocker on removable disk drives.
+If this policy is disabled, users can't use BitLocker on removable disk drives.
 
-If you do not configure this policy setting, users can use BitLocker on removable disk drives.
+If you don't configure this policy setting, users can use BitLocker on removable disk drives.
 
 <!--/Policy-->
 <!--Policy-->
@@ -1247,7 +1247,7 @@ Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where pol
 
 "AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy  being set to "0", i.e, silent encryption is enforced.
 
-If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system.
+If "AllowWarningForOtherDiskEncryption" isn't set, or is set to "1", "RequireDeviceEncryption" policy won't try to encrypt drive(s) if a standard user is the current logged on user in the system.
 <!--SupportedSKUs-->
 
 |Edition|Windows 10|Windows 11|
@@ -1263,9 +1263,9 @@ If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDe
 The expected values for this policy are:
 
 - 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.
-- 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive.
+- 0 = This value is the default value, when the policy isn't set. If current logged on user is a standard user, "RequireDeviceEncryption" policy won't try to enable encryption on any drive.
 <!--/SupportedValues-->
-If you want to disable this policy use the following SyncML:
+If you want to disable this policy, use the following SyncML:
 
 ```xml
  <Replace>
@@ -1322,16 +1322,16 @@ Supported values are:
 
 <!--Description-->
 
-This setting refreshes all recovery passwords for OS and fixed drives (removable drives are not included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. In case of errors, an error code will be returned so that server can take appropriate action to remediate.
+This setting refreshes all recovery passwords for OS and fixed drives (removable drives aren't included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. If errors occur, an error code will be returned so that server can take appropriate action to remediate.
 <!--/Description-->
 
 The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure.  
 
-Policy type is Execute. When “Execute Policy” is pushed, the client sets the status as Pending and initiates an asynchronous rotation operation. After refresh is complete, pass or fail status is updated. The client will not retry, but if needed, the server can re-issue the execute request. 
+Policy type is Execute. When “Execute Policy” is pushed, the client sets the status as Pending and initiates an asynchronous rotation operation. After refresh is complete, pass or fail status is updated. The client won't retry, but if needed, the server can reissue the execute request. 
 
 Server can call Get on the RotateRecoveryPasswordsRotationStatus node to query the status of the refresh. 
 
-Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices cannot refresh recovery passwords if they are only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account. 
+Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices can't refresh recovery passwords if they're only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account. 
 
 Each server-side recovery key rotation is represented by a request ID. The server can query the following nodes to make sure it reads status/result for same rotation request.
 - RotateRecoveryPasswordsRequestID: Returns request ID of last request processed.
@@ -1387,26 +1387,26 @@ Value type is int. Supported operation is Get.
 
 Supported values:  
 - 0 - Indicates that the device is compliant.
-- Any non-zero value - Indicates that the device is not compliant. This value represents a bitmask with each bit and the corresponding error code described in the following table:
+- Any non-zero value - Indicates that the device isn't compliant. This value represents a bitmask with each bit and the corresponding error code described in the following table:
 
 | Bit | Error Code |
 |-----|------------|
 | 0 |The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.|
-| 1 |The encryption method of the OS volume doesn't match the BitLocker policy.|
+| 1 |The encryption method of the OS volume does not match the BitLocker policy.|
 | 2 |The OS volume is unprotected.|
-| 3 |The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.|
+| 3 |The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection is not used.|
-| 4 |The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.|
+| 4 |The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector is not used.|
-| 5 |The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector isn't used.|
+| 5 |The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector is not used.|
-| 6 |The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector isn't used.|
+| 6 |The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector is not used.|
-| 7 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.|
+| 7 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM is not used.|
 | 8 |Recovery key backup failed.|
 | 9 |A fixed drive is unprotected.|
-| 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.|
+| 10 |The encryption method of the fixed drive does not match the BitLocker policy.|
 | 11 |To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.|
-| 12 |Windows Recovery Environment (WinRE) isn't configured.|
+| 12 |Windows Recovery Environment (WinRE) is not configured.|
-| 13 |A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. |
+| 13 |A TPM is not available for BitLocker, either because it is not present, it has been made unavailable in the Registry, or the OS is on a removable drive. |
-| 14 |The TPM isn't ready for BitLocker.|
+| 14 |The TPM is not ready for BitLocker.|
-| 15 |The network isn't available, which is required for recovery key backup. |
+| 15 |The network is not available, which is required for recovery key backup. |
 | 16-31 |For future use.|
 
 <!--/SupportedValues-->
@@ -1421,7 +1421,7 @@ Supported values:
 This node reports the status of RotateRecoveryPasswords request. 
 <!--/Description-->
 
-Status code can be one of the following:  
+Status code can be one of the following values:  
 
 - 2 – Not started
 - 1 - Pending
@@ -1467,7 +1467,7 @@ Value type is string. Supported operation is Get.
 
 ### SyncML example
 
-The following example is provided to show proper format and should not be taken as a recommendation.
+The following example is provided to show proper format and shouldn't be taken as a recommendation.
 
 ```xml
 <SyncML xmlns="SYNCML:SYNCML1.2">

windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md

@@ -1,6 +1,6 @@
 ---
 title: Bulk enrollment
-description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and Windows 11.
+description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and Windows 11.
 MS-HAID: 
   - 'p\_phdevicemgmt.bulk\_enrollment'
   - 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
@@ -18,7 +18,7 @@ ms.date: 06/26/2017
 
 # Bulk enrollment
 
-Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
+Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
 
 ## Typical use cases
 
@@ -28,7 +28,7 @@ Bulk enrollment is an efficient way to set up a large number of devices to be ma
 -   Set up industrial machinery.
 -   Set handheld POS devices.
 
-On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can log in to use it. This is especially useful in getting a large number of desktop ready to use within a domain.
+On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain.
 
 On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
 
@@ -63,21 +63,21 @@ Using the WCD, create a provisioning package using the enrollment information re
 5. Skip **Import a provisioning package (optional)** and click **Finish**.
 6. Expand **Runtime settings** > **Workplace**.
 7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**.
-   The UPN is a unique identifier for the enrollment. For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
+   The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
 8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
-   Here is the list of available settings:
+   Here's the list of available settings:
    -   **AuthPolicy** - Select **OnPremise**.
    -   **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
    -   **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
    -   **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
    -   **Secret** - Password
    For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
-   Here is the screenshot of the WCD at this point.
+   Here's the screenshot of the WCD at this point.
    
     ![bulk enrollment screenshot.](images/bulk-enrollment.png)
-9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
+9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
-10. When you are done adding all the settings, on the **File** menu, click **Save**.
+10. When you're done adding all the settings, on the **File** menu, click **Save**.
-11. On the main menu click **Export** > **Provisioning package**.
+11. On the main menu, click **Export** > **Provisioning package**.
 
     ![icd menu for export.](images/bulk-enrollment2.png)
 12. Enter the values for your package and specify the package output location.
@@ -112,17 +112,17 @@ Using the WCD, create a provisioning package using the enrollment information re
 7. Specify the workplace settings.
    1. Got to **Workplace** > **Enrollments**.
    2. Enter the **UPN** for the enrollment and then click **Add**.
-      The UPN is a unique identifier for the enrollment. For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
+      The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
    3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
-      Here is the list of available settings:
+      Here's the list of available settings:
       -   **AuthPolicy** - Select **Certificate**.
       -   **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
       -   **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
       -   **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
       -   **Secret** - the certificate thumbprint.
       For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
-8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
+8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
-9. When you are done adding all the settings, on the **File** menu, click **Save**.
+9. When you're done adding all the settings, on the **File** menu, click **Save**.
 10. Export and build the package (steps 10-13 in the procedure above).
 11. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
 12. Apply the package to your devices.
@@ -145,17 +145,17 @@ Here's the list of topics about applying a provisioning package:
 
 1.  Go to **Settings** > **Accounts** > **Access work or school**.
 2.  Click **Add or remove a provisioning package**.
-    You should see the your package listed.
+    You should see your package listed.
 
 ## Retry logic in case of a failure
 
-If the provisioning engine receives a failure from a CSP it will retry to provision 3 times in a row.
+If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row.
 
-If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry 4 times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from a SYSTEM context.
+If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from a SYSTEM context.
 
-It will also retry to apply the provisioning each time it is launched, if started from somewhere else as well.
+It will also retry to apply the provisioning each time it's launched, if started from somewhere else as well.
 
-In addition, provisioning will be restarted in a SYSTEM context after a login and the system has been idle ([details on idle conditions](/windows/win32/taskschd/task-idle-conditions)).
+In addition, provisioning will be restarted in a SYSTEM context after a sign in and the system has been idle ([details on idle conditions](/windows/win32/taskschd/task-idle-conditions)).
 
 ## Other provisioning topics
 

windows/client-management/mdm/cellularsettings-csp.md

@@ -19,7 +19,7 @@ The CellularSettings configuration service provider is used to configure cellula
 > [!Note]
 > Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
 
-The following shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
+The following example shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol isn't supported with this configuration service provider.
 
 ```console
 ./Vendor/MSFT

windows/client-management/mdm/certificatestore-csp.md

@@ -1,6 +1,6 @@
 ---
 title: CertificateStore CSP
-description: Use the The CertificateStore configuration service provider (CSP) to add secure socket layers (SSL), intermediate, and self-signed certificates.
+description: Use the CertificateStore configuration service provider (CSP) to add secure socket layers (SSL), intermediate, and self-signed certificates.
 ms.assetid: 0fe28629-3cc3-42a0-91b3-3624c8462fd3
 ms.reviewer: 
 manager: dansimp
@@ -23,9 +23,9 @@ The CertificateStore configuration service provider is used to add secure socket
 
  
 
-For the CertificateStore CSP, you cannot use the Replace command unless the node already exists.
+For the CertificateStore CSP, you can't use the Replace command unless the node already exists.
 
-The following shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
+The following example shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
 
 ```
 ./Vendor/MSFT
@@ -127,7 +127,7 @@ Supported operation is Get.
  
 
 <a href="" id="my-user"></a>**My/User**  
-Defines the certificate store that contains public keys for client certificates. This is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications.
+Defines the certificate store that contains public keys for client certificates. This certificate store is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications.
 
 Supported operation is Get.
 
@@ -137,7 +137,7 @@ Supported operation is Get.
  
 
 <a href="" id="my-system"></a>**My/System**  
-Defines the certificate store that contains public key for client certificate. This is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading.
+Defines the certificate store that contains public key for client certificate. This certificate store is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading.
 
 Supported operation is Get.
 
@@ -152,27 +152,27 @@ Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certifi
 Supported operations are Get, Delete, and Replace.
 
 <a href="" id="certhash-encodedcertificate"></a>***CertHash*/EncodedCertificate**  
-Required. Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.
+Required. Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value can't include extra formatting characters such as embedded linefeeds, etc.
 
 Supported operations are Get, Add, Delete, and Replace.
 
 <a href="" id="certhash-issuedby"></a>***CertHash*/IssuedBy**  
-Required. Returns the name of the certificate issuer. This is equivalent to the *Issuer* member in the CERT\_INFO data structure.
+Required. Returns the name of the certificate issuer. This name is equivalent to the *Issuer* member in the CERT\_INFO data structure.
 
 Supported operation is Get.
 
 <a href="" id="certhash-issuedto"></a>***CertHash*/IssuedTo**  
-Required. Returns the name of the certificate subject. This is equivalent to the *Subject* member in the CERT\_INFO data structure.
+Required. Returns the name of the certificate subject. This name is equivalent to the *Subject* member in the CERT\_INFO data structure.
 
 Supported operation is Get.
 
 <a href="" id="certhash-validfrom"></a>***CertHash*/ValidFrom**  
-Required. Returns the starting date of the certificate's validity. This is equivalent to the *NotBefore* member in the CERT\_INFO structure.
+Required. Returns the starting date of the certificate's validity. This date is equivalent to the *NotBefore* member in the CERT\_INFO structure.
 
 Supported operation is Get.
 
 <a href="" id="certhash-validto"></a>***CertHash*/ValidTo**  
-Required. Returns the expiration date of the certificate. This is equivalent to the *NotAfter* member in the CERT\_INFO structure.
+Required. Returns the expiration date of the certificate. This expiration date is equivalent to the *NotAfter* member in the CERT\_INFO structure.
 
 Supported operation is Get.
 
@@ -224,25 +224,25 @@ Required. Specifies the extended key usages and subject to SCEP server configura
 Supported operations are Get, Add, Delete, and Replace.
 
 <a href="" id="my-scep-uniqueid-install-keyusage"></a>**My/SCEP/*UniqueID*/Install/KeyUsage**  
-Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or fourth (0x80) or both bits set. If the value does not have those bits set, configuration will fail. Value type is an integer.
+Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or fourth (0x80) or both bits set. If the value doesn't have those bits set, configuration will fail. Value type is an integer.
 
 Supported operations are Get, Add, Delete, and Replace.
 
 <a href="" id="my-scep-uniqueid-install-subjectname"></a>**My/SCEP/*UniqueID*/Install/SubjectName**  
 Required. Specifies the subject name. 
 
-The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;”  ).
+The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;”).
 
-For more details, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks).
+For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks).
 
 Value type is chr.
 
 Supported operations are Get, Add, Delete, and Replace.
 
 <a href="" id="my-scep-uniqueid-install-keyprotection"></a>**My/SCEP/*UniqueID*/Install/KeyProtection**  
-Optional. Specifies the location of the private key. Although the private key is protected by TPM, it is not protected with TPM PIN. SCEP enrolled certificate does not support TPM PIN protection.
+Optional. Specifies the location of the private key. Although the private key is protected by TPM, it isn't protected with TPM PIN. SCEP enrolled certificate doesn't support TPM PIN protection.
 
-Supported values are one of the following:
+Supported values are one of the following values:
 
 -   1 – Private key is protected by device TPM.
 
@@ -260,12 +260,12 @@ Optional. Specifies the device retry waiting time in minutes when the SCEP serve
 Supported operations are Get, Add, and Delete.
 
 <a href="" id="my-scep-uniqueid-install-retrycount"></a>**My/SCEP/*UniqueID*/Install/RetryCount**  
-Optional. Special to SCEP. Specifies the device retry times when the SCEP server sends pending status. Value type is an integer. Default value is 3. Max value cannot be larger than 30. If it is larger than 30, the device will use 30. The min value is 0, which means no retry.
+Optional. Special to SCEP. Specifies the device retry times when the SCEP server sends pending status. Value type is an integer. Default value is 3. Max value can't be larger than 30. If it's larger than 30, the device will use 30. The min value is 0, which means no retry.
 
 Supported operations are Get, Add, Delete, and Replace.
 
 <a href="" id="my-scep-uniqueid-install-templatename"></a>**My/SCEP/*UniqueID*/Install/TemplateName**  
-Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server; therefore, the MDM server typically does not need to provide it. Value type is chr.
+Optional. OID of certificate template name. This name is typically ignored by the SCEP server; therefore, the MDM server typically doesn't need to provide it. Value type is chr.
 
 Supported operations are Get, Add, and Delete.
 
@@ -282,7 +282,7 @@ Value type is chr.
 Supported operations are Get, Add, Delete, and Replace.
 
 <a href="" id="my-scep-uniqueid-install-cathumbprint"></a>**My/SCEP/*UniqueID*/Install/CAThumbprint**  
-Required. Specifies the root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks CA certificate from SCEP server for a match with this certificate. If it does not match, the authentication fails. Value type is chr.
+Required. Specifies the root CA thumbprint. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks CA certificate from SCEP server for a match with this certificate. If it doesn't match, the authentication fails. Value type is chr.
 
 Supported operations are Get, Add, Delete, and Replace.
 
@@ -296,7 +296,7 @@ Optional. Specifies the units for the valid period. Value type is chr.
 
 Supported operations are Get, Add, Delete, and Replace.
 
-Valid values are one of the following:
+Valid values are one of the following values:
 
 -   Days (default)
 -   Months
@@ -318,7 +318,7 @@ Supported operations are Get, Add, Delete, and Replace.
  
 
 <a href="" id="my-scep-uniqueid-install-enroll"></a>**My/SCEP/*UniqueID*/Install/Enroll**  
-Required. Triggers the device to start the certificate enrollment. The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node does not contain a value.
+Required. Triggers the device to start the certificate enrollment. The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node doesn't contain a value.
 
 Supported operation is Exec.
 
@@ -332,11 +332,11 @@ Required. Specifies the latest status for the certificate due to enrollment requ
 
 Supported operation is Get.
 
-Valid values are one of the following:
+Valid values are one of the following values:
 
 -   1 – Finished successfully.
 
--   2 – Pending. The device has not finished the action, but has received the SCEP server pending response.
+-   2 – Pending. The device hasn't finished the action, but has received the SCEP server pending response.
 
 -   16 - Action failed.
 
@@ -348,7 +348,7 @@ Optional. The integer value that indicates the HRESULT of the last enrollment er
 Supported operation is Get.
 
 <a href="" id="my-scep-uniqueid-certthumbprint"></a>**My/SCEP/*UniqueID*/CertThumbprint**  
-Optional. Specifies the current certificate thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Value type is chr.
+Optional. Specifies the current certificate thumbprint if certificate enrollment succeeds. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Value type is chr.
 
 Supported operation is Get.
 
@@ -368,7 +368,7 @@ Optional. The parent node to group renewal related settings.
 Supported operation is Get.
 
 <a href="" id="my-wstep-renew-serverurl"></a>**My/WSTEP/Renew/ServerURL**  
-Optional. Specifies the URL of certificate renewal server. If this node does not exist, the client uses the initial certificate enrollment URL.
+Optional. Specifies the URL of certificate renewal server. If this node doesn't exist, the client uses the initial certificate enrollment URL.
 
 > [!NOTE]
 > The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service.
@@ -378,7 +378,7 @@ Optional. Specifies the URL of certificate renewal server. If this node does not
 Supported operations are Add, Get, Delete, and Replace.
 
 <a href="" id="my-wstep-renew-renewalperiod"></a>**My/WSTEP/Renew/RenewalPeriod**  
-Optional. The time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server cannot set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It is recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity.
+Optional. The time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server can't set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity.
 
 The default value is 42 and the valid values are 1 – 1000. Value type is an integer.
 
@@ -422,7 +422,7 @@ Required. Shows the latest action status for this certificate. Value type is an
 
 Supported operation is Get.
 
-Supported values are one of the following:
+Supported values are one of the following values:
 
 -   0 – Not started.