Merge branch 'main' into sheshachary-5859198-2

.openpublishing.redirection.json

@@ -19448,7 +19448,7 @@
     {
       "source_path": "windows/security/threat-protection/intelligence/supply-chain-malware.md",
       "redirect_url": "/microsoft-365/security/intelligence/supply-chain-malware",
-      "redirect_document_id": true  
+      "redirect_document_id": false 
     },
     {
       "source_path": "windows/security/threat-protection/intelligence/support-scams.md",
@@ -19498,7 +19498,7 @@
     { 
      "source_path": "education/itadmins.yml",
      "redirect_url": "/education",
-     "redirect_document_id": true
+     "redirect_document_id": false
     },
     { 
      "source_path": "education/partners.yml",
@@ -19539,6 +19539,16 @@
       "source_path": "windows/client-management/mdm/messaging-csp.md",
       "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
       "redirect_document_id": false
+     },
+     { 
+      "source_path": "windows/client-management/mdm/policymanager-csp.md",
+      "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+      "redirect_document_id": false
+     }, 
+     { 
+      "source_path": "windows/client-management/mdm/proxy-csp.md",
+      "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+      "redirect_document_id": false
      }      
   ]
 }

education/windows/windows-11-se-overview.md

@@ -52,6 +52,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run
 |DRC INSIGHT Online Assessments	        |12.0.0.0  |Store    |Data recognition Corporation|
 |Duo from Cisco	                        |2.25.0     |Win32    |Cisco|
 |e-Speaking Voice and Speech recognition	|4.4.0.8 |Win32   |e-speaking|
+|eTests                                 |4.0.25    |Win32   |CASAS|
 |FortiClient	                        |7.0.1.0083	|Win32    |Fortinet|
 |Free NaturalReader	                    |16.1.2	    |Win32    |Natural Soft|
 |GoGuardian	                            |1.4.4	   |Win32     |GoGuardian|

windows/client-management/mdm/cmpolicyenterprise-csp.md

@@ -14,6 +14,16 @@ ms.date: 06/26/2017
 
 # CMPolicyEnterprise CSP
 
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|No|No|
+|Education|No|No|
+
 The CMPolicyEnterprise configuration service provider is used by the enterprise to define rules that the Connection Manager uses to identify the correct connection for a connection request.
 
 > [!NOTE]
@@ -21,9 +31,12 @@ The CMPolicyEnterprise configuration service provider is used by the enterprise
 
 Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies
 
+Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies
+
+
 **Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
 
-**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
+**Default Policies**: Policies are applied in the order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
 
 The following shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
 
@@ -72,7 +85,8 @@ Specifies whether the list of connections is in preference order.
 A value of "0" specifies that the connections aren't listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
 
 <a href="" id="connxxx"></a>**Conn**<strong>*XXX*</strong>  
-Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits that increment starting from "000". For example, a policy applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
+
+Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three-digits, which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
 
 <a href="" id="connectionid"></a>**ConnectionID**  
 Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter.
@@ -90,7 +104,6 @@ For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. Th
 |Wi-Fi|{8568B401-858E-4B7B-B3DF-0FD4927F131B}|
 |Wi-Fi hotspot|{072FC7DC-1D93-40D1-9BB0-2114D7D73434}|
 
- 
 
 For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available:
 
@@ -133,7 +146,6 @@ Specifies the type of connection being referenced. The following list describes
 
 ## OMA client provisioning examples
 
-
 Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
 
 ```xml
@@ -227,7 +239,6 @@ Adding a host-based mapping policy. In this example, the ConnectionId for type C
 
 ## OMA DM examples
 
-
 Adding an application-based mapping policy:
 
 ```xml
@@ -364,7 +375,6 @@ Adding a host-based mapping policy:
 
 ## Microsoft Custom Elements
 
-
 |Element|Available|
 |--- |--- |
 |parm-query|Yes|
@@ -373,7 +383,6 @@ Adding a host-based mapping policy:
 
 ## Related topics
 
-
 [Configuration service provider reference](configuration-service-provider-reference.md)
 
  

windows/client-management/mdm/config-lock.md

@@ -77,7 +77,7 @@ Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally m
 ## FAQ
 
 **Can an IT admins disable Config Lock ?** </br>
-	Yes. IT admins can use MDM to turn off Config Lock.</br>
+	Yes. IT admins can use MDM to turn off Config Lock completely or put it in temporary unlock mode for helpdesk activities.</br>
 
 ### List of locked policies
 

windows/client-management/mdm/configuration-service-provider-reference.md

@@ -616,18 +616,6 @@ Additional lists:
 <!--EndSKU-->
 <!--EndCSP-->
 
-<!--StartCSP-->
-[Proxy CSP](proxy-csp.md)
-
-<!--StartSKU-->
-
-|Home|Pro|Business|Enterprise|Education|
-|--- |--- |--- |--- |--- |
-|Yes|Yes|Yes|Yes|Yes|
-
-<!--EndSKU-->
-<!--EndCSP-->
-
 <!--StartCSP-->
 [PXLogical CSP](pxlogical-csp.md)
 
@@ -676,18 +664,6 @@ Additional lists:
 <!--EndSKU-->
 <!--EndCSP-->
 
-<!--StartCSP-->
-[PolicyManager CSP](policymanager-csp.md)
-
-<!--StartSKU-->
-
-|Home|Pro|Business|Enterprise|Education|
-|--- |--- |--- |--- |--- |
-|No|No|No|No|No|
-
-<!--EndSKU-->
-<!--EndCSP-->
-
 <!--StartCSP-->
 [Provisioning CSP](provisioning-csp.md)
 
@@ -821,6 +797,15 @@ Additional lists:
 <!--EndCSP-->
 
 <!--StartCSP-->
+
+[SurfaceHub](surfacehub-csp.md)
+<!--StartSKU-->
+
+<!--EndSKU-->
+<!--EndCSP-->
+
+<!--StartCSP-->
+
 [TenantLockdown CSP](tenantlockdown-csp.md)
 
 <!--StartSKU-->
@@ -905,6 +890,16 @@ Additional lists:
 <!--EndCSP-->
 
 <!--StartCSP-->
+
+[W4 Application CSP](w4-application-csp.md)
+<!--StartSKU-->
+
+<!--EndSKU-->
+<!--EndCSP-->
+
+<!--StartCSP-->
+
+
 [WiFi CSP](wifi-csp.md)
 
 <!--StartSKU-->
@@ -989,6 +984,15 @@ Additional lists:
 <!--EndSKU-->
 <!--EndCSP-->
 
+
+<!--StartCSP-->
+[w7 Application CSP](w7-application-csp.md)
+<!--StartSKU-->
+
+<!--EndSKU-->
+<!--EndCSP-->
+
+
 <hr/>
 <!--EndCSPs-->
 

windows/client-management/mdm/customdeviceui-csp.md

@@ -42,7 +42,6 @@ Package Full Name of the application that needs to be launched in the background
 
 ## SyncML examples
 
-
 **Set StartupAppID**
 
 ```xml

windows/client-management/mdm/defender-csp.md

@@ -15,6 +15,14 @@ ms.date: 02/22/2022
 
 # Defender CSP
 
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
 > [!WARNING]
 > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
 
@@ -355,7 +363,7 @@ Network Protection inspects DNS traffic that occurs over a UDP channel, to provi
 
 <a href="" id="enablenetworkprotection-disablehttpparsing"></a>**EnableNetworkProtection/DisableHttpParsing**
 
-Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
+Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
 
 - Type: Boolean
 - Position: Named
@@ -365,7 +373,7 @@ Network Protection inspects HTTP traffic to see if a connection is being made to
 
 <a href="" id="enablenetworkprotection-disablerdpparsing"></a>**EnableNetworkProtection/DisableRdpParsing**
 
-Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
+Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
 
 - Type: Boolean
 - Position: Named
@@ -375,7 +383,7 @@ Network Protection inspects RDP traffic so that it can block connections from kn
 
 <a href="" id="enablenetworkprotection-disablesshparsing"></a>**EnableNetworkProtection/DisableSshParsing**
 
-Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
+Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
 
 - Type: Boolean
 - Position: Named
@@ -385,7 +393,7 @@ Network Protection inspects SSH traffic, so that it can block connections from k
 
 <a href="" id="enablenetworkprotection-disabletlsparsing"></a>**EnableNetworkProtection/DisableTlsParsing**
 
-Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
+Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
 
 - Type: Boolean
 - Position: Named
@@ -594,11 +602,13 @@ An interior node to group Windows Defender configuration information.
 Supported operation is Get.
 
 <a href="" id="configuration-tamperprotection"></a>**Configuration/TamperProtection**  
+
 Tamper protection helps protect important security features from unwanted changes and interference. This protection includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions.
 
+
 Send off blob to device to reset the tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune.
 
-The data type is a Signed blob.
+The data type is a Signed BLOB.
 
 Supported operations are Add, Delete, Get, Replace.
 
@@ -610,7 +620,7 @@ Intune tamper protection setting UX supports three states:
 When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
 
 <a href="" id="configuration-disablelocaladminmerge"></a>**Configuration/DisableLocalAdminMerge**<br>
-This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions.
+This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusion list.
 
 If you disable or don't configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, management settings will override preference settings.
 
@@ -630,6 +640,7 @@ Valid values are:
 - 0 (default) – Disable.
 
 <a href="" id="configuration-hideexclusionsfromlocaladmins"></a>**Configuration/HideExclusionsFromLocalAdmins**<br>
+
 This policy setting controls whether or not exclusions are visible to Local Admins.  For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled.
 
 If you disable or don't configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell.
@@ -639,22 +650,23 @@ If you enable this setting, Local Admins will no longer be able to see the exclu
 > [!NOTE]
 > Applying this setting won't remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**.
 
-Supported OS versions:  Windows 10
+Supported OS versions: Windows 10
 
 The data type is integer.
 
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
 
 Valid values are:  
 - 1 – Enable.
 - 0 (default) – Disable.
 
 <a href="" id="configuration-disablecputhrottleonidlescans"></a>**Configuration/DisableCpuThrottleOnIdleScans**<br>	
+
 Indicates whether the CPU will be throttled for scheduled scans while the device is idle.  This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag will have no impact and normal throttling will occur.	
 
 The data type is integer.	
 
-Supported operations are Add, Delete, Get, Replace.	
+Supported operations are Add, Delete, Get, and Replace.	
 
 Valid values are:	
 -	1 (default) – Enable.	
@@ -665,7 +677,7 @@ Allow managed devices to update through metered connections. Data charges may ap
 
 The data type is integer.
 
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
 
 Valid values are:
 - 1 – Enable.
@@ -676,7 +688,7 @@ This settings controls whether Network Protection is allowed to be configured in
 
 The data type is integer.
 
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
 
 Valid values are:
 - 1 – Enable.
@@ -687,7 +699,7 @@ Allows an administrator to explicitly disable network packet inspection made by
 
 The data type is string.
 
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
 
 <a href="" id="configuration-enablefilehashcomputation"></a>**Configuration/EnableFileHashComputation**  
 Enables or disables file hash computation feature.
@@ -695,7 +707,7 @@ When this feature is enabled, Windows Defender will compute hashes for files it
 
 The data type is integer.
 
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
 
 Valid values are:  
 - 1 – Enable.
@@ -706,7 +718,7 @@ The support log location setting allows the administrator to specify where the M
 
 Data type is string.
 
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
 
 Intune Support log location setting UX supports three states:  
 
@@ -714,7 +726,7 @@ Intune Support log location setting UX supports three states:
 - 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path.
 - 0 - Disabled. Turns off the Support log location feature. 
 
-When enabled or disabled exists on the client and admin moves the setting to be configured not , it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.  
+When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.  
 
 More details:  
 
@@ -738,7 +750,7 @@ If you disable or don't configure this policy, the device will stay up to date a
 
 The data type is integer.
 
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
 
 Valid values are:
 - 0: Not configured (Default)
@@ -771,7 +783,7 @@ If you disable or don't configure this policy, the device will stay up to date a
 
 The data type is integer.
 
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
 
 Valid values are:
 - 0: Not configured (Default)
@@ -796,7 +808,7 @@ Current Channel (Broad): Devices will be offered updates only after the gradual
 If you disable or don't configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.
 
 The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
 
 Valid Values are:
 - 0: Not configured (Default)
@@ -819,7 +831,7 @@ If you disable or don't configure this policy, the device will remain in Current
 
 The data type is integer.
 
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
 
 Valid values are:
 - 1 – Enabled.

windows/client-management/mdm/devdetail-csp.md

@@ -14,6 +14,15 @@ ms.date: 03/27/2020
 
 # DevDetail CSP
 
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
 The DevDetail configuration service provider handles the management object that provides device-specific parameters to the OMA DM server. These device parameters can be queried by servers using OMA DM commands. They aren't sent from the client to the server automatically.
 
 > [!NOTE]

windows/client-management/mdm/multisim-csp.md

@@ -13,6 +13,15 @@ manager: dansimp
 
 # MultiSIM CSP 
 
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 The MultiSIM configuration service provider (CSP) is used by the enterprise to manage devices with dual SIM single active configuration. An enterprise can set policies on whether that user can switch between SIM slots, specify which slot is the default, and whether the slot is embedded. This CSP was added in Windows 10, version 1803.
 

windows/client-management/mdm/nap-csp.md

@@ -14,6 +14,16 @@ ms.date: 06/26/2017
 
 # NAP CSP
 
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
 The NAP (Network Access Point) Configuration Service Provider is used to manage and query GPRS and CDMA connections.
 
 > [!Note]
@@ -67,7 +77,7 @@ Root node.
 <a href="" id="napx"></a>***NAPX***  
 Required. Defines the name of the network access point.
 
-It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two network access points, use "NAP0" and "NAP1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead).
+It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two network access points, use "NAP0" and "NAP1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), however, no spaces may appear in the name (use %20 instead).
 
 <a href="" id="napx-napid"></a>***NAPX*/NAPID**  
 Required. Specifies the identifier of the destination network.
@@ -97,7 +107,7 @@ The following table shows some commonly used ADDRTYPE values and the types of co
 Optional node. Specifies the authentication information, including the protocol, user name, and password.
 
 <a href="" id="napx-authinfo-authtype"></a>***NAPX*/AuthInfo/AuthType**  
-Optional. Specifies the method of authentication. Some supported protocols are PAP, CHAP, HTTP-BASIC, HTTP-DIGEST, WTLS-SS, MD5.
+Optional. Specifies the method of authentication. Some supported protocols are PAP, CHAP, HTTP-BASIC, HTTP-DIGEST, WTLS-SS, and MD5.
 
 <a href="" id="napx-authinfo-authname"></a>***NAPX*/AuthInfo/AuthName**  
 Optional. Specifies the user name and domain to be used during authentication. This field is in the form *Domain*\\*UserName*.
@@ -111,7 +121,8 @@ Queries of this field will return a string composed of 16 asterisks (\*).
 Node.
 
 <a href="" id="napx-bearer-bearertype"></a>***NAPX*/Bearer/BearerType**  
-Required. Specifies the network type of the destination network. This parameter's value can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, WiFi.
+
+Required. Specifies the network type of the destination network. This can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, and Wi-Fi.
 
 ## Related articles
 

windows/client-management/mdm/napdef-csp.md

@@ -14,7 +14,17 @@ ms.date: 06/26/2017
 
 # NAPDEF CSP
 
-The NAPDEF configuration service provider is used to add, modify, or delete WAP network access points (NAPs). For complete information about these settings, see the standard WAP specification WAP-183-ProvCont-20010724-a.
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+The NAPDEF configuration service provider is used to add, modify, or delete WAP Network Access Points (NAPs). For complete information about these settings, see the standard WAP specification WAP-183-ProvCont-20010724-a.
 
 > [!Note]
 > You cannot use NAPDEF CSP on the desktop to update the Push Proxy Gateway (PPG) list.
@@ -71,7 +81,7 @@ A query of this parameter returns asterisks (\*) in the results.
 <a href="" id="authtype"></a>**AUTHTYPE**  
 Specifies the protocol used to authenticate the user.
 
-The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols. Note
+The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols.
 
 > [!Note]
 > **AuthName** and **AuthSecret** are not created if **AuthType** isn't included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** isn't included in the provisioning XML used to make the change. 

windows/client-management/mdm/networkproxy-csp.md

@@ -13,11 +13,21 @@ manager: dansimp
 
 # NetworkProxy CSP
 
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
 The NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. These settings do not apply to VPN connections. This CSP was added in Windows 10, version 1703.
 
 How the settings work:  
 
-- If auto-detect is enabled, the system tries to find the path to a proxy auto config (PAC) script and download it.
+- If auto-detect is enabled, the system tries to find the path to a Proxy Auto Config (PAC) script and download it.
 - If #1 fails and a setup script is specified, the system tries to download the explicitly configured PAC script.
 - If #2 fails and a proxy server is specified, the system tries to use the explicitly configured proxy server.
 - Otherwise, the system tries to reach the site directly.

windows/client-management/mdm/networkqospolicy-csp.md

@@ -13,6 +13,16 @@ manager: dansimp
 
 # NetworkQoSPolicy CSP
 
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
 The NetworkQoSPolicy configuration service provider creates network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions. This CSP was added in Windows 10, version 1703.
 
 The following conditions are supported:
@@ -71,7 +81,7 @@ NetworkQoSPolicy
 <p>The supported operations are Add, Get, Delete, and Replace.
 
 <a href="" id="name-apppathnamematchcondition"></a>***Name*/AppPathNameMatchCondition**  
-<p>Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe.
+<p>Specifies the name of an application to be used to match the network traffic, such as `application.exe` or `%ProgramFiles%\application.exe`.
 
 <p>The data type is char. 
 
@@ -111,7 +121,7 @@ NetworkQoSPolicy
 <p>The supported operations are Add, Get, Delete, and Replace.
 
 <a href="" id="name-dscpaction"></a>***Name*/DSCPAction**  
-<p>The differentiated services code point (DSCP) value to apply to matching network traffic.
+<p>The Differentiated Services Code Point (DSCP) value to apply to matching network traffic.
 
 <p>Valid values are 0-63.
 

windows/client-management/mdm/nodecache-csp.md

@@ -14,6 +14,15 @@ ms.date: 06/26/2017
 
 # NodeCache CSP
 
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 The NodeCache configuration service provider is used to manage the client cache. This configuration service provider is to be used only by enterprise management servers. It provides a level of abstraction that decouples the management of the node list from a specific backing store. It synchronizes the client cache with the server side cache. It also provides an API for monitoring device-side cache changes.
 
@@ -72,7 +81,7 @@ NodeCache
 Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This parameter's value is a predefined MIME type to identify this managed object in OMA DM syntax.
 
 <a href="" id="providerid"></a>***ProviderID***  
-Optional. Group settings per DM server. Each group of settings is distinguished by the server’s Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one *ProviderID* node under **NodeCache**. Scope is dynamic.
+Optional. Group settings per DM server. Each group of settings is distinguished by the server’s Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one **ProviderID** node under **NodeCache**. Scope is dynamic.
 
 Supported operations are Get, Add, and Delete.
 
@@ -383,10 +392,11 @@ It represents this example:
     <Node Id="20" Uri="./DevDetail/Ext/Microsoft/DeviceName">U09NRU5FV1ZBTFVF</Node>
 </Nodes>
 ```
-Id is the node Id that was added by the MDM server, and Uri is the path that the node is tracking.
-If a Uri isn't set, the node will always be reported as changed, as in Node Id 10.
 
-The value inside of the node tag is the actual value returned by the Uri, which means that for Node Id 20 the DeviceName didn't match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously.
+Id is the node ID that was added by the MDM server, and Uri is the path that the node is tracking.
+If a Uri is not set, the node will always be reported as changed, as in Node ID 10.
+
+The value inside of the node tag is the actual value returned by the Uri, which means that for Node ID 20 the DeviceName did not match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously.
 
 
 ## Related topics

windows/client-management/mdm/office-csp.md

@@ -13,6 +13,15 @@ manager: dansimp
 
 # Office CSP
 
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](/intune/apps-add-office365). 
 

windows/client-management/mdm/passportforwork-csp.md

@@ -14,7 +14,18 @@ ms.date: 07/19/2019
 
 # PassportForWork CSP
 
-The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to sign in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards.
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards.
+
 
 > [!IMPORTANT]
 > Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.

windows/client-management/mdm/personalization-csp.md

@@ -13,6 +13,16 @@ manager: dansimp
 
 # Personalization CSP
 
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
 The Personalization CSP can set the lock screen and desktop background images. Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package.
 
 This CSP was added in Windows 10, version 1703.

windows/client-management/mdm/policy-configuration-service-provider.md

@@ -8361,6 +8361,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
   <dd>
     <a href="./policy-csp-search.md#search-disableremovabledriveindexing" id="search-disableremovabledriveindexing">Search/DisableRemovableDriveIndexing</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-search.md#search-disablesearch" id="search-disablesearch">Search/DisableSearch</a>
+  </dd>
   <dd>
     <a href="./policy-csp-search.md#search-donotusewebresults" id="search-donotusewebresults">Search/DoNotUseWebResults</a>
   </dd>

windows/client-management/mdm/policy-csp-accounts.md

@@ -31,6 +31,9 @@ manager: dansimp
   <dd>
     <a href="#accounts-allowmicrosoftaccountsigninassistant">Accounts/AllowMicrosoftAccountSignInAssistant</a>
   </dd>
+  <dd>
+    <a href="#accounts-domainnamesforemailsync">Accounts/DomainNamesForEmailSync</a>
+  </dd>
 </dl>
 
 
@@ -66,7 +69,7 @@ Specifies whether user is allowed to add non-MSA email accounts.
 Most restricted value is 0.
 
 > [!NOTE]
-> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md).
+> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. 
 
 <!--/Description-->
 <!--SupportedValues-->
@@ -168,9 +171,47 @@ The following list shows the supported values:
 <hr/>
 
 
+<!--Policy-->
+<a href="" id="accounts-domainnamesforemailsync"></a>**Accounts/DomainNamesForEmailSync**  
+
+<!--SupportedSKUs-->
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+
+
+<!--/Description-->
+<!--SupportedValues-->
+The following list shows the supported values:
+
+<!--/SupportedValues-->
+<!--/Policy-->
+
+<hr/>
+<!--/Policies-->
 
 <!--/Policies-->
 
 ## Related topics
 
-[Policy CSP](policy-configuration-service-provider.md)
+[Policy CSP](policy-configuration-service-provider.md)
+

windows/client-management/mdm/policy-csp-fileexplorer.md

@@ -28,15 +28,129 @@ manager: dansimp
 ## FileExplorer policies  
 
 <dl>
+  <dd>
+    <a href="#fileexplorer-allowoptiontoshownetwork">FileExplorer/AllowOptionToShowNetwork</a>
+  </dd>
+  <dd>
+    <a href="#fileexplorer-allowoptiontoshowthispc">FileExplorer/AllowOptionToShowThisPC</a>
+  </dd>
   <dd>
     <a href="#fileexplorer-turnoffdataexecutionpreventionforexplorer">FileExplorer/TurnOffDataExecutionPreventionForExplorer</a>
   </dd>
   <dd>
     <a href="#fileexplorer-turnoffheapterminationoncorruption">FileExplorer/TurnOffHeapTerminationOnCorruption</a>
   </dd>
+  <dd>
+    <a href="#fileexplorer-setallowedfolderlocations">FileExplorer/SetAllowedFolderLocations</a>
+  </dd>
+  <dd>
+    <a href="#fileexplorer-setallowedstoragelocations">FileExplorer/SetAllowedStorageLocations</a>
+  </dd>
 </dl>
 
 
+<hr/>
+
+<!--Policy-->
+<a href="" id="fileexplorer-allowoptiontoshownetwork"></a>**FileExplorer/AllowOptionToShowNetwork**  
+
+<!--SupportedSKUs-->
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+
+This policy allows the user with an option to show the network folder when restricted.
+
+<!--/Description-->
+
+<!--SupportedValues-->
+The following list shows the supported values:
+
+- 0 - Disabled
+- 1 (default) - Enabled
+
+<!--/SupportedValues-->
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP Friendly name: *Allow the user the option to show Network folder when restricted*
+-   GP name: *AllowOptionToShowNetwork*
+-   GP path: *File Explorer*
+-   GP ADMX file name: *Explorer.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="fileexplorer-allowoptiontoshowthispc"></a>**FileExplorer/AllowOptionToShowThisPC**  
+
+<!--SupportedSKUs-->
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+
+This policy allows the user with an option to show this PC location when restricted.
+
+<!--/Description-->
+
+<!--SupportedValues-->
+The following list shows the supported values:
+
+- 0 - Disabled
+- 1 (default) - Enabled
+
+<!--/SupportedValues-->
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP Friendly name: *Allow the user the option to show Network folder when restricted*
+-   GP name: *AllowOptionToShowThisPC*
+-   GP path: *File Explorer*
+-   GP ADMX file name: *Explorer.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+
 <hr/>
 
 <!--Policy-->
@@ -109,6 +223,8 @@ ADMX Info:
 <!--Description-->
 Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later.
 
+<!--/Description-->
+
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Turn off heap termination on corruption*
@@ -120,5 +236,114 @@ ADMX Info:
 <!--/Policy-->
 <hr/>
 
+<!--Policy-->
+<a href="" id="fileexplorer-setallowedfolderlocations"></a>**FileExplorer/SetAllowedFolderLocations**  
+
+<!--SupportedSKUs-->
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+
+<!--Description-->
+
+This policy configures the folders that the user can enumerate and access in the File Explorer.
+
+<!--/Description-->
+
+<!--SupportedValues-->
+The following list shows the supported values:
+
+- 0: All folders
+- 15:Desktop, Documents, Pictures, and Downloads
+- 31:Desktop, Documents, Pictures, Downloads, and Network
+- 47:This PC (local drive), [Desktop, Documents, Pictures], and Downloads
+- 63:This PC, [Desktop, Documents, Pictures], Downloads, and Network
+
+<!--/SupportedValues-->
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer*
+-   GP name: *SetAllowedFolderLocations*
+-   GP path: *File Explorer*
+-   GP ADMX file name: *Explorer.admx*
+
+<!--/ADMXBacked-->
+
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="fileexplorer-setallowedstoragelocations"></a>**FileExplorer/SetAllowedStorageLocations**  
+
+<!--SupportedSKUs-->
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+
+<!--Description-->
+
+This policy configures the folders that the user can enumerate and access in the File Explorer.
+
+<!--/Description-->
+
+<!--SupportedValues-->
+The following list shows the supported values:
+
+- 0: all storage locations
+- 1: Removable Drives
+- 2: Sync roots
+- 3: Removable Drives, Sync roots, local drive
+
+<!--/SupportedValues-->
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer*
+-   GP name: *SetAllowedStorageLocations*
+-   GP path: *File Explorer*
+-   GP ADMX file name: *Explorer.admx*
+
+<!--/ADMXBacked-->
+
+<!--/Policy-->
+<hr/>
+
 <!--/Policies-->
 

windows/client-management/mdm/policy-csp-search.md

@@ -14,7 +14,6 @@ manager: dansimp
 
 # Policy CSP - Search
 
-
 <hr/>
 
 <!--Policies-->
@@ -57,6 +56,9 @@ manager: dansimp
   <dd>
     <a href="#search-disableremovabledriveindexing">Search/DisableRemovableDriveIndexing</a>
   </dd>
+  <dd>
+    <a href="#search-disablesearch">Search/DisableSearch</a>
+  </dd>
   <dd>
     <a href="#search-donotusewebresults">Search/DoNotUseWebResults</a>
   </dd>
@@ -629,6 +631,57 @@ The following list shows the supported values:
 
 <hr/>
 
+<!--Policy-->
+<a href="" id="search-disablesearch"></a>**Search/DisableSearch**  
+
+<!--SupportedSKUs-->
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting completely disables Search UI and all its entry points such as keyboard shortcuts and touch-pad gestures.
+
+It removes the Search button from the Taskbar and the corresponding option in the Settings. It also disables type-to-search in the Start menu and removes the Start menu's search box.
+
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:  
+
+-   GP Friendly name: *Fully disable Search UI*
+-   GP name: *DisableSearch*
+-   GP path: *Windows Components/Search*
+-   GP ADMX file name: *Search.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+The following list shows the supported values:
+
+-   0 (default) – Do not disable search.
+-   1 – Disable search.
+
+<!--/SupportedValues-->
+<!--/Policy-->
+
+<hr/>
+
 <!--Policy-->
 <a href="" id="search-donotusewebresults"></a>**Search/DoNotUseWebResults**  
 
@@ -761,7 +814,7 @@ The following list shows the supported values:
 
 <!--/Scope-->
 <!--Description-->
-If enabled, clients will be unable to query this computer's index remotely. Thus, when they're browsing network shares that are stored on this computer, they won't search them using the index. If disabled, client search requests will use this computer's index..
+If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.
 
 <!--/Description-->
 <!--ADMXMapped-->

windows/client-management/mdm/policy-csp-update.md

@@ -415,7 +415,7 @@ Enables the IT admin to manage automatic update behavior to scan, download, and
 
 Supported operations are Get and Replace.
 
-If the policy isn't configured, end-users get the default behavior (Auto install and restart).
+If the policy isn't configured, end-users get the default behavior (Auto download and install).
 
 <!--/Description-->
 <!--ADMXMapped-->
@@ -430,12 +430,13 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
 
-- 0 - Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these options, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
+- 0: Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
-- 1 - Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
+- 1: Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
-- 2 (default) - Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. Automatic restarting when a device isn't being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
+- 2: Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
-- 3 - Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
+- 3: Auto install and restart at a specified time. You specify the installation day and time. If no day and time is specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
-- 4 - Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only.
+- 4: Auto install and restart at a specified time. You specify the installation day and time. If no day and time is specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. This option is the same as `3`, but restricts end user controls on the settings page.
-- 5 - Turn off automatic updates.
+- 5: Turn off automatic updates.
+- 6 (default): Updates automatically download and install at an optimal time determined by the device. Restart occurs outside of active hours until the deadline is reached, if configured.
 
 > [!IMPORTANT]
 > This option should be used only for systems under regulatory compliance, as you won't get security updates as well.

windows/client-management/mdm/policymanager-csp.md

@@ -1,29 +0,0 @@
----
-title: PolicyManager CSP
-description: Learn how PolicyManager CSP is deprecated. For Windows 10 devices you should use Policy CSP, which replaces PolicyManager CSP.
-ms.assetid: 048427b1-6024-4660-8660-bd91c583f7f9
-ms.reviewer: 
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: dansimp
-ms.date: 06/28/2017
----
-
-# PolicyManager CSP
-
-PolicyManager CSP is deprecated. Use [Policy CSP](policy-configuration-service-provider.md) instead.
-
-<!-- 12.16.2021 mandia: Commenting out, as this CSP is specific to Windows 10 Mobile and Windows Phone 8.1
-
-> **Note**   The PolicyManager CSP is supported in Windows 10 Mobile for backward compatibility. For Windows 10 devices you should use [Policy CSP](policy-configuration-service-provider.md), which replaces PolicyManager CSP. You can continue to use PolicyManager CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices.
-
--->
-
-## Related articles
-
-[Policy CSP](policy-configuration-service-provider.md)
-
-[Configuration service provider reference](configuration-service-provider-reference.md)

windows/client-management/mdm/provisioning-csp.md

@@ -14,6 +14,15 @@ ms.date: 06/26/2017
 
 # Provisioning CSP
 
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 The Provisioning configuration service provider is used for bulk user enrollment to an MDM service.
 

windows/client-management/mdm/proxy-csp.md

@@ -1,127 +0,0 @@
----
-title: PROXY CSP
-description: Learn how the PROXY configuration service provider (CSP) is used to configure proxy connections.
-ms.assetid: 9904d44c-4a1e-4ae7-a6c7-5dba06cb16ce
-ms.reviewer: 
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: dansimp
-ms.date: 06/26/2017
----
-
-# PROXY CSP
-
-
-The PROXY configuration service provider is used to configure proxy connections.
-
-> [!NOTE]
-> Use [CM\_ProxyEntries CSP](cm-proxyentries-csp.md) instead of PROXY CSP, which will be deprecated in a future release.
-
-This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
-
-For the PROXY CSP, you can't use the Replace command unless the node already exists.
-
-The following example shows the PROXY configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol isn't supported by this configuration service provider.
-
-```
-./Vendor/MSFT/Proxy
-----*
---------ProxyId
---------Name
---------AddrType
---------Addr
---------AddrFQDN
---------ConRefs
-------------*
-----------------ConRef
---------Domains
-------------*
-----------------DomainName
---------Ports
-------------*
-----------------PortNbr
-----------------Services
---------------------*
-------------------------ServiceName
---------ProxyType
---------ProxyParams
-------------WAP
-----------------Trust
-----------------PushEnabled
---------Ext
-------------Microsoft
-----------------Guid
-```
-
-<a href="" id="--vendor-msft-proxy"></a>**./Vendor/MSFT/Proxy**
-Root node for the proxy connection.
-
-<a href="" id="proxyname"></a>***ProxyName***
-Defines the name of a proxy connection.
-
-It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two proxy connections, use "PROXY0" and "PROXY1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead).
-
-The addition, update, and deletion of this subtree of nodes have to be specified in a single atomic transaction.
-
-<a href="" id="proxyname-proxyid"></a>***ProxyName*/PROXYID**
-Specifies the unique identifier of the proxy connection.
-
-<a href="" id="proxyname-name"></a>***ProxyName*/NAME**
-Specifies the user-friendly name of the proxy connection.
-
-<a href="" id="proxyname-addr"></a>***ProxyName*/ADDR**
-Specifies the address of the proxy server.
-
-This value may be the network name of the server, or any other string (such as an IP address) used to uniquely identify the proxy connection.
-
-<a href="" id="proxyname-addrtype"></a>***ProxyName*/ADDRTYPE**
-Specifies the type of address used to identify the proxy server.
-
-The valid values are IPV4, IPV6, E164, ALPHA.
-
-<a href="" id="proxyname-proxytype"></a>***ProxyName*/PROXYTYPE**
-Specifies the type of proxy connection.
-
-Depending on the ProxyID, the valid values are ISA, WAP, SOCKS, or NULL.
-
-<a href="" id="proxyname-ports"></a>***ProxyName*/Ports**
-Node for port information.
-
-<a href="" id="proxyname-ports-portname"></a>***ProxyName*/Ports/_PortName_**
-Defines the name of a port.
-
-It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two ports, use "PORT0" and "PORT1" as the element names.
-
-<a href="" id="proxyname-ports-portname-portnbr"></a>***ProxyName*/Ports/*PortName*/PortNbr**
-Specifies the port number to be associated with the parent port.
-
-<a href="" id="proxyname-ports-portname-services"></a>***ProxyName*/Ports/*PortName*/Services**
-Node for services information.
-
-<a href="" id="proxyname-ports-services-servicename"></a>***ProxyName*/Ports/Services/_ServiceName_**
-Defines the name of a service.
-
-It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two services, use "SERVICE0" and "SERVICE1" as the element names.
-
-<a href="" id="proxyname-ports-services-servicename-servicename"></a>***ProxyName*/Ports/Services/*ServiceName*/ServiceName**
-Specifies the protocol to be associated with the parent port.
-
-One commonly used value is "HTTP".
-
-<a href="" id="proxyname-conrefs"></a>***ProxyName*/ConRefs**
-Node for connection reference information
-
-<a href="" id="proxyname-conrefs-conrefname"></a>***ProxyName*/ConRefs/_ConRefName_**
-Defines the name of a connection reference.
-
-It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two connection references, use "CONREF0" and "CONREF1" as the element names.
-
-<a href="" id="proxyname-conrefs-conrefname-conref"></a>***ProxyName*/ConRefs/*ConRefName*/ConRef**
-Specifies one single connectivity object associated with the proxy connection.
-
-## Related topics
-
-[Configuration service provider reference](configuration-service-provider-reference.md)

windows/client-management/mdm/pxlogical-csp.md

@@ -14,7 +14,6 @@ ms.date: 06/26/2017
 
 # PXLOGICAL configuration service provider
 
-
 The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques.
 
 > [!NOTE]

windows/client-management/mdm/supl-csp.md

@@ -16,6 +16,16 @@ ms.date: 09/12/2019
 
 The SUPL configuration service provider is used to configure the location client, as shown in the following:
 
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+The SUPL configuration service provider is used to configure the location client, as shown in the following table:
+
 - **Location Service**: Connection type
   - **SUPL**: All connections other than CDMA
   - **V2 UPL**: CDMA
@@ -94,7 +104,7 @@ Added in Windows 10, version 2004. Optional. Determines the full version (X.Y.Z
 <a href="" id="mccmncpairs"></a>**MCCMNCPairs**  
 Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network don't match, the device uses the default location service and doesn't use SUPL.
 
-This value is a string with the format "(X1, Y1)(X2, Y2)…(Xn, Yn)", in which `X` is an MCC and `Y` is an MNC.
+This value is a string with the format `(X1, Y1)(X2, Y2)…(Xn, Yn)`, in which `X` is an MCC and `Y` is an MNC.
 
 For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
 
@@ -322,7 +332,7 @@ Adding new configuration information for an H-SLP server for SUPL. Values in ita
 </wap-provisioningdoc>
 ```
 
-Adding a SUPL and a V2 UPL account to the same device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value.
+Adding a SUPL and a V2 UPL account to the same device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary BLOB must be included for the root certificate data value.
 
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
@@ -353,7 +363,6 @@ Adding a SUPL and a V2 UPL account to the same device. Values in italic must be
 
 ## OMA DM examples
 
-
 Adding a SUPL account to a device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value.
 
 ```xml
@@ -428,7 +437,6 @@ Adding a SUPL account to a device. Values in italic must be replaced with correc
 
 ## Microsoft Custom Elements
 
-
 The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
 
 |Elements|Available|

windows/client-management/mdm/surfacehub-csp.md

@@ -14,7 +14,7 @@ ms.date: 07/28/2017
 
 # SurfaceHub CSP
 
-The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511.
+The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511, and later.
 
 The following example shows the SurfaceHub CSP management objects in tree format.
 
@@ -240,7 +240,7 @@ If there's an error calling ValidateAndCommit, there's another context for that
 | 3 | Populating Exchange server address | Unable to auto-discover your Exchange server address. Try to manually specify the Exchange server address using the ExchangeServer field. |
 | 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure the ExchangeServer field is valid. |
 | 5 | Saving account information | Unable to save account details to the system. |
-| 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Make sure the EAS policy is configured correctly according to the admin guide. |
+| 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Ensure the EAS policy is configured correctly according to the admin guide. |
 
 It performs the following:
 - The data type is integer.
@@ -321,7 +321,7 @@ Invitations to collaborate from the Whiteboard app aren't allowed.
 
 <a href="" id="inboxapps-whiteboard-signindisabled"></a>**InBoxApps/Whiteboard/SigninDisabled**
 
-Sign-in from the Whiteboard app aren't allowed.
+Sign-ins from the Whiteboard app aren't allowed.
 
 - The data type is boolean. 
 - Supported operation is Get and Replace.

windows/client-management/mdm/toc.yml

@@ -828,12 +828,8 @@ items:
               href: policy-csp-windowssandbox.md
             - name: WirelessDisplay
               href: policy-csp-wirelessdisplay.md
-        - name: PolicyManager CSP
-          href: policymanager-csp.md
         - name: Provisioning CSP
           href: provisioning-csp.md
-        - name: PROXY CSP
-          href: proxy-csp.md
         - name: PXLOGICAL CSP
           href: pxlogical-csp.md
         - name: Reboot CSP

windows/client-management/mdm/tpmpolicy-csp.md

@@ -13,10 +13,19 @@ manager: dansimp
 
 # TPMPolicy CSP
 
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on) from Windows and inbox applications to public IP addresses, unless directly intended by the user. This definition allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
 
-The TPMPolicy CSP was added in Windows 10, version 1703.
+The TPMPolicy CSP was added in Windows 10, version 1703, and later.
 
 The following example shows the TPMPolicy configuration service provider in tree format.
 ```

windows/client-management/mdm/uefi-csp.md

@@ -13,8 +13,17 @@ manager: dansimp
 
 # UEFI CSP
 
+The table below shows the applicability of Windows:
 
-The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809.
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809c, and later.
 
 > [!NOTE]
 > The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809).
@@ -51,7 +60,7 @@ Uefi
 ```
 The following list describes the characteristics and parameters.
 
-<a href="" id="uefi"></a>**./Vendor/MSFT/Uefi**  
+<a href="" id="uefi"></a>**./Vendor/MSFT/UEFI**  
 Root node.
 
 <a href="" id="deviceidentifier"></a>**DeviceIdentifier**  
@@ -80,7 +89,7 @@ Retrieves the binary result package of the previous Identity/Apply operation.
 Supported operation is Get.
 
 <a href="" id="permissions"></a>**Permissions**  
-Node for settings permission operations..
+Node for settings permission operations.
 
 <a href="" id="permissions-current"></a>**Permissions/Current**  
 Retrieves XML from UEFI that describes the current UEFI settings permissions.

windows/client-management/mdm/unifiedwritefilter-csp.md

@@ -14,6 +14,15 @@ ms.date: 06/26/2017
 
 # UnifiedWriteFilter CSP
 
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type.
 
@@ -315,7 +324,6 @@ Supported operations are Get and Execute.
 
 ## Related topics
 
-
 [Configuration service provider reference](configuration-service-provider-reference.md)
 
  

windows/client-management/mdm/update-csp.md

@@ -14,6 +14,16 @@ ms.date: 02/23/2018
 
 # Update CSP
 
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
 The Update configuration service provider enables IT administrators to manage and control the rollout of new updates.
 
 > [!NOTE]
@@ -62,7 +72,7 @@ The following example shows the Update configuration service provider in tree fo
 > [!NOTE]
 > When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
 
-<p>The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this presentation is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It&#39;s possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update.
+<p>The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.
 
 <p>The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
 

windows/client-management/mdm/vpnv2-csp.md

@@ -14,6 +14,15 @@ ms.date: 09/21/2021
 
 # VPNv2 CSP
 
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 The VPNv2 configuration service provider allows the mobile device management (MDM) server to configure the VPN profile of the device.
 
@@ -550,7 +559,7 @@ An optional flag to enable Always On mode. This flag will automatically connect
 
 Preserving user Always On preference
 
-Windows has a feature to preserve a user’s AlwaysOn preference.  If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.  
+Windows has a feature to preserve a user’s AlwaysOn preference. If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.  
 Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows won't check the box if the profile name exists in the below registry value in order to preserve user preference.
 Key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config`
 Value: AutoTriggerDisabledProfilesList
@@ -696,7 +705,7 @@ Supported operations include Get, Add, Replace, and Delete.
 Reserved for future use.
 
 <a href="" id="vpnv2-profilename-nativeprofile"></a>**VPNv2/**<em>ProfileName</em>**/NativeProfile**  
-Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP).
+Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, and L2TP).
 
 <a href="" id="vpnv2-profilename-nativeprofile-servers"></a>**VPNv2/**<em>ProfileName</em>**/NativeProfile/Servers**  
 Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. 

windows/client-management/mdm/w4-application-csp.md

@@ -14,6 +14,15 @@ ms.date: 06/26/2017
 
 # w4 APPLICATION CSP
 
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 Use an **APPLICATION** configuration service provider that has an APPID of w4 to configure Multimedia Messaging Service (MMS).
 
@@ -47,7 +56,7 @@ This parameter takes a string value. The possible values to configure the NAME p
 -   no value specified
 
 > [!NOTE]
-> The APPLICATION/NAME value is displayed in the UI. The APPLICATION/NAME value might not be saved on the device. So after an upgrade, the MDM servers should resend APPLICATION/NAME to DMAcc.
+> The APPLICATION/NAME value is displayed in the UI. The APPLICATION/NAME value might not be saved on the device. Hence, after an upgrade, the MDM servers should resend APPLICATION/NAME to DMAcc.
 
 If no value is specified, the registry location will default to `<unnamed>`.
 

windows/client-management/mdm/w7-application-csp.md

@@ -14,11 +14,20 @@ ms.date: 06/26/2017
 
 # w7 APPLICATION CSP
 
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 The APPLICATION configuration service provider that has an APPID of w7 is used for bootstrapping a device with an OMA DM account. Although this configuration service provider is used to set up an OMA DM account, it's managed over OMA Client Provisioning.
 
-> **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
+> [!Note]
-
+> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
 
 The following shows the configuration service provider in tree format as used by OMA Client Provisioning.
 
@@ -51,11 +60,10 @@ APPLICATION
 ---SSLCLIENTCERTSEARCHCRITERIA
 ```
 
-> **Note**   All parm names and characteristic types are case sensitive and must use all uppercase.
+> [!Note]
+> All parameter names and characteristic types are case sensitive and must use all uppercase.
 Both APPSRV and CLIENT credentials must be provided in provisioning XML.
 
- 
-
 <a href="" id="appaddr"></a>**APPADDR**  
 This characteristic is used in the w7 APPLICATION characteristic to specify the DM server address.
 
@@ -99,9 +107,9 @@ Optional. The AAUTHTYPE parameter of the APPAUTH characteristic is used to get o
 
 Valid values:
 
--   BASIC - specifies that the SyncML DM 'syncml:auth-basic' authentication type.
+-   BASIC - specifies that the SyncML DM `syncml:auth-basic` authentication type.
 
--   DIGEST - specifies that the SyncML DM 'syncml:auth-md5' authentication type.
+-   DIGEST - specifies that the SyncML DM `syncml:auth-md5` authentication type.
 
 -   When AAUTHLEVEL is CLIENT, then AAUTHTYPE must be DIGEST. When AAUTHLEVEL is APPSRV, AAUTHTYPE can be BASIC or DIGEST.
 
@@ -111,9 +119,8 @@ Required. The APPID parameter is used in the APPLICATION characteristic to diffe
 <a href="" id="backcompatretrydisabled"></a>**BACKCOMPATRETRYDISABLED**  
 Optional. The BACKCOMPATRETRYDISABLED parameter is used in the APPLICATION characteristic to specify whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr (not including the first time).
 
-> **Note**   This parameter doesn't contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled.
+> [!Note]
-
+> This parameter doesn't contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled.
- 
 
 <a href="" id="connretryfreq"></a>**CONNRETRYFREQ**  
 Optional. The CONNRETRYFREQ parameter is used in the APPLICATION characteristic to specify how many retries the DM client performs when there are Connection Manager-level or WinInet-level errors. This parameter takes a numeric value in string format. The default value is “3”. You can set this parameter.
@@ -130,11 +137,10 @@ The valid values are:
 <a href="" id="init"></a>**INIT**  
 Optional. The INIT parameter is used in the APPLICATION characteristic to indicate that the management server wants the client to initiate a management session immediately after settings approval. If the current w7 APPLICATION document will be put in ROM, the INIT parameter must not be present.
 
-> **Note**   This node is only for mobile operators and MDM servers that try to use this will fail. This node isn't supported in the enterprise MDM enrollment scenario.
+> [!Note]
+> This node is only for mobile operators and MDM servers that try to use this will fail. This node isn't supported in the enterprise MDM enrollment scenario.
 This parameter forces the device to attempt to connect with the OMA DM server. The connection attempt fails if the XML is set during the coldinit phase. A common cause of this failure is that immediately after coldinit is finished the radio isn't yet ready.
-
  
-
 <a href="" id="initialbackofftime"></a>**INITIALBACKOFFTIME**  
 Optional. The INITIALBACKOFFTIME parameter is used in the APPLICATION characteristic to specify the initial wait time in milliseconds when the DM client retries for the first time. The wait time grows exponentially. This parameter takes a numeric value in string format. The default value is “16000”. You can get or set this parameter.
 
@@ -180,9 +186,8 @@ The supported names are Subject and Stores; wildcard certificate search isn't su
 
 Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive.
 
-> **Note**   %EF%80%80 is the UTF8-encoded character U+F000.
+> [!Note]
-
+> `%EF%80%80` is the UTF8-encoded character U+F000.
- 
 
 Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following syntax:
 
@@ -193,15 +198,4 @@ Subject specifies the certificate to search for. For example, to specify that yo
 
 ## Related topics
 
-
 [Configuration service provider reference](configuration-service-provider-reference.md)
-
- 
-
- 
-
-
-
-
-
-

windows/client-management/mdm/windowsautopilot-csp.md

@@ -9,7 +9,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: dansimp
-ms.date: 02/07/2022
+ms.date: 05/09/2022
 ---
 
 # WindowsAutopilot CSP

windows/security/identity-protection/access-control/special-identities.md

@@ -485,8 +485,8 @@ Any user accessing the system through Terminal Services has the Terminal Server
 
 | Attribute | Value |
 |  :--: | :--: | 
-| Well-Known SID/RID | |
+| Well-Known SID/RID | S-1-5-90 |
-|Object Class| |
+|Object Class|  Foreign Security Principal|
 |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
 |Default User Rights| [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege<br> [Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege<br>|
 

windows/security/identity-protection/credential-guard/credential-guard-known-issues.md

@@ -59,6 +59,10 @@ The following known issues have been fixed by servicing releases made available
 
 ## Known issues involving third-party applications
 
+The following issue affects MSCHAPv2:
+
+- [Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a very popular enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352).
+
 The following issue affects the Java GSS API. See the following Oracle bug database article: 
 
 - [JDK-8161921: Windows Defender Credential Guard doesn't allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)

windows/security/identity-protection/credential-guard/credential-guard-manage.md

@@ -26,6 +26,7 @@ ms.custom:
 - Windows 11
 - Windows Server 2016
 - Windows Server 2019
+- Windows Server 2022
 
 
 ## Enable Windows Defender Credential Guard
@@ -204,9 +205,7 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
     
     - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]  
     
-      You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
+  - You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs → Microsoft → Windows → Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you are running with a TPM, the TPM PCR mask value will be something other than 0.
-      
-    - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**.  
         
   - You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command:
   

windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md

@@ -84,8 +84,9 @@ For errors listed in this table, contact Microsoft Support for assistance.
 
 | Hex         | Cause   |
 |-------------|---------|
-| 0X80072F0C  | Unknown |
 | 0x80070057  | Invalid parameter or argument is passed. |
+| 0X80072F0C  | Unknown |
+| 0x80072F8F  | A mismatch happens between the system's clock and the activation server's clock when attempting to activate Windows.|
 | 0x80090010  | NTE_PERM |
 | 0x80090020  | NTE\_FAIL |
 | 0x80090027  | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. |
@@ -105,7 +106,6 @@ For errors listed in this table, contact Microsoft Support for assistance.
 | ​0x801C044C  | There is no core window for the current thread. |
 | 0x801c004D  | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request AAD token for provisioning. Unable to enroll a device to use a PIN for login. |
 
-
 ## Related topics
 
 - [Windows Hello for Business](hello-identity-verification.md)

windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md

@@ -44,6 +44,9 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
 5. In the **Enter the object names to select** text box, type the name of the service account used as an AD DS Connector account and click **OK**.
 6. Click **OK** to return to **Active Directory Users and Computers**.
 
+> [!NOTE]
+> If your Active Directory forest has multiple domains, your ADConnect accounts need to be members of the **Enterprise Key Admins** group. This membership is needed to write the keys to other domain users.
+
 ### Section Review
 
 > [!div class="checklist"]
@@ -63,4 +66,4 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
 6. Configure Windows Hello for Business settings: Directory Synchronization (*You are here*)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
+7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)

windows/security/identity-protection/hello-for-business/passwordless-strategy.md

@@ -265,7 +265,7 @@ The account options on a user account includes an option -- **Smart card is requ
 **SCRIL setting for a user on Active Directory Users and Computers.**
 
 When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because:
-- the do not know their password.
+- they do not know their password.
 - their password is 128 random bits of data and is likely to include non-typable characters.
 - the user is not asked to change their password
 - domain controllers do not allow passwords for interactive authentication

windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml

@@ -17,45 +17,10 @@ metadata:
   ms.topic: faq
   ms.date: 11/10/2021
   ms.technology: mde
+
 title: Advanced security auditing FAQ
-summary: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
-  
-  -   [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-)
 
-  -   [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-)
+summary: This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.  
-
-  -   [What is the interaction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-)
-
-  -   [How are audit settings merged by Group Policy?](#how-are-audit-settings-merged-by-group-policy-)
-
-  -   [What is the difference between an object DACL and an object SACL?](#what-is-the-difference-between-an-object-dacl-and-an-object-sacl-)
-
-  -   [Why are audit policies applied on a per-computer basis rather than per user?](#why-are-audit-policies-applied-on-a-per-computer-basis-rather-than-per-user-)
-
-  -   [What are the differences in auditing functionality between versions of Windows?](#what-are-the-differences-in-auditing-functionality-between-versions-of-windows-)
-
-  -   [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#can-i-use-advanced-audit-policies-from-a-domain-controller-running-windows-server-2003-or-windows-2000-server-)
-
-  -   [What is the difference between success and failure events? Is something wrong if I get a failure audit?](#what-is-the-difference-between-success-and-failure-events--is-something-wrong-if-i-get-a-failure-audit-)
-
-  -   [How can I set an audit policy that affects all objects on a computer?](#how-can-i-set-an-audit-policy-that-affects-all-objects-on-a-computer-)
-
-  -   [How do I ascertain the purpose for accessing a resource?](#how-do-i-figure-out-why-someone-was-able-to-access-a-resource-)
-
-  -   [How do I know when changes are made to access control settings, by whom, and what the changes were?](#how-do-i-know-when-changes-are-made-to-access-control-settings--by-whom--and-what-the-changes-were-)
-
-  -   [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#how-can-i-roll-back-security-audit-policies-from-the-advanced-audit-policy-to-the-basic-audit-policy-)
-
-  -   [How can I monitor if changes are made to audit policy settings?](#how-can-i-monitor-if-changes-are-made-to-audit-policy-settings-)
-
-  -   [How can I minimize the number of events that are generated?](#how-can-i-minimize-the-number-of-events-that-are-generated-)
-
-  -   [What are the best tools to model and manage audit policy?](#what-are-the-best-tools-to-model-and-manage-audit-policies-)
-
-  -   [Where can I find information about all the possible events that I might receive?](#where-can-i-find-information-about-all-the-possible-events-that-i-might-receive-)
-
-  -   [Where can I find more detailed information?](#where-can-i-find-more-detailed-information-)
-  
 
 sections:
   - name: Ignored

windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md

@@ -14,12 +14,18 @@ author: jsuther1974
 ms.reviewer: jogeurte
 ms.author: dansimp
 manager: dansimp
-ms.date: 04/30/2022
+ms.date: 05/09/2022
 ms.technology: windows-sec
 ---
 
 # Understanding Application Control events
 
+**Applies to**
+
+- Windows 10
+- Windows 11
+- Windows Server 2016 and later (limited events)
+
 A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
 
 - Events about WDAC policy activation and the control of executables, dlls, and drivers appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational**