Merge branch 'sheshachary-5859198' of https://github.com/MicrosoftDocs/windows-docs-pr into sheshachary-5859198

2025-05-13 13:57:22 +00:00 · 2022-05-11 12:40:57 +05:30 · 2022-05-11 12:40:57 +05:30 · 20813dbaa7
commit 20813dbaa7
parent fe209ee1be 45c77a5738
54 changed files with 2543 additions and 1625 deletions
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@ -2,6 +2,27 @@
 ## Week of May 02, 2022
 | Published On |Topic title | Change |
 |------|------------|--------|
 | 5/3/2022 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
 | 5/3/2022 | [Change history for Windows 10 for Education (Windows 10)](/education/windows/change-history-edu) | modified |
 | 5/3/2022 | [Change to Windows 10 Education from Windows 10 Pro](/education/windows/change-to-pro-education) | modified |
 | 5/3/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
 | 5/3/2022 | [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education) | modified |
 | 5/3/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
 | 5/3/2022 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
 | 5/3/2022 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
 | 5/3/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
 | 5/3/2022 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified |
 | 5/3/2022 | [Take a Test app technical reference](/education/windows/take-a-test-app-technical) | modified |
 | 5/3/2022 | [Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs) | modified |
 | 5/3/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified |
 | 5/3/2022 | [Test Windows 10 in S mode on existing Windows 10 education devices](/education/windows/test-windows10s-for-edu) | modified |
 ## Week of April 25, 2022
--- a/template.md
+++ b/template.md
@ -0,0 +1,292 @@
 ---
 title: # ARTICLE TITLE in 55 chars or less, most important for SEO. Best to match H1 and TOC, but doesn't have to.
 description: # A summary of the content. 75-300 characters. Used in site search. Sometimes used on a search engine results page for improved SEO. Always end with period.
 ms.date: mm/dd/yyyy
 ms.prod: windows
 ms.technology: windows #more to come...
 ms.topic: conceptual #reference troubleshooting how-to end-user-help overview (more in contrib guide)
 ms.localizationpriority: medium #high null
 author: # GitHub username (aczechowski)
 ms.author: # MS alias (aaroncz)
 ms.reviewer: # MS alias of feature PM, optional
 manager: # MS alias of manager (dougeby)
 ms.collection: # optional
 - # highpri - high priority, strategic, important, current, etc. articles
 - # openauth - the article is owned by PM or community for open authoring
 ---
 # Metadata and Markdown Template
 _Applies to:_
 - Windows 11
 - Windows 10
 This docs.ms template contains examples of markdown syntax, and guidance on setting the metadata. It's available in the root directory of the Windows repository (`~\windows-docs-pr\template.md`).
 When you create a new markdown file article, **Save as** this template to a new file, fill out the metadata as specified below, set the H1 heading above (`#`) to the title of the article, and delete the template content.
 ## Metadata
 The full metadata block is above the markdown between the `---` lines. For more information, see [Metadata attributes](https://review.docs.microsoft.com/en-us/help/contribute/metadata-attributes?branch=main) in the contributor guide. Some key notes:
 - You _must_ have a space between the colon (`:`) and the value for a metadata element.
 - Remove all metadata comments (`#`)
 - Colons in a value (like the title) break the metadata parser. In their place, use the HTML encoding `&#58;` (for example, `title: Azure Rights Management&#58; the basics`).
 - `title`: This title appears in search engine results and the browser tab.
  - Don't end with a period.
  - Use Microsoft style _sentence case_.
  - The title can match the H1 heading (`#`) and the name in the toc.yml, but doesn't have to.
  - It should be roughly 55 characters or less for best search engine optimization (SEO).
 - `description`: Summarize the content, shows in search engine results. 75-300 characters. Always end with a period.
 - `ms.date`: After you Save As this template to the target file, with the Docs Authoring Pack extension installed, right-click anywhere in the .md file to **Update `ms.date` metadata value** and save the file.
 - `author`: The author field contains the **Github username** of the author.
  - This value is used in GitHub notifications, assignments, and other build automation in both the private and public repositories.
  - It's also used to display the first (left-most) contributor in the published article.
 - `ms.author` & `manager`: Microsoft aliases. ms.author and author are typically the same.
  - `ms.reviewer`: Optionally can specify the name of the PM associated with the article. Just for reference, not currently used by any automation.
 - `ms.prod`: Should always be `windows` for Windows content. (Some older articles still use `w10` and `w11`.)
 - `ms.technology`: Select one of the options based on the feature area. Currently the only option is `windows`.
 - `ms.topic`: Select one of the options based on the content type. This attribute is used in calculating content health (different content types are used differently by customers, so have different metrics).
 - `ms.localizationpriority`: **Medium** is the default, which is machine translation. For specific, high-priority content that requires human translation (extra cost), set this value to **high**. For any components that are only `en-us`, set this value to **null** for no localization.
 ## Basic markdown and GFM
 All basic and Github-flavored markdown (GFM) is supported. For more information, see the following articles:
 - [Docs Markdown reference in the Contributor Guide](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main)
 - [Baseline markdown syntax](https://daringfireball.net/projects/markdown/syntax)
 - [Github-flavored markdown (GFM) documentation](https://docs.github.com/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax)
 ## Headings
 Examples of first- and second-level headings are above.
 There **must** be only one first-level heading (`#`, also known as H1) in your article, which is displayed as the published title at the top of the page.
 Second-level headings (`##`, also known as H2) generate the on-page TOC that appears in the **In this article** section beside or underneath the on-page title.
 Limit the length of second-level headings to avoid excessive line wraps.
 Make sure _all_ headings of any level have a unique name for the article. The build creates an anchor for all headings on the page using kebab formatting. For example, from the [Docs Markdown reference](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main) article, the heading **Alerts (Note, Tip, Important, Caution, Warning)** becomes the anchor `#alerts-note-tip-important-caution-warning`. If there are duplicate headings, then the anchors don't behave properly. This behavior also applies when using include files, make sure the headings are unique across the main markdown file, and all include markdown files.
 Don't skip levels. For example, don't have an H3 (`###`) without a parent H2 (`##`).
 Configuration Manager content does use custom anchors in some articles. They're almost always prefixed with `bkmk_`, for example, `bkmk_client`. These anchors can help reduce the anchor size, but does require HTML code that may not always be supported by the docs build system. There's other functionality with the Docs Authoring Pack and the build validation that only works with native header anchors. Use custom anchors sparingly, and remove them in older articles when possible. When removing custom anchors, make sure to update all internal links from the old custom anchor to the native header kebab format.
 ### Third-level heading
 Third-level headings (and beyond) can be any length, as they don't appear **In this article**.
 #### Fourth-level heading
 ##### Fifth level heading
 ## Text styling
 _Italics_ (a single asterisk (`*`) also works, but the underscore (`_`) helps differentiate with the double asterisk (`**`) for bold)
 **Bold**
 ~~Strikethrough~~
 ## Links
 > [!TIP]
 > Use the **Docs Authoring Pack** extension to easily add links!
 >
 > 1. **Alt** + **M** to open the Docs Authoring Pack menu.
 > 1. Select **Link** and then follow the prompts.
 >
 > It supports headings in the current and other files too! (Just not the custom `bkmk` anchors that are sometimes used in this content.)
 For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
 ### Article in the same repo
 To link to an article in the same repo, use **file-relative links**. These links have the path to the target as relative to the current file, and always include the `.md` or `.yml` extension. For example, `[Windows client documentation for IT Pros](index.yml)`
 #### Link to headings
 To link to a heading _in the same markdown file_, add just the anchor as the link. It's either a custom HTML anchor (`#bkmk_client`) or the kebab case of the header. For example: `[Link to an article in the same repo](#article-in-the-same-repo)`. Kebab case is preferred over a custom anchor, as the build validates the link. Make sure headings aren't duplicated in the same article.
 To link to a heading _in a markdown file in the same repo_, use relative linking + hashtag linking. For example: `[Windows 11 availability](../whats-new/windows-11-plan.md#windows-11-availability)`
 ### Another docs.ms article
 To link to another docs.ms article not in the same repo, use a **root-relative link**. This style supports the potential future use of the doc content in a separate disconnected environment, like for a high security government customer, which would have a different domain. For example, `[Public contributor guide](/contribute/additional-resources)`.
 ### External URLs
 To link to an external file, use the full URL as the link. For example: `[Github](https://www.github.com)`
 - The link should always be **HTTPS**.
 - Remove any local from the URL, unless it doesn't work without it. Most all microsoft.com properties support language neutral URLs.
 ### Example links
 If you need to provide an example of a URL in the article, enclose it in a code block. For example: `https://www.contoso.com`
 This style makes sure the URL is ignored during build validation and the broken links report.
 ### Tips for links
 When your pull request runs, the build system validates all file-relative links and non-custom anchors. It will return a warning if it can't resolve a link.
 VSCode supports file-relative links and non-custom anchors, so you can easily navigate between pages, and test that links are valid.
 There's a broken link report that runs once a week in the build system, get the report from OPS.
 Don't use URL shorteners like `go.microsoft.com/fwlink` or `aka.ms`. Include the full URL to the target.
 For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
 ## Lists
 ### Ordered lists
 1. This list is ordered.
 1. This list is ordered.
 1. This list is ordered.
 1. This list is ordered.
 1. This list is ordered.
 You can explicitly number each line if needed, but this style lets the build autonumber it. This style is beneficial if you need to add or remove a step.
 #### Ordered list with an embedded list
 1. This list is ordered.
 1. This list is ordered.
 1. This list is ordered.
 1. This list is ordered.
    1. This list is embedded.
    1. This list is embedded.
 1. This list is ordered.
 1. This list is ordered.
 ### Unordered Lists
 - This list is bulleted.
 - This list is bulleted.
 - This list is bulleted.
 - This list is bulleted.
 - This list is bulleted.
 #### Unordered list with embedded lists
 - This list is bulleted.
 - This list is bulleted.
 - This list is bulleted.
  - This list is embedded.
  - This list is embedded.
 - This list is bulleted.
 - This list is bulleted.
    1. This list is embedded and ordered.
    1. This list is embedded and ordered.
 - This list is bulleted.
 ## Horizontal rule
 ---
 ## Tables
 | Tables        | Are           | Cool  |
 | ------------- |:-------------:| -----:|
 | col 3 is      | right-aligned | $1600 |
 | col 2 is      | centered      |   $12 |
 | col 1 is default | left-aligned     |    $1 |
 The Docs Authoring Pack has features to manage markdown tables. Select the entire table, then right-click to see the options.
 ## Code
 ### Codeblock
 ```json
 {
   "aggregator": {
   "batchSize": 1000,
   flushTimeout": "00:00:30"
   }
 }
 ```
 ### In-line code
 This sentence includes an example of `in-line code`.
 ## Blockquote
 > The drought had lasted now for ten million years, and the reign of the terrible lizards had long since ended. Here on the Equator, in the continent which would one day be known as Africa, the battle for existence had reached a new climax of ferocity, and the victor was not yet in sight. In this barren and desiccated land, only the small or the swift or the fierce could flourish, or even hope to survive.
 ## Images
 Use the Docs Authoring Pack menu to easily insert media.
 Always include alt text for accessibility, and always end it with a period.
 ### Static Image
 :::image type="content" source="media/deploy1.png" alt-text="A graphic of a laptop as a suitcase.":::
 ### Image with lightbox
 :::image type="content" source="media/deploy2.png" alt-text="A graphic of a computer with external monitor." lightbox="media/W10-WaaS-poster.PNG":::
 ### Animated gif
 :::image type="content" source="media/docs-filter-toc.gif" alt-text="Animated gif of 'filter by title' option in the table of contents.":::
 ### Linked Image
 [![Alt text for linked image.](memdocs/media/docs-github-edit.png)](https://azure.microsoft.com)
 ## Alerts
 ### Note
 > [!NOTE]
 > This is NOTE
 ### Warning
 > [!WARNING]
 > This is WARNING
 ### Tip
 > [!TIP]
 > This is TIP
 ### Caution
 > [!CAUTION]
 > This is CAUTION
 ### Important
 > [!IMPORTANT]
 > This is IMPORTANT
 ## Videos
 ### YouTube
 > [!VIDEO https://www.youtube.com/embed/rnhnZTrSZzI]
 ## docs.ms extensions
 > [!div class="nextstepaction"]
 > [Next step action](/mem/configmgr)
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@ -79,7 +79,14 @@ For a local account, the domain name should be the device name. When Get is exec
 The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
 <a href="" id="assignedaccess-configuration"></a>**./Device/Vendor/MSFT/AssignedAccess/Configuration**
-Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). Here's the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
+Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For more information about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). For more information on the schema, see [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
 Updated in Windows 10, version 1909. Added Microsoft Edge kiosk mode support. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. The breakout sequence is defined with the format modifiers + keys. An example breakout sequence would look something like "shift+alt+a", where "shift" and "alt" are the modifiers and "a" is the key.
 > [!Note]
 > In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
 >
 > Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective.
 Enterprises can use this to easily configure and manage the curated lockdown experience.
@ -248,7 +255,7 @@ KioskModeApp Replace
 ## AssignedAccessConfiguration XSD
-Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
+The schema below is for AssignedAccess Configuration up to Windows 10 20H2 release.
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
@ -259,11 +266,13 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
    xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
    xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
    xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
    targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config"
    >
    <xs:import namespace="http://schemas.microsoft.com/AssignedAccess/201810/config"/>
    <xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2020/config"/>
    <xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2021/config"/>
    <xs:complexType name="profile_list_t">
        <xs:sequence minOccurs="1" >
@ -273,8 +282,14 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
    <xs:complexType name="kioskmodeapp_t">
        <xs:attribute name="AppUserModelId" type="xs:string"/>
        <xs:attributeGroup ref="ClassicApp_attributeGroup"/>
    </xs:complexType>
    <xs:attributeGroup name="ClassicApp_attributeGroup">
        <xs:attribute ref="v4:ClassicAppPath"/>
        <xs:attribute ref="v4:ClassicAppArguments" use="optional"/>
    </xs:attributeGroup>
    <xs:complexType name="profile_t">
        <xs:choice>
            <xs:sequence minOccurs="1" maxOccurs="1">
@ -283,7 +298,19 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
                <xs:element name="StartLayout" type="xs:string" minOccurs="1" maxOccurs="1"/>
                <xs:element name="Taskbar" type="taskbar_t" minOccurs="1" maxOccurs="1"/>
            </xs:sequence>
-            <xs:element name="KioskModeApp" type="kioskmodeapp_t" minOccurs="1" maxOccurs="1"/>
+            <xs:sequence minOccurs="1" maxOccurs="1">
                <xs:element name="KioskModeApp" type="kioskmodeapp_t" minOccurs="1" maxOccurs="1">
                    <xs:key name="mutualExclusionAumidOrClassicAppPath">
                        <xs:selector xpath="."/>
                        <xs:field xpath="@AppUserModelId|@v4:ClassicAppPath"/>
                    </xs:key>
                    <xs:unique name="mutualExclusionAumidOrClassicAppArgumentsOptional">
                        <xs:selector xpath="."/>
                        <xs:field xpath="@AppUserModelId|@v4:ClassicAppArguments"/>
                    </xs:unique>
                </xs:element>
                <xs:element ref="v4:BreakoutSequence" minOccurs="0" maxOccurs="1"/>
            </xs:sequence>
        </xs:choice>
        <xs:attribute name="Id" type="guid_t" use="required"/>
        <xs:attribute name="Name" type="xs:string" use="optional"/>
@ -384,6 +411,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
    <xs:simpleType name="specialGroupType_t">
        <xs:restriction base="xs:string">
            <xs:enumeration value="Visitor"/>
            <xs:enumeration value="DeviceOwner"/>
        </xs:restriction>
    </xs:simpleType>
@ -422,7 +450,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
            </xs:all>
        </xs:complexType>
    </xs:element>
-</xs:schema>
+</xs:schema>);
 ```
 Here's the schema for new features introduced in Windows 10 1809 release
@ -501,7 +529,32 @@ Schema for Windows 10 prerelease
 </xs:schema>
 ```
-To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure auto-launch feature that is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
+The schema below is for features introduced in Windows 10, version 1909 which has added support for Microsoft Edge kiosk mode and breakout key sequence customization.
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <xs:schema
    elementFormDefault="qualified"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning"
    vc:minVersion="1.1"
    xmlns="http://schemas.microsoft.com/AssignedAccess/2021/config"
    xmlns:default="http://schemas.microsoft.com/AssignedAccess/2021/config"
    targetNamespace="http://schemas.microsoft.com/AssignedAccess/2021/config"
    >
    <xs:attribute name="ClassicAppPath" type="xs:string"/>
    <xs:attribute name="ClassicAppArguments" type="xs:string"/>
    <xs:element name="BreakoutSequence" type="BreakoutSequence_t" />
    <xs:complexType name="BreakoutSequence_t">
        <xs:attribute name="Key" type="xs:string" use="required"/>
    </xs:complexType>
 </xs:schema>
 ```
 To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature that's added in the 1809 release, use the below sample. Notice an alias r1809 is given to the 201810 namespace for the 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
 ```xml
 <AssignedAccessConfiguration
@ -517,6 +570,7 @@ To authorize a compatible configuration XML that includes 1809 or prerelease ele
 ## Example AssignedAccessConfiguration XML
 Example XML configuration for a multi-app kiosk:
 ```xml
 <?xml version="1.0" encoding="utf-8" ?>
 <AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
@ -568,6 +622,53 @@ To authorize a compatible configuration XML that includes 1809 or prerelease ele
 </AssignedAccessConfiguration>
 ```
 Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode.
 ```xml
 <?xml version="1.0" encoding="utf-8" ?>
 <AssignedAccessConfiguration
  xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
  xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
  >
  <Profiles>
    <Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}">
      <KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe"
                                  v4:ClassicAppArguments="--no-first-run --kiosk-idle-timeout-minutes=5 --kiosk www.bing.com"/>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>EdgeKioskUser</Account>
      <DefaultProfile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}"/>
    </Config>
  </Configs>
 </AssignedAccessConfiguration>
 ```
 Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk.
 > [!NOTE]
 > **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk.
 ```xml
 <?xml version="1.0" encoding="utf-8" ?>
 <AssignedAccessConfiguration
  xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
  xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
  >
  <Profiles>
    <Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}">
      <KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe"
                                  v4:ClassicAppArguments="--no-first-run --kiosk-idle-timeout-minutes=5 --kiosk www.bing.com"/>
      <v4:BreakoutSequence Key="Ctrl+A"/>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>EdgeKioskUser</Account>
      <DefaultProfile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}"/>
    </Config>
  </Configs>
 </AssignedAccessConfiguration>
 ```
 ## Configuration examples
 XML encoding (escaped) and CDATA of the XML in the Data node will both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle.
--- a/windows/client-management/mdm/assignedaccess-ddf.md
+++ b/windows/client-management/mdm/assignedaccess-ddf.md
@ -22,8 +22,7 @@ You can download the DDF files from the links below:
 - [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
 - [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
-The XML below is for Windows 10, version 1803.
+The XML below is for Windows 10, version 1909.
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
@ -50,7 +49,7 @@ The XML below is for Windows 10, version 1803.
                <Permanent />
            </Scope>
            <DFType>
-                <MIME>com.microsoft/2.0/MDM/AssignedAccess</MIME>
+                <MIME>com.microsoft/4.0/MDM/AssignedAccess</MIME>
            </DFType>
        </DFProperties>
        <Node>
@ -208,4 +207,3 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@ -7,7 +7,7 @@ ms.prod: w10
 ms.technology: windows
 author: dansimp
 ms.localizationpriority: medium
-ms.date: 09/27/2019
+ms.date: 05/09/2022
 ms.reviewer: 
 manager: dansimp
 ---
@ -72,6 +72,9 @@ manager: dansimp
 <hr/>
 > [!Important]
 > The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For additional information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types)).
 <!--Policy-->
 <a href="" id="devicelock-allowidlereturnwithoutpassword"></a>**DeviceLock/AllowIdleReturnWithoutPassword**  
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@ -266,7 +266,7 @@ ms.collection: highpri
 Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. there's a 12-hour maximum from start time.
 > [!NOTE]
-> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured.  See **Update/ActiveHoursMaxRange** below for more information.
+> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured.  See **Update/ActiveHoursMaxRange** below for more information.
 Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
@ -361,7 +361,7 @@ ADMX Info:
 Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time.
 > [!NOTE]
-> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured.  See **Update/ActiveHoursMaxRange** above for more information.
+> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured.  See **Update/ActiveHoursMaxRange** above for more information.
 Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
@ -426,12 +426,12 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
+- 0 - Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
 - 1 - Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
 - 2 (default) - Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. Automatic restarting when a device isn't being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
+- 3 - Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only.
+- 4 - Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only.
- 5 – Turn off automatic updates.
+- 5 - Turn off automatic updates.
 > [!IMPORTANT]
@ -536,8 +536,8 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
- 0 – Not configured.
+- 0 - Not configured.
- 1 – Allowed. Accepts updates received through Microsoft Update.
+- 1 - Allowed. Accepts updates received through Microsoft Update.
 > [!NOTE]
 > Setting this policy back to **0** or **Not configured** doesn't revert the configuration to receive updates from Microsoft Update automatically. In order to revert the configuration, you can run the PowerShell commands that are listed below to remove the Microsoft Update service:.
@ -588,8 +588,8 @@ This policy is specific to desktop and local publishing via WSUS for third-party
 <!--SupportedValues-->
 The following list shows the supported values:
- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
+- 0 - Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
+- 1 - Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
 <!--/SupportedValues-->
 <!--/Policy-->
@ -629,7 +629,7 @@ Even when Windows Update is configured to receive updates from an intranet updat
 Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working.
 > [!NOTE]
-> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
+> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
 <!--/Description-->
 <!--ADMXMapped-->
@ -643,8 +643,8 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
- 0 – Update service isn't allowed.
+- 0 - Update service isn't allowed.
- 1 (default) – Update service is allowed.
+- 1 (default) - Update service is allowed.
 <!--/SupportedValues-->
 <!--/Policy-->
@ -856,8 +856,8 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
- 1 (default) – Auto Dismissal.
+- 1 (default) - Auto Dismissal.
- 2 – User Dismissal.
+- 2 - User Dismissal.
 <!--/SupportedValues-->
 <!--/Policy-->
@ -1306,7 +1306,7 @@ Defers Feature Updates for the specified number of days.
 Supported values are 0-365 days.
 > [!IMPORTANT]
-> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703.
+> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703.
 <!--/Description-->
 <!--ADMXMapped-->
@ -1393,7 +1393,7 @@ ADMX Info:
 <!--/Scope-->
 <!--Description-->
 > [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
 Allows IT Admins to specify update delays for up to four weeks.
@ -1471,7 +1471,7 @@ ADMX Info:
 <!--/Scope-->
 <!--Description-->
 > [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
 Allows IT Admins to specify other upgrade delays for up to eight months.
@ -1616,18 +1616,18 @@ The following list shows the supported values:
 <!--/Scope-->
 <!--Description-->
-Available in Windows Update for Business (WUfB) devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a WUfB device should skip safeguards.
+Available in Windows Update for Business devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a Windows Update for Business device should skip safeguards.
 Safeguard holds prevent a device with a known compatibility issue from being offered a new OS version. The offering will proceed once a fix is issued and is verified on a held device. The aim of safeguards is to protect the device and user from a failed or poor upgrade experience.
 The safeguard holds protection is provided by default to all the devices trying to update to a new Windows 10 Feature Update version via Windows Update.
-IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the “Disable safeguards for Feature Updates” Group Policy. 
+IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the "Disable safeguards for Feature Updates" Group Policy. 
 > [!NOTE]
 > Opting out of the safeguards can put devices at risk from known performance issues. We recommend opting out only in an IT environment for validation purposes. Further, you can leverage the Windows Insider Program for Business Release Preview Channel in order to validate the upcoming Windows 10 Feature Update version without the safeguards being applied.
 >
-> The disable safeguards policy will revert to “Not Configured” on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update. 
+> The disable safeguards policy will revert to "Not Configured" on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft's default protection from known issues for each new feature update. 
 >
 > Disabling safeguards doesn't guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade as you're bypassing the protection given by Microsoft pertaining to known issues.
@ -2069,8 +2069,8 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
- 0 (default) – Allow Windows Update drivers.
+- 0 (default) - Allow Windows Update drivers.
- 1 – Exclude Windows Update drivers.
+- 1 - Exclude Windows Update drivers.
 <!--/SupportedValues-->
 <!--/Policy-->
@ -2121,8 +2121,8 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
- 0 (default) – Disabled.
+- 0 (default) - Disabled.
- 1 – Enabled.
+- 1 - Enabled.
 <!--/SupportedValues-->
 <!--/Policy-->
@ -2164,8 +2164,8 @@ Specifies whether to ignore the MO download limit (allow unlimited downloading)
 <!--SupportedValues-->
 The following list shows the supported values:
- 0 (default) – Don't ignore MO download limit for apps and their updates.
+- 0 (default) - Don't ignore MO download limit for apps and their updates.
- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates.
+- 1 - Ignore MO download limit (allow unlimited downloading) for apps and their updates.
 <!--/SupportedValues-->
 <!--Validation-->
@ -2217,8 +2217,8 @@ Specifies whether to ignore the MO download limit (allow unlimited downloading)
 <!--SupportedValues-->
 The following list shows the supported values:
- 0 (default) – Don't ignore MO download limit for OS updates.
+- 0 (default) - Don't ignore MO download limit for OS updates.
- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates.
+- 1 - Ignore MO download limit (allow unlimited downloading) for OS updates.
 <!--/SupportedValues-->
 <!--Validation-->
@ -2312,7 +2312,7 @@ The following list shows the supported values:
 <!--/Scope-->
 <!--Description-->
 > [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
 Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
@ -2333,8 +2333,8 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
- 0 (default) – Deferrals aren't paused.
+- 0 (default) - Deferrals aren't paused.
- 1 – Deferrals are paused.
+- 1 - Deferrals are paused.
 <!--/SupportedValues-->
 <!--/Policy-->
@ -2383,8 +2383,8 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
- 0 (default) – Feature Updates aren't paused.
+- 0 (default) - Feature Updates aren't paused.
- 1 – Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner.
+- 1 - Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner.
 <!--/SupportedValues-->
 <!--/Policy-->
@ -2476,8 +2476,8 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
- 0 (default) – Quality Updates aren't paused.
+- 0 (default) - Quality Updates aren't paused.
- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
+- 1 - Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
 <!--/SupportedValues-->
 <!--/Policy-->
@ -2580,7 +2580,7 @@ ADMX Info:
 <!--/ADMXMapped-->
 <!--SupportedValues-->
-Value type is a string containing a Windows product, for example, “Windows 11” or “11” or “Windows 10”.
+Value type is a string containing a Windows product, for example, "Windows 11" or "11" or "Windows 10".
 <!--/SupportedValues-->
 <!--Example-->
@ -2624,7 +2624,7 @@ By using this Windows Update for Business policy to upgrade devices to a new pro
 <!--/Scope-->
 <!--Description-->
 > [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
 Allows the IT admin to set a device to General Availability Channel train.
@ -2640,8 +2640,8 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
- 0 (default) – User gets upgrades from General Availability Channel (Targeted).
+- 0 (default) - User gets upgrades from General Availability Channel (Targeted).
- 1 – User gets upgrades from General Availability Channel.
+- 1 - User gets upgrades from General Availability Channel.
 <!--/SupportedValues-->
 <!--/Policy-->
@ -2675,7 +2675,7 @@ The following list shows the supported values:
 <!--/Scope-->
 <!--Description-->
 > [!NOTE]
-> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. 
+> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. 
 Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end user. EULAs are approved once an update is approved.
@ -2686,8 +2686,8 @@ Supported operations are Get and Replace.
 <!--SupportedValues-->
 The following list shows the supported values:
- 0 – Not configured. The device installs all applicable updates.
+- 0 - Not configured. The device installs all applicable updates.
- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
+- 1 - The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
 <!--/SupportedValues-->
 <!--/Policy-->
@ -2769,7 +2769,7 @@ Supported values are 15, 30, or 60 (minutes).
 <!--/Scope-->
 <!--Description-->
 > [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
 Allows the IT Admin to specify the period for autorestart warning reminder notifications.
@ -2839,14 +2839,14 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
- 0 (default) – Every day
+- 0 (default) - Every day
- 1 – Sunday
+- 1 - Sunday
- 2 – Monday
+- 2 - Monday
- 3 – Tuesday
+- 3 - Tuesday
- 4 – Wednesday
+- 4 - Wednesday
- 5 – Thursday
+- 5 - Thursday
- 6 – Friday
+- 6 - Friday
- 7 – Saturday
+- 7 - Saturday
 <!--/SupportedValues-->
 <!--/Policy-->
@ -3110,7 +3110,7 @@ ADMX Info:
 <!--/Scope-->
 <!--Description-->
 > [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
 Enables the IT admin to schedule the time of the update installation.
@ -3178,8 +3178,8 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
- 0 (default) – Enabled
+- 0 (default) - Enabled
- 1 – Disabled
+- 1 - Disabled
 <!--/SupportedValues-->
 <!--/Policy-->
@ -3675,9 +3675,9 @@ Display options for update notifications. This policy allows you to define what
 Options: 
-  0 (default) – Use the default Windows Update notifications
+-  0 (default) - Use the default Windows Update notifications
-  1 – Turn off all notifications, excluding restart warnings
+-  1 - Turn off all notifications, excluding restart warnings
-  2 – Turn off all notifications, including restart warnings
+-  2 - Turn off all notifications, including restart warnings
 > [!IMPORTANT]
 > If you choose not to get update notifications and also define other Group policies so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk.
--- a/windows/client-management/mdm/update-ddf-file.md
+++ b/windows/client-management/mdm/update-ddf-file.md
@ -560,7 +560,7 @@ The XML below is for Windows 10, version 1803.
          </AccessType>
          <Description>
            Roll back Latest Quality Update, if the machine meets the following conditions:
-            Condition 1: Device must be WUfB Connected
+            Condition 1: Device must be Windows Update for Business connected
            Condition 2: Device must be in a Paused State
            Condition 3: Device must have the Latest Quality Update installed on the device (Current State)
            If the conditions are not true, the device will not Roll Back the Latest Quality Update.
@ -588,7 +588,7 @@ The XML below is for Windows 10, version 1803.
          </AccessType>
          <Description>
            Roll Back Latest Feature Update, if the machine meets the following conditions:
-            Condition 1: Device must be WUfB Connected
+            Condition 1: Device must be Windows Update for Business connected
            Condition 2: Device must be in Paused State
            Condition 3: Device must have the Latest Feature Update Installed on the device (Current State)
            Condition 4: Machine should be within the uninstall period
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@ -46,7 +46,9 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t
 ## Guidelines for web browsers
-Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy)
+In Windows 10, version 1909, assigned access adds support for the new Microsoft Edge kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](/DeployEdge/microsoft-edge-configure-kiosk-mode).
 In Windows 10, version 1809, Microsoft Edge Legacy includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy).
 In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. 
@ -156,6 +158,12 @@ You can create your own web browser Windows app by using the WebView class. Lear
 Avoid selecting Windows apps that may expose the information you don’t want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access.
 ## Customize your breakout sequence
 Assigned access allows for the specification of a new breakout sequence. A breakout sequence is a keyboard shortcut that stops the kiosk experience and brings the user back to the lock screen. By default the breakout sequence is configured to be ctrl+alt+delete, a common Windows keyboard shortcut. It is recommended that this is set to a non-standard Windows shortcut to prevent disruptions in the kiosk experience.
 There is currently no user interface for customizing the breakout sequence in Windows settings, so it would need to be specified in a provisioning method where an XML format such as MDM is used.
 ## App configuration
 Some apps may require additional configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access. 
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@ -342,3 +342,8 @@ If you press **Ctrl + Alt + Del** and do not sign in to another account, after a
 `HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
 To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
 > [!NOTE]
 > **IdleTimeOut** doesn't apply to the new Microsoft Edge kiosk mode.
 The Breakout Sequence of **Ctrl + Alt + Del** is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence would look something like **Shift + Alt + a**, where **Shift** and **Alt** are the modifiers and **a** is the key value. For more information, see [Microsoft Edge kiosk XML sample](/windows/configuration/kiosk-xml#microsoft-edge-kiosk-xml-sample).
--- a/windows/configuration/kiosk-xml.md
+++ b/windows/configuration/kiosk-xml.md
@ -254,16 +254,40 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
 ```
 ## Microsoft Edge Kiosk XML Sample
 ```xml
 <?xml version="1.0" encoding="utf-8" ?>
 <AssignedAccessConfiguration
  xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
  xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
  >
  <Profiles>
    <Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}">
      <KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe"
        <KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe"
                                  v4:ClassicAppArguments="--no-first-run --kiosk-idle-timeout-minutes=5 --kiosk www.bing.com"/>
        <v4:BreakoutSequence Key="Ctrl+A"/>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>EdgeKioskUser</Account>
      <DefaultProfile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}"/>
    </Config>
  </Configs>
 </AssignedAccessConfiguration>
 ```
 ## Global Profile Sample XML
 Global Profile is supported on:
 - Windows 10 version 2004+
 - Windows 11
 - Windows 10, version 2004 and later
-Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user.
+Global Profile is designed for scenarios where a user doesn't have a designated profile, yet you still want the user to run in lockdown mode. It's also used as mitigation when a profile can't be determined for a user.
-This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in.
+This sample demonstrates that only a global profile is used, with no active user configured. Global Profile will be applied when every non-admin account signs in.
 ```xml
 <?xml version="1.0" encoding="utf-8" ?>
@ -643,12 +667,11 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n
 ## XSD for AssignedAccess configuration XML
 > [!NOTE]
->Updated for Windows 10, version 1903+.
+> Updated for Windows 10, version 1903 and later.
-The following XML schema is for AssignedAccess Configuration up to Windows 10 1803 release:
+The following XML schema is for AssignedAccess Configuration up to Windows 10, version 1803 release:
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <xs:schema
    elementFormDefault="qualified"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
@ -656,11 +679,13 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18
    xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
    xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
    xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
    targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config"
    >
    <xs:import namespace="http://schemas.microsoft.com/AssignedAccess/201810/config"/>
    <xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2020/config"/>
    <xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2021/config"/>
    <xs:complexType name="profile_list_t">
        <xs:sequence minOccurs="1" >
@ -670,8 +695,14 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18
    <xs:complexType name="kioskmodeapp_t">
        <xs:attribute name="AppUserModelId" type="xs:string"/>
        <xs:attributeGroup ref="ClassicApp_attributeGroup"/>
    </xs:complexType>
    <xs:attributeGroup name="ClassicApp_attributeGroup">
        <xs:attribute ref="v4:ClassicAppPath"/>
        <xs:attribute ref="v4:ClassicAppArguments" use="optional"/>
    </xs:attributeGroup>
    <xs:complexType name="profile_t">
        <xs:choice>
            <xs:sequence minOccurs="1" maxOccurs="1">
@ -680,7 +711,19 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18
                <xs:element name="StartLayout" type="xs:string" minOccurs="1" maxOccurs="1"/>
                <xs:element name="Taskbar" type="taskbar_t" minOccurs="1" maxOccurs="1"/>
            </xs:sequence>
-            <xs:element name="KioskModeApp" type="kioskmodeapp_t" minOccurs="1" maxOccurs="1"/>
+            <xs:sequence minOccurs="1" maxOccurs="1">
                <xs:element name="KioskModeApp" type="kioskmodeapp_t" minOccurs="1" maxOccurs="1">
                    <xs:key name="mutualExclusionAumidOrClassicAppPath">
                        <xs:selector xpath="."/>
                        <xs:field xpath="@AppUserModelId|@v4:ClassicAppPath"/>
                    </xs:key>
                    <xs:unique name="mutualExclusionAumidOrClassicAppArgumentsOptional">
                        <xs:selector xpath="."/>
                        <xs:field xpath="@AppUserModelId|@v4:ClassicAppArguments"/>
                    </xs:unique>
                </xs:element>
                <xs:element ref="v4:BreakoutSequence" minOccurs="0" maxOccurs="1"/>
            </xs:sequence>
        </xs:choice>
        <xs:attribute name="Id" type="guid_t" use="required"/>
        <xs:attribute name="Name" type="xs:string" use="optional"/>
@ -781,6 +824,7 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18
    <xs:simpleType name="specialGroupType_t">
        <xs:restriction base="xs:string">
            <xs:enumeration value="Visitor"/>
            <xs:enumeration value="DeviceOwner"/>
        </xs:restriction>
    </xs:simpleType>
--- a/windows/configuration/wcd/wcd-admxingestion.md
+++ b/windows/configuration/wcd/wcd-admxingestion.md
@ -15,21 +15,59 @@ manager: dougeby
 # ADMXIngestion (Windows Configuration Designer reference)
-Starting in Windows 10, version 1703, you can import (*ingest*) select Group Policy administrative templates (ADMX files) and configure values for ADMX-backed policies in a provisioning package. To see which types of ADMX-backed policies can be applied, see [Win32 and Desktop Bridge app policy configuration overview](/windows/client-management/mdm/win32-and-centennial-app-policy-configuration). 
+Starting in Windows 10, version 1703, you can import (*ingest*) Group Policy administrative templates (ADMX files) and configure values for ADMX-backed policies in a provisioning package. To see which types of ADMX-backed policies can be applied, see [Win32 and Desktop Bridge app policy configuration overview](/windows/client-management/mdm/win32-and-centennial-app-policy-configuration). 
 - The settings under [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) allow you to set values for policies in the imported ADMX file. 
 - The settings under [ConfigOperations](#configoperations) specify the ADMX file to be imported.
 >[!IMPORTANT]
->Only per-device policies can be set using a provisioning package.
+>Only device scope policies (class="Machine" or class="Both") can be set using a provisioning package.
 ## Applies to
-| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Enterprise |
 | --- | :---: | :---: | :---: | :---: |
-| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy)  | ✔️ |  |  |  |
+| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy)  | ✔️ |  |  | ✔️ |
-| [ConfigOperations](#configoperations)  | ✔️ |  |   |   |
+| [ConfigOperations](#configoperations)  | ✔️ |  |   | ✔️ |
 ## ConfigOperations
 Use **ConfigOperations** to import ADMX policies from an ADMX file.
 1. Enter an app name, and then click **Add**. 
    This can be any name you assign, so choose something descriptive to help you identify its purpose. For example, if you are importing ADMX for Chromium Edge, enter an app name.
    Example, `MSEdgeEfficiencyMode`
 2. Select the app name in the Customizations pane, select a setting type, and then click **Add**. 
    The choices, **Policy** and **Preference**, have no impact on the behavior of the settings, and are only provided for your convenience should you want to categorize the settings you add. 
 3. Select the setting type in the Customizations pane. In the **AdmxFileUid** field, enter the name of the ADMX file or a unique ID for the file, and then click **Add**.
    The **AdmxFileUid** can be any string, but must be unique in the provisioning package. Using the name of the ADMX file will help you identify the file in the future. 
    Example, `MSEdgeEfficiencyMode`
    >[!NOTE]
    >Keeping the AdmxFileUid and AppName the same will help prevent authorizing errors. 
 4. Select the AdmxFileUid in the Customizations pane, and paste the contents of the ADMX file in the text field. Before copying the contents of the ADMX file, you must convert it to a single-line. See [Convert multi-line to single line](#convert) for instructions.
    >[!NOTE]
    >When you have a large ADMX file, you may want to only include specific settings. Instead of pasting in the entire ADMX file, you can paste just one or more specific policies (after converting them to single-line).  
    Example, EfficiencyMode
    ```XML
    <policy class="Both" displayName="$(string.EfficiencyMode)" explainText="$(string.EfficiencyMode_Explain)" key="Software\Policies\Microsoft\Edge" name="EfficiencyMode" presentation="$(presentation.EfficiencyMode)">      <parentCategory ref="Performance"/>      <supportedOn ref="SUPPORTED_WIN7_V96"/>      <elements>        <enum id="EfficiencyMode" valueName="EfficiencyMode">          <item displayName="$(string.EfficiencyMode_AlwaysActive)">            <value>              <decimal value="0"/>            </value>          </item>          <item displayName="$(string.EfficiencyMode_NeverActive)">            <value>              <decimal value="1"/>            </value>          </item>          <item displayName="$(string.EfficiencyMode_ActiveWhenUnplugged)">            <value>              <decimal value="2"/>            </value>          </item>          <item displayName="$(string.EfficiencyMode_ActiveWhenUnpluggedBatteryLow)">            <value>              <decimal value="3"/>            </value>          </item>        </enum>      </elements>    </policy>
    ```
 5. Repeat for each ADMX, or set of ADMX policies, that you want to add, and then configure [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) for each one.
 <span id="convert"/>
 ## ConfigADMXInstalledPolicy
@ -40,59 +78,121 @@ In **ConfigADMXInstalledPolicy**, you provide a policy setting and value for tha
 1. Enter an area name, and then click **Add**. The structure of the area name is the following:
-    `AppName (from ConfigOperations)`~`SettingType`~`category name from ADMX`
+    `<AppName (from ConfigOperations)>~<SettingType>~<category name from ADMX>`
    See [Category and policy in ADMX](#category-and-policy-in-admx) for more information. A setting may have multiple levels of category names, as in the following example. 
-    Example: `Office16~Policy~L_MicrosoftOfficemachine~L_Updates`
+    Example: `MSEdgeEfficiencyMode~Policy~microsoft_edge~Performance`
-2. Select the area name in the Customization pane, enter a policy name from the ADMX, and then click **Add**. For example, `L_HideEnableDisableUpdates`.
+2. Select the area name in the Customization pane, enter a policy name from the ADMX, and then click **Add**. 
 3. Select the policy name in the Customization pane, and then enter a value from the ADMX in the text field. For example, `<disabled/>`.
-## ConfigOperations
+    Example, `EfficiencyMode`.
-Use **ConfigOperations** to import an ADMX file or policies from an ADMX file.
+3. Select the policy name in the Customization pane, and then enter a value from the ADMX in the text field. 
-1. Enter an app name, and then click **Add**. 
+    Example, `<enabled/><data id="EfficiencyMode" Value="2">`.
    This can be any name you assign, so choose something descriptive to help you identify its purpose. For example, if you are importing ADMX for Office 16, enter an app name of **Office 16**.
-2. Select the app name in the Customizations pane, select a setting type, and then click **Add**. 
+## Category and policy in ADMX
-    The choices, **Policy** and **Preference**, have no impact on the behavior of the settings, and are only provided for your convenience should you want to categorize the settings you add. 
+The following samples show the ADMX file for Chromium Edge used in the examples in the procedures above. The first sample highlights the category names.
-3. Select the setting type in the Customizations pane. In the **AdmxFileUid** field, enter the name of the ADMX file or a unique ID for the file, and then click **Add**.
+```XML
  <categories>
    <category displayName="$(string.microsoft_edge)" name="microsoft_edge"/>
    <category displayName="$(string.Performance_group)" name="Performance">
      <parentCategory ref="microsoft_edge"/>
    </category>
  </categories>
 ```
 <!--![Snippet of ADMX shows category names highlighted.](../images/admx-category.png)-->
-    The **AdmxFileUid** can be any string, but must be unique in the provisioning package. Using the name of the ADMX file will help you identify the file in the future. 
+The next sample highlights the specific policy.
-4. Select the AdmxFileUid in the Customizations pane, and paste the contents of the ADMX file in the text field. Before copying the contents of the ADMX file, you must convert it to a single-line. See [Convert multi-line to single line](#convert) for instructions.
+```XML
    <policy class="Both" displayName="$(string.EfficiencyMode)" explainText="$(string.EfficiencyMode_Explain)" key="Software\Policies\Microsoft\Edge" name="EfficiencyMode" presentation="$(presentation.EfficiencyMode)">
      <parentCategory ref="Performance"/>
      <supportedOn ref="SUPPORTED_WIN7_V96"/>
      <elements>
        <enum id="EfficiencyMode" valueName="EfficiencyMode">
          <item displayName="$(string.EfficiencyMode_AlwaysActive)">
            <value>
              <decimal value="0"/>
            </value>
          </item>
          <item displayName="$(string.EfficiencyMode_NeverActive)">
            <value>
              <decimal value="1"/>
            </value>
          </item>
          <item displayName="$(string.EfficiencyMode_ActiveWhenUnplugged)">
            <value>
              <decimal value="2"/>
            </value>
          </item>
          <item displayName="$(string.EfficiencyMode_ActiveWhenUnpluggedBatteryLow)">
            <value>
              <decimal value="3"/>
            </value>
          </item>
        </enum>
      </elements>
    </policy>
 ```
 <!--![Snipped of ADMX shows policy setting highlighted.](../images/admx-policy.png)-->
    >[!NOTE]
    >When you have a large ADMX file, you may want to only include specific settings. Instead of pasting in the entire ADMX file, you can paste just one or more specific policies (after converting them to single-line).  
 5. Repeat for each ADMX, or set of ADMX policies, that you want to add, and then configure [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) for each one.
 <span id="convert"/>
 ## Convert multi-line to single line
 Use the following PowerShell cmdlet to remove carriage returns and line feeds from a multi-line file to create a single-line file that you can paste in **AdmxFileUid**.
 ```PS
-$path="file path"
+$outputFile = "output.admx"
-(Get-Content $admxFile -Raw).Replace("`r`n","") | Set-Content $path -Force
+$inputFile = "input.admx"
 (Get-Content $inputFile -Raw).Replace("`r`n","") | Set-Content $outputFile -Force
 ```
-## Category and policy in ADMX
+## Configuration Samples
-
+Example: Edge Efficiency Mode
-The following images show snippets of the ADMX file for Office 16 that are used in the examples in the procedures above. The first image highlights the category names.
+```XML
-
+<?xml version="1.0" encoding="utf-8"?>
-![Snippet of ADMX shows category names highlighted.](../images/admx-category.png)
+<WindowsCustomizations>
-
+  <PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
-The next image highlights the specific policy.
+    <ID>{d1ab1e3e-6e6d-4bd5-b35b-34cca18d2e16}</ID>
-
+    <Name>MSEdgeEfficiencyMode</Name>
-![Snipped of ADMX shows policy setting highlighted.](../images/admx-policy.png)
+    <Version>1.1</Version>
-
+    <OwnerType>OEM</OwnerType>
    <Rank>0</Rank>
    <Notes></Notes>
  </PackageConfig>
  <Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
    <Customizations>
      <Common>
        <ADMXIngestion>
          <ConfigADMXInstalledPolicy>
            <AreaName>
              <PolicyName AreaName="MSEdgeEfficiencyMode~Policy~microsoft_edge~Performance" Name="MSEdgeEfficiencyMode~Policy~microsoft_edge~Performance">
                <SetAdmxPolicy PolicyName="EfficiencyMode" Name="EfficiencyMode">&lt;enabled/&gt;&lt;data id="EfficiencyMode" value="2"/&gt;</SetAdmxPolicy>
              </PolicyName>
            </AreaName>
          </ConfigADMXInstalledPolicy>
          <ConfigOperations>
            <ADMXInstall>
              <AppName>
                <SettingType AppName="MSEdgeEfficiencyMode" Name="MSEdgeEfficiencyMode">
                  <ADMXFileUniqueID SettingType="Policy" Name="Policy">
                    <InsertADMXFile AdmxFileUid="MSEdgeEfficiencyMode" Name="MSEdgeEfficiencyMode">&lt;?xml version="1.0" ?&gt;&lt;policyDefinitions revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions"&gt;  &lt;!--microsoft_edge version: 96.0.1054.62--&gt;  &lt;policyNamespaces&gt;    &lt;target namespace="Microsoft.Policies.Edge" prefix="microsoft_edge"/&gt;    &lt;using namespace="Microsoft.Policies.Windows" prefix="windows"/&gt;  &lt;/policyNamespaces&gt;  &lt;resources minRequiredRevision="1.0"/&gt;  &lt;supportedOn&gt;    &lt;definitions&gt;      &lt;definition displayName="$(string.SUPPORTED_WIN7_V96)" name="SUPPORTED_WIN7_V96"/&gt;    &lt;/definitions&gt;  &lt;/supportedOn&gt;  &lt;categories&gt;    &lt;category displayName="$(string.microsoft_edge)" name="microsoft_edge"/&gt;    &lt;category displayName="$(string.Performance_group)" name="Performance"&gt;      &lt;parentCategory ref="microsoft_edge"/&gt;    &lt;/category&gt;  &lt;/categories&gt;  &lt;policies&gt;    &lt;policy class="Both" displayName="$(string.EfficiencyMode)" explainText="$(string.EfficiencyMode_Explain)" key="Software\Policies\Microsoft\Edge" name="EfficiencyMode" presentation="$(presentation.EfficiencyMode)"&gt;      &lt;parentCategory ref="Performance"/&gt;      &lt;supportedOn ref="SUPPORTED_WIN7_V96"/&gt;      &lt;elements&gt;        &lt;enum id="EfficiencyMode" valueName="EfficiencyMode"&gt;          &lt;item displayName="$(string.EfficiencyMode_AlwaysActive)"&gt;            &lt;value&gt;              &lt;decimal value="0"/&gt;            &lt;/value&gt;          &lt;/item&gt;          &lt;item displayName="$(string.EfficiencyMode_NeverActive)"&gt;            &lt;value&gt;              &lt;decimal value="1"/&gt;            &lt;/value&gt;          &lt;/item&gt;          &lt;item displayName="$(string.EfficiencyMode_ActiveWhenUnplugged)"&gt;            &lt;value&gt;              &lt;decimal value="2"/&gt;            &lt;/value&gt;          &lt;/item&gt;          &lt;item displayName="$(string.EfficiencyMode_ActiveWhenUnpluggedBatteryLow)"&gt;            &lt;value&gt;              &lt;decimal value="3"/&gt;            &lt;/value&gt;          &lt;/item&gt;        &lt;/enum&gt;      &lt;/elements&gt;    &lt;/policy&gt;  &lt;/policies&gt;&lt;/policyDefinitions&gt;</InsertADMXFile>
                  </ADMXFileUniqueID>
                </SettingType>
              </AppName>
            </ADMXInstall>
          </ConfigOperations>
        </ADMXIngestion>
      </Common>
    </Customizations>
  </Settings>
 </WindowsCustomizations>
 ```
 ## Related topics
--- a/windows/configuration/windows-10-accessibility-for-ITPros.md
+++ b/windows/configuration/windows-10-accessibility-for-ITPros.md
@ -89,3 +89,5 @@ This topic helps IT administrators learn about built-in accessibility features,
 [Inclusive Design](https://www.microsoft.com/design/inclusive)
 [Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide)
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@ -145,8 +145,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica
 On **MDT01**:
-1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01.
+1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120117_en_US.exe) to **D:\\setup\\adobe** on MDT01.
-2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
+2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120117_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
 4. Right-click the **Applications** node, and create a new folder named **Adobe**.
--- a/windows/deployment/do/waas-delivery-optimization-reference.md
+++ b/windows/deployment/do/waas-delivery-optimization-reference.md
@ -190,7 +190,7 @@ Starting in Windows 10, version 1803, specifies the maximum foreground download
 ### Maximum Background Download Bandwidth
-Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set.
+Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. However, downloads from LAN peers are not throttled even when this policy is set.
 ### Percentage of Maximum Download Bandwidth
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@ -91,6 +91,18 @@ When users start scanning in Windows Update through the Settings panel, the foll
      ![Windows Update scan log 1.](images/update-scan-log-1.png)
 #### Proxy Behavior
 For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP]: SimpleAuth Web Service | Microsoft Docs, [MS-WUSP]: Client Web Service | Microsoft Docs):
 - System proxy is attempted (set using the `netsh` command).
 - If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then user proxy is attempted (generally it is the logged-in user).
    > [!Note]
    > For intranet WSUS update service URLs, we provide an option via Windows Update policy to select the proxy behavior.
 For WU URLs that _aren't_ used for update detection, such as for download or reporting:
 - User proxy is attempted.
 - If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then the system proxy is attempted.
 #### Identifies service IDs
 - Service IDs indicate which update source is being scanned. 
--- a/windows/deployment/update/media/update-compliance-diagnostic-data-viewer.png
+++ b/windows/deployment/update/media/update-compliance-diagnostic-data-viewer.png
--- a/windows/deployment/update/update-compliance-configuration-script.md
+++ b/windows/deployment/update/update-compliance-configuration-script.md
@ -8,11 +8,12 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: deploy
 audience: itpro
-author: aczechowski
+author: mestew
-ms.author: aaroncz
+ms.author: mstewart
 ms.localizationpriority: medium
 ms.collection: M365-analytics
 ms.topic: article
 ms.date: 04/27/2022
 ---
 # Configuring devices through the Update Compliance Configuration Script
@ -98,3 +99,38 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru
 | 93    | Failed to update value for EnableAllowUCProcessing| 
 | 94    | Unexpected exception in EnableAllowUCProcessing| 
 | 99    | Device is not Windows 10.| 
 ## Verify device configuration
 In some cases, you may need to manually verify the device configuration has the `AllowUpdateComplianceProcessing` policy enabled. To verify the setting, use the following steps:
 1. Download and enable the **Diagnostic Data Viewer**. For more information, see [Diagnostic Data Viewer overview](/windows/privacy/diagnostic-data-viewer-overview#install-and-use-the-diagnostic-data-viewer). 
   1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
   1. Under **View diagnostic data**, select **On** for the following option:
       - Windows 11: **Turn on the Diagnostic Data Viewer (uses up to 1 GB of hard drive space)**
       - Windows 10: **Turn on this setting to see your data in the Diagnostic Data Viewer. (Setting uses up to 1GB of hard drive space.)**
 1. Select **Open Diagnostic Data Viewer**.
   - If the application isn't installed, select **Get** when you're asked to download the [Diagnostic Data Viewer  from the Microsoft Store](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
   - If the application is already installed, it will open. You can either close the application before running a scan for software updates, or use the refresh button to fetch the new data after the scan is completed.
 1. Check for software updates on the client device.
    - Windows 11:
       1. Go to **Start**, select **Settings** > **Windows Update**.
       1. Select **Check for updates** then wait for the update check to complete.  
    - Windows 10:  
       1. Go to **Start**, select **Settings** > **Update & Security** > **Windows Update**.
       1. Select **Check for updates** then wait for the update check to complete.
 1. Run the **Diagnostic Data Viewer**.
   1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
   1. Under **View diagnostic data**, select **Open Diagnostic Data Viewer**.
 1. When the Diagnostic Data Viewer opens, type `SoftwareUpdateClientTelemetry` in the search field. Verify the following items: 
   - The **EnrolledTenantID** field under **m365a** should equal the [CommercialID](update-compliance-get-started.md#get-your-commercialid) of your Log Analytics workspace for Update Compliance.
   - The **MSP** field value under **protocol** should be either `16` or `18`.
   - If you need to send this data to Microsoft Support, select **Export data**.  
   :::image type="content" alt-text="Screenshot of the Diagnostic Data Viewer displaying the data from SoftwareUpdateClientTelemetry. The export data option and the fields for MSP and EnrolledTenantID are outlined in red." source="./media/update-compliance-diagnostic-data-viewer.png" lightbox="./media/update-compliance-diagnostic-data-viewer.png":::
--- a/windows/deployment/update/wufb-wsus.md
+++ b/windows/deployment/update/wufb-wsus.md
@ -1,5 +1,5 @@
 ---
-title: Use Windows Update for Business (WUfB) and Windows Server Update Services (WSUS) together
+title: Use Windows Update for Business and Windows Server Update Services (WSUS) together
 description:  Learn how to use Windows Update for Business and WSUS together using the new scan source policy.
 ms.prod: w10
 ms.mktglfcycl: manage
@ -23,7 +23,7 @@ ms.topic: article
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-The Windows update scan source policy enables you to choose what types of updates to get from either [WSUS](waas-manage-updates-wsus.md) or Windows Update for Business (WUfB) service.
+The Windows update scan source policy enables you to choose what types of updates to get from either [WSUS](waas-manage-updates-wsus.md) or Windows Update for Business service.
 We added the scan source policy starting with the [September 1, 2021—KB5005101 (OS Builds 19041.1202, 19042.1202, and 19043.1202) Preview](https://support.microsoft.com/help/5005101) update and it applies to Window 10, version 2004 and above and Windows 11. This policy changes the way devices determine whether to scan against a local WSUS server or Windows Update service.
--- a/windows/hub/doc-test.md
+++ b/windows/hub/doc-test.md
@ -0,0 +1,154 @@
 ---
 title: Doc team test
 description: A test article for the doc team's use.
 ms.date: 05/10/2022
 ms.prod: windows
 ms.technology: windows
 ms.topic: reference
 ms.localizationpriority: null
 ROBOTS: NOINDEX
 author: aczechowski
 ms.author: aaroncz
 ms.reviewer: mstewart
 manager: dougeby
 ---
 # Doc team test
 This article is for testing purposes only.
 > [!NOTE]
 > For more markdown examples and tips, see the **template.md** file at the root of the repository. Including examples of links and images.
 ## Basic Markdown and GFM
 All basic and Github-flavored markdown is supported. For more information, see:
 - [Baseline markdown syntax](https://daringfireball.net/projects/markdown/syntax)
 - [Github-flavored markdown (GFM) documentation](https://guides.github.com/features/mastering-markdown)
 ## Headings
 Examples of first and second-level headings are above.
 There **must** be only one first level heading in your article, which will be displayed as the on-page title.  
 Second-level headings will generate the on-page TOC that appears in the "In this article" section underneath the on-page title.
 ### Third-level heading (`###`)
 #### Fourth-level heading (`####`)
 ##### Fifth-level heading (`#####`)
 ## Text styling
 _Italics_ (`_`)
 **Bold** (`**`)
 ~~Strikethrough~~ (`~~`)
 ## Lists
 ### Ordered lists
 1. This
 1. Is
 1. An
 1. Ordered
 1. List
 #### Ordered list with an embedded list
 1. Here
 1. Comes
 1. An
 1. Embedded
    1. Scarlett
    1. Professor Plum
 1. Ordered
 1. List
 ### Unordered Lists
 - This
 - Is
 - A
 - Bulleted
 - List
 #### Unordered list with an embedded list
 - This
 - Bulleted
 - List
  - Peacock
  - Green
 - Contains
 - Other
    1. Colonel Mustard
        1. Yellow
        1. gold
    1. White
        1. cream
        1. silver
 - Lists
 ## Horizontal rule
 ---
 ## Tables
 | Tables              | Are           | Cool  |
 |---------------------|:-------------:|------:|
 | Column 3 is         | Right-aligned | $1600 |
 | Column 2 is         | Centered      | $12   |
 | Column 1 is default | Left-aligned  | $1    |
 ## Code
 ### Code block
 ```json
 {
   "aggregator": {
   "batchSize": 1000,
   flushTimeout": "00:00:30"
   }
 }
 ```
 ### In-line code
 This example is for `in-line code`.
 ## Blockquotes
 > The drought had lasted now for ten million years, and the reign of the terrible lizards had long since ended. Here on the Equator, in the continent which would one day be known as Africa, the battle for existence had reached a new climax of ferocity, and the victor was not yet in sight. In this barren and desiccated land, only the small or the swift or the fierce could flourish, or even hope to survive.
 ## Alerts
 ### Note
 > [!NOTE]
 > This alert is a NOTE
 ### Warning
 > [!WARNING]
 > This alert is a WARNING
 ### Tip
 > [!TIP]
 > This alert is a TIP
 ### Caution
 > [!CAUTION]
 > This alert is a CAUTION
 ### Important
 > [!IMPORTANT]
 > This alert is a IMPORTANT
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@ -6809,7 +6809,7 @@ The following fields are available:
 - **oSVersion**  Build number of the device.
 - **paused**  Indicates whether the device is paused.
 - **rebootRequestSucceeded**  Reboot Configuration Service Provider (CSP) call success status.
- **wUfBConnected**  Result of WUfB connection check.
+- **wUfBConnected**  Result of Windows Update for Business connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
@ -6823,7 +6823,7 @@ The following fields are available:
 - **oSVersion**  Build number of the device.
 - **paused**  Indicates whether the device is paused.
 - **rebootRequestSucceeded**  Reboot Configuration Service Provider (CSP) call success status.
- **wUfBConnected**  Result of WUfB connection check.
+- **wUfBConnected**  Result of Windows Update for Business connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
@ -6864,7 +6864,7 @@ The following fields are available:
 - **oSVersion**  Build number of the device.
 - **paused**  Indicates whether the device is paused.
 - **rebootRequestSucceeded**  Reboot Configuration Service Provider (CSP) call success status.
- **wUfBConnected**  Result of WUfB connection check.
+- **wUfBConnected**  Result of Windows Update for Business connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@ -8296,7 +8296,7 @@ The following fields are available:
 - **oSVersion**  Build number of the device.
 - **paused**  Indicates whether the device is paused.
 - **rebootRequestSucceeded**  Reboot Configuration Service Provider (CSP) call success status.
- **wUfBConnected**  Result of WUfB connection check.
+- **wUfBConnected**  Result of Windows Update for Business connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
@ -8310,7 +8310,7 @@ The following fields are available:
 - **oSVersion**  Build number of the device.
 - **paused**  Indicates whether the device is paused.
 - **rebootRequestSucceeded**  Reboot Configuration Service Provider (CSP) call success status.
- **wUfBConnected**  Result of WUfB connection check.
+- **wUfBConnected**  Result of Windows Update for Business connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
@ -8351,7 +8351,7 @@ The following fields are available:
 - **oSVersion**  Build number of the device.
 - **paused**  Indicates whether the device is paused.
 - **rebootRequestSucceeded**  Reboot Configuration Service Provider (CSP) call success status.
- **wUfBConnected**  Result of WUfB connection check.
+- **wUfBConnected**  Result of Windows Update for Business connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualitySucceeded
@ -9584,8 +9584,8 @@ The following fields are available:
 - **UnifiedInstallerDeviceIsProSkuHresult**  The result code from checking whether a device is Pro SKU.
 - **UnifiedInstallerDeviceIsSccmManaged**  Boolean indicating whether a device is SCCM managed.
 - **UnifiedInstallerDeviceIsSccmManagedHresult**  The result code from checking whether a device is SCCM managed.
- **UnifiedInstallerDeviceWufbManaged**  Boolean indicating whether a device is Wufb managed.
+- **UnifiedInstallerDeviceWufbManaged**  Boolean indicating whether a device is Windows Update for Business managed.
- **UnifiedInstallerDeviceWufbManagedHresult**  The result code from checking whether a device is Wufb managed.
+- **UnifiedInstallerDeviceWufbManagedHresult**  The result code from checking whether a device is Windows Update for Business managed.
 - **UnifiedInstallerPlatformResult**  The result code from checking what platform type the device is.
 - **UnifiedInstallerPlatformType**  The enum indicating the type of platform detected.
 - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku**  The result code from checking whether a device is Home SKU.
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
@ -3627,7 +3627,7 @@ The following fields are available:
 - **IsDeviceUninstallActive**  Indicates whether the OS (operating system) on the device was recently updated.
 - **IsDeviceUpdateNotificationLevel**  Indicates whether the device has a set policy to control update notifications.
 - **IsDeviceUpdateServiceManaged**  Indicates whether the device uses WSUS (Windows Server Update Services).
- **IsDeviceWUFBManaged**  If device is WUfB managed.
+- **IsDeviceWUFBManaged**  If device is Windows Update for Business managed.
 - **IsDeviceZeroExhaust**  Indicates whether the device subscribes to the Zero Exhaust policy to minimize connections from Windows to Microsoft.
 - **IsGreaterThanMaxRetry**  Indicates whether the DTU (Direct to Update) service has exceeded its maximum retry count.
 - **IsVolumeLicensed**  Indicates whether a volume license was used to authenticate the operating system or applications on the device.
@ -6257,8 +6257,8 @@ The following fields are available:
 - **UnifiedInstallerDeviceIsProSkuHresult**  The result code from checking whether a device is Pro SKU.
 - **UnifiedInstallerDeviceIsSccmManaged**  Boolean indicating whether a device is SCCM managed.
 - **UnifiedInstallerDeviceIsSccmManagedHresult**  The result code from checking whether a device is SCCM managed.
- **UnifiedInstallerDeviceWufbManaged**  Boolean indicating whether a device is Wufb managed.
+- **UnifiedInstallerDeviceWufbManaged**  Boolean indicating whether a device is Windows Update for Business managed.
- **UnifiedInstallerDeviceWufbManagedHresult**  The result code from checking whether a device is Wufb managed.
+- **UnifiedInstallerDeviceWufbManagedHresult**  The result code from checking whether a device is Windows Update for Business managed.
 - **UnifiedInstallerPlatformResult**  The result code from checking what platform type the device is.
 - **UnifiedInstallerPlatformType**  The enum indicating the type of platform detected.
 - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku**  The result code from checking whether a device is Home SKU.
@ -6374,7 +6374,7 @@ The following fields are available:
 - **CV**  Correlation vector.
 - **GlobalEventCounter**  The global event counter counts the total events for the provider.
 - **PackageVersion**  The version for the current package.
- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr**  The result code returned when checking for WUFB cloud membership.
+- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr**  The result code returned when checking for Windows Update for Business cloud membership.
 ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin
@ -8457,7 +8457,7 @@ The following fields are available:
 - **paused**  Indicates whether the device is paused.
 - **rebootRequestSucceeded**  Reboot Configuration Service Provider (CSP) call success status.
 - **sacDevice**  This is the device info.
- **wUfBConnected**  Result of WUfB connection check.
+- **wUfBConnected**  Result of Windows Update for Business connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
@ -8472,7 +8472,7 @@ The following fields are available:
 - **paused**  Indicates whether the device is paused.
 - **rebootRequestSucceeded**  Reboot Configuration Service Provider (CSP) call success status.
 - **sacDevice**  Represents the device info.
- **wUfBConnected**  Result of WUfB connection check.
+- **wUfBConnected**  Result of Windows Update for Business connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
@ -8509,7 +8509,7 @@ The following fields are available:
 - **paused**  Indicates whether the device is paused.
 - **rebootRequestSucceeded**  Reboot Configuration Service Provider (CSP) call success status.
 - **sacDevice**  Device in the General Availability Channel.
- **wUfBConnected**  Result of WUfB connection check.
+- **wUfBConnected**  Result of Windows Update for Business connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@ -58,6 +58,11 @@ The following sections list the components that make network connections to Micr
 The following table lists management options for each setting,  For Windows 10 (beginning with Windows 10 Enterprise version 1607) and Windows 11.
 > [!IMPORTANT]
 > **If you need assistance with troubleshooting issues, please refer to**:</br> 
 >  - [Keep your device running smoothly](https://support.microsoft.com/topic/keep-your-device-running-smoothly-with-recommended-troubleshooting-ec76fe10-4ac8-ce9d-49c6-757770fe68f1)</br>
 >  - [CSP - Troubleshooting](/windows/client-management/mdm/policy-csp-troubleshooting)
 | Setting | UI | Group Policy | Registry |
 | - | :-: | :-: | :-: |
@ -114,7 +119,8 @@ The following table lists management options for each setting,  For Windows 10 (
 | [28. Delivery Optimization](#bkmk-updates) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [29. Windows Update](#bkmk-wu) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) |  |
-| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [32. Widgets](#bkmk-widgets) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 ### Settings for Windows Server 2016 with Desktop Experience
@ -861,6 +867,8 @@ Use Settings > Privacy & security to configure some settings that may be importa
 - [18.23 Voice Activation](#bkmk-voice-act)
 - [18.24 News and interests](#bkmk-priv-news)
 ### <a href="" id="bkmk-general"></a>18.1 General
 **General** includes options that don't fall into other areas.
@ -1528,6 +1536,13 @@ To turn this Off in the UI:
 - Create a REG_DWORD registry setting named **LetAppsActivateWithVoiceAboveLock** in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy** with a **value of 2 (two)**
 ### <a href="" id="bkmk-priv-news"></a>18.24 News and interests  
 In the **Windows Feeds** area, you can choose which apps have access to your diagnostic information.
 To turn this off:
 - Create a REG_DWORD registry setting named **EnableFeeds** in **HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Feeds** with a **value of 0 (zero)**.
 ### <a href="" id="bkmk-spp"></a>19. Software Protection Platform
@ -1722,7 +1737,7 @@ In Group Policy, configure:
   -and-
- Create a SZ registry setting named **ConfigureAppInstallControl** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SmartScreen** with a value of **Anywhere**.
+- Create an SZ registry setting named **ConfigureAppInstallControl** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SmartScreen** with a value of **Anywhere**.
 ### <a href="" id="bkmk-spotlight"></a>25. Personalized Experiences
@ -1905,6 +1920,14 @@ You can turn off Services Configuration by setting the following registry entrie
 Add a REG_DWORD value named **DisableOneSettingsDownloads** to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection** and set the value to **1**.
 ### <a href="" id="bkmk-widgets"></a>32. Widgets
 Widgets is a news and feeds service that can be customized by the user. If you turn off this service, apps using this service may stop working.
 You can turn off Widgets by setting the following registry entries:
 Add a REG_DWORD value named **AllowWidgets** to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Widgets** and set the value to **0**.
 ### <a href="" id="bkmk-allowedtraffic"></a> Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline
 |Allowed traffic endpoints|
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@ -40,7 +40,7 @@ The following methodology was used to derive these network endpoints:
 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
 4. Compile reports on traffic going to public IP addresses.
 5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@ -55,8 +55,8 @@ The following methodology was used to derive these network endpoints:
 |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
 ||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
 ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
-||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net|
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
 |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
 |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
 ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
--- a/windows/privacy/manage-windows-1809-endpoints.md
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@ -164,6 +164,10 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
 ## Certificates
 Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
 If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.
 The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It's possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that isn't recommended because when root certificates are updated over time, applications and websites may stop working because they didn't receive an updated root certificate the application uses.
 Additionally, it's used to download certificates that are publicly known to be fraudulent.
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@ -40,7 +40,7 @@ The following methodology was used to derive these network endpoints:
 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 
 4. Compile reports on traffic going to public IP addresses.
 5.  The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
-6.  All traffic was captured in our lab using a IPV4 network.  Therefore, no IPV6 traffic is reported here. 
+6.  All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here. 
 7.  These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
 8.  These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@ -52,10 +52,10 @@ The following methodology was used to derive these network endpoints:
 |Area|Description|Protocol|Destination|
 |----------------|----------|----------|------------|
 |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
-||The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com|
+||The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|`blob.weather.microsoft.com`|
-|||HTTP|tile-service.weather.microsoft.com
+|||HTTP|tile-service.weather.microsoft.com|
-|||HTTP|tile-service.weather.microsoft.com
+|||HTTP|tile-service.weather.microsoft.com|
-||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US
+||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US|
 ||The following endpoint is used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*|
 ||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|candycrushsoda.king.com|
 ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net|
@ -68,7 +68,7 @@ The following methodology was used to derive these network endpoints:
 |Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com|
 |||HTTPS|ris-prod-atm.trafficmanager.net|
 |||HTTPS|validation-v2.sls.trafficmanager.net|
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
 |||HTTP|ctldl.windowsupdate.com|
 |Cortana and Search|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
 ||The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions.|HTTPS|store-images.*microsoft.com|
@ -186,5 +186,5 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
 ## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
 - [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
--- a/windows/privacy/manage-windows-1909-endpoints.md
+++ b/windows/privacy/manage-windows-1909-endpoints.md
@ -39,7 +39,7 @@ The following methodology was used to derive these network endpoints:
 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 
 4. Compile reports on traffic going to public IP addresses.
 5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@ -54,8 +54,8 @@ The following methodology was used to derive these network endpoints:
 ||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
 |||HTTP|tile-service.weather.microsoft.com/en-us/livetile/preinstall|
 ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*|
-||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|evoke-windowsservices-tas.msedge.net
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|evoke-windowsservices-tas.msedge.net|
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
 |||HTTP|ctldl.windowsupdate.com|
 |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
 ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com*|
@ -136,5 +136,5 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
 ## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
 - [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@ -39,7 +39,7 @@ The following methodology was used to derive these network endpoints:
 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.  
 4. Compile reports on traffic going to public IP addresses.
 5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@ -53,9 +53,9 @@ The following methodology was used to derive these network endpoints:
 |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
 ||The following endpoints are used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|blob.weather.microsoft.com|
 |||HTTP|tile-service.weather.microsoft.com|
-||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*
+||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*|
 ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2|evoke-windowsservices-tas.msedge.net|
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
 |||HTTP|ctldl.windowsupdate.com|
 |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
 ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2|www.bing.com*|
@ -137,5 +137,5 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
 ## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
 - [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
--- a/windows/privacy/manage-windows-20H2-endpoints.md
+++ b/windows/privacy/manage-windows-20H2-endpoints.md
@ -40,7 +40,7 @@ The following methodology was used to derive these network endpoints:
 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
 4. Compile reports on traffic going to public IP addresses.
 5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@ -54,8 +54,8 @@ The following methodology was used to derive these network endpoints:
 |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
 ||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
 ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
-||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net|
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
 |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
 |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
 ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
@ -82,7 +82,7 @@ The following methodology was used to derive these network endpoints:
 ||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com|
 |Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
 ||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com|
-||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
+||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won't be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
 |Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com|
 |Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
 ||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
--- a/windows/privacy/manage-windows-21H1-endpoints.md
+++ b/windows/privacy/manage-windows-21H1-endpoints.md
@ -40,7 +40,7 @@ The following methodology was used to derive these network endpoints:
 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
 4. Compile reports on traffic going to public IP addresses.
 5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@ -52,10 +52,10 @@ The following methodology was used to derive these network endpoints:
 |Area|Description|Protocol|Destination|
 |----------------|----------|----------|------------|
 |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
-||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
+||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
-||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
+||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
-||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
 |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
 |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
 ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
@ -66,9 +66,11 @@ The following methodology was used to derive these network endpoints:
 ||The following endpoint is used to authenticate a device. If you  turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*|
 |Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
 |||HTTP|dmd.metaservices.microsoft.com|
-|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
 |||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com|
-||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com|
 |||HTTP|www.microsoft.com|
 ||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: **Administrative Templates** > **Windows Components** > **Windows Error Reporting** > **Disable Windows Error Reporting**. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
 |||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com|
 |Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)|
 |||HTTPS|fs.microsoft.com|
@ -80,8 +82,8 @@ The following methodology was used to derive these network endpoints:
 ||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com|
 |Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
 ||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com|
-||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
+||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won't be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
-|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com|
+|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead, disable the traffic that's getting forwarded.|HTTP|go.microsoft.com|
 |Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
 ||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
 ||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com|
@ -107,7 +109,7 @@ The following methodology was used to derive these network endpoints:
 |Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
 |||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com|
 |||HTTPS|settings.data.microsoft.com|
-|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
+|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
 |||HTTPS/HTTP|*.pipe.aria.microsoft.com|
 |||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
 |Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
@ -124,7 +126,7 @@ The following methodology was used to derive these network endpoints:
 |||HTTP|emdl.ws.microsoft.com|
 ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
 |||HTTP|*.windowsupdate.com|
-||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
+||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Microsoft Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
 |||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
 ||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
 ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
@ -137,6 +139,7 @@ The following methodology was used to derive these network endpoints:
 To view endpoints for other versions of Windows 10 Enterprise, see:
 - [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md)
 - [Manage connection endpoints for Windows 10, version 20H2](manage-windows-20H2-endpoints.md)
 - [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md)
 - [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
 - [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
@ -145,6 +148,7 @@ To view endpoints for other versions of Windows 10 Enterprise, see:
 To view endpoints for non-Enterprise Windows 10 editions, see:
 - [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md)
 - [Windows 10, version 20H2, connection endpoints for non-Enterprise editions](windows-endpoints-20H2-non-enterprise-editions.md)
 - [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md)
 - [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
 - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
--- a/windows/privacy/manage-windows-21h2-endpoints.md
+++ b/windows/privacy/manage-windows-21h2-endpoints.md
@ -40,7 +40,7 @@ The following methodology was used to derive these network endpoints:
 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
 4. Compile reports on traffic going to public IP addresses.
 5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@ -54,8 +54,8 @@ The following methodology was used to derive these network endpoints:
 |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
 ||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
 ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
-||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net|
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
 |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
 |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
 ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
--- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
+++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
@ -6328,7 +6328,7 @@ The following fields are available:
 - **paused**  Indicates whether the device is paused.
 - **rebootRequestSucceeded**  Reboot Configuration Service Provider (CSP) call success status.
 - **sacDevice**  This is the device info.
- **wUfBConnected**  Result of WUfB connection check.
+- **wUfBConnected**  Result of Windows Update for Business connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
@ -6343,7 +6343,7 @@ The following fields are available:
 - **paused**  Indicates whether the device is paused.
 - **rebootRequestSucceeded**  Reboot Configuration Service Provider (CSP) call success status.
 - **sacDevice**  Represents the device info.
- **wUfBConnected**  Result of WUfB connection check.
+- **wUfBConnected**  Result of Windows Update for Business connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
@ -6380,7 +6380,7 @@ The following fields are available:
 - **paused**  Indicates whether the device is paused.
 - **rebootRequestSucceeded**  Reboot Configuration Service Provider (CSP) call success status.
 - **sacDevice**  Device in the General Availability Channel.
- **wUfBConnected**  Result of WUfB connection check.
+- **wUfBConnected**  Result of Windows Update for Business connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@ -5789,8 +5789,8 @@ The following fields are available:
 - **UnifiedInstallerDeviceIsProSkuHresult**  The result code from checking whether a device is Pro SKU.
 - **UnifiedInstallerDeviceIsSccmManaged**  Boolean indicating whether a device is SCCM managed.
 - **UnifiedInstallerDeviceIsSccmManagedHresult**  The result code from checking whether a device is SCCM managed.
- **UnifiedInstallerDeviceWufbManaged**  Boolean indicating whether a device is Wufb managed.
+- **UnifiedInstallerDeviceWufbManaged**  Boolean indicating whether a device is Windows Update for Business managed.
- **UnifiedInstallerDeviceWufbManagedHresult**  The result code from checking whether a device is Wufb managed.
+- **UnifiedInstallerDeviceWufbManagedHresult**  The result code from checking whether a device is Windows Update for Business managed.
 - **UnifiedInstallerPlatformResult**  The result code from checking what platform type the device is.
 - **UnifiedInstallerPlatformType**  The enum indicating the type of platform detected.
 - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku**  The result code from checking whether a device is Home SKU.
@ -5917,7 +5917,7 @@ The following fields are available:
 - **CV**  Correlation vector.
 - **GlobalEventCounter**  The global event counter for counting total events for the provider.
 - **PackageVersion**  The version for the current package.
- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr**  The result code returned when checking for WUFB cloud membership.
+- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr**  The result code returned when checking for Windows Update for Business cloud membership.
 ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin
@ -7212,7 +7212,7 @@ The following fields are available:
 - **paused**  Indicates whether the device is paused.
 - **rebootRequestSucceeded**  Reboot Configuration Service Provider (CSP) call success status.
 - **sacDevice**  This is the device info.
- **wUfBConnected**  Result of WUfB connection check.
+- **wUfBConnected**  Result of Windows Update for Business connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
@ -7227,7 +7227,7 @@ The following fields are available:
 - **paused**  Indicates whether the device is paused.
 - **rebootRequestSucceeded**  Reboot Configuration Service Provider (CSP) call success status.
 - **sacDevice**  Represents the device info.
- **wUfBConnected**  Result of WUfB connection check.
+- **wUfBConnected**  Result of Windows Update for Business connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
@ -7270,7 +7270,7 @@ The following fields are available:
 - **paused**  Indicates whether the device is paused.
 - **rebootRequestSucceeded**  Reboot Configuration Service Provider (CSP) call success status.
 - **sacDevice**  Device in the General Availability Channel.
- **wUfBConnected**  Result of WUfB connection check.
+- **wUfBConnected**  Result of Windows Update for Business connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@ -21,7 +21,9 @@ ms.date: 04/19/2017
 **Applies to**
 -   Windows 10
 -   Windows 11
 -   Windows Server 2016
 -   Windows Server 2019
 This topic for the IT professional describes security identifiers and how they work in regards to accounts and groups in the Windows operating system.
@ -208,7 +210,7 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID
 | S-1-5-13 | Terminal Server User| A group that includes all users who sign in to a server with Remote Desktop Services enabled.|
 | S-1-5-14 | Remote Interactive Logon| A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.|
 | S-1-5-15| This Organization| A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller.|
-| S-1-5-17 | IIS_USRS| An account that is used by the default Internet Information Services (IIS) user.|
+| S-1-5-17 | IUSR| An account that is used by the default Internet Information Services (IIS) user.|
 | S-1-5-18 | System (or LocalSystem)| An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem.<br/>System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token.<br/>When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.|
 | S-1-5-19 | NT Authority (LocalService)| An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.|
 | S-1-5-20 | Network Service| An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.|
@ -243,6 +245,7 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID
 |S-1-5-32-560|Builtin\Windows Authorization Access Group|An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.|
 |S-1-5-32-561|Builtin\Terminal Server License Servers|An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.|
 |S-1-5-32-562|Builtin\Distributed COM Users|An alias. A group for COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer.|
 |S-1-5-32-568|Builtin\IIS_IUSRS|An alias. A built-in group account for IIS users.|
 |S-1-5-32-569|Builtin\Cryptographic Operators|A built-in local group. Members are authorized to perform cryptographic operations.|
 |S-1-5-32-573|Builtin\Event Log Readers|A built-in local group. Members of this group can read event logs from local computer.|
 |S-1-5-32-574|Builtin\Certificate Service DCOM Access|A built-in local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.|
@ -314,6 +317,19 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCache
 All Capability SIDs are prefixed by S-1-15-3
 ## Examples of registry keys taken from Windows 11, version 21H2, 64-bit Enterprise edition
 You may see the following registry keys under AllCachedCapabilities:
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows
 All Capability SIDs are prefixed by S-1-15-3
 ## See also
 - [Access Control Overview](access-control.md)
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@ -24,7 +24,7 @@ ms.reviewer:
 - Windows 11
 **Requirements:**
-* Windows Hello for Business deployment (Hybrid or On-premises)
+* Windows Hello for Business deployment (Cloud, Hybrid or On-premises)
 * Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments)
 * Windows 10, version 1709 or newer, or Windows 11
 * Bluetooth, Bluetooth capable phone - optional
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
@ -13,8 +13,9 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 localizationpriority: medium
-ms.date: 4/30/2021
+ms.date: 05/04/2022
-ms.reviewer: 
+ms.reviewer: prsriva
 ---
 # Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
@ -25,7 +26,7 @@ ms.reviewer:
 - Hybrid deployment
 - Key trust
-You are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication.
+You're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication.
 > [!NOTE]
 > Before proceeding, you should familiarize yourself with device registration concepts such as:
@ -33,27 +34,30 @@ You are ready to configure device registration for your hybrid environment. Hybr
 > * Azure AD joined devices
 > * Hybrid Azure AD joined devices
 >
-> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](/azure/active-directory/device-management-introduction)
+> You can learn about this and more by reading [What is a device identity](/azure/active-directory/devices/overview)
-## Configure Azure for Device Registration
+## Configure Hybrid Azure AD join
 Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
-To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](/azure/active-directory/devices/device-management-azure-portal).
+Follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **Federated environment**) and perform only the steps applicable to your environment.
-Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-manual) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.
+If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps:
 - Configure Azure AD Connect to sync the user's on-premises UPN to the onPremisesUserPrincipalName attribute in Azure AD.
 - Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD.
-<br><br>
+You can learn more about this scenario by reading [Review on-premises UPN support for Hybrid Azure Ad join](/azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-users-upn-support-for-hybrid-azure-ad-join).
-<hr>
+> [!NOTE]
 > Windows Hello for Business Hybrid key trust is not supported if your users' on-premises domain cannot be added as a verified domain in Azure AD.
 ## Follow the Windows Hello for Business hybrid key trust deployment guide
 1. [Overview](hello-hybrid-cert-trust.md)
 2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
-3. [New Installation Baseline](hello-hybrid-key-new-install.md)
+3. [New installation baseline](hello-hybrid-key-new-install.md)
-4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
+4. [Configure directory synchronization](hello-hybrid-key-trust-dirsync.md)
-5. Configure Azure Device Registration (*You are here*)
+5. Configure Azure Device Registration (*you're here*)
 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
+7. [Sign-in and provision](hello-hybrid-key-whfb-provision.md)
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
@ -36,6 +36,13 @@ Next, you need to synchronize the on-premises Active Directory with Azure Active
 <br>
 If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps:
 - Configure Azure AD Connect to sync the user's on-premises UPN to the onPremisesUserPrincipalName attribute in Azure AD.
 - Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD. 
 > [!NOTE]
 > Windows Hello for Business Hybrid key trust is not supported if your users' on-premises domain cannot be added as a verified domain in Azure AD.
 <hr>
 ## Follow the Windows Hello for Business hybrid key trust deployment guide
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@ -21,6 +21,7 @@ Learn more about identity and access management technologies in Windows 10.
 | Section | Description |
 |-|-|
 | [Local Administrator Password Solution](/defender-for-identity/cas-isp-laps) | Local Administrator Password Solution (LAPS) provides management of local account passwords of domain-joined computers. Passwords are stored in Azure Active Directory (Azure AD) and protected by an access control list (ACL), so only eligible users can read them or request a reset. 
 | [Technical support policy for lost or forgotten passwords](password-support-policy.md)| Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so. |
 | [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
 | [Configure S/MIME for Windows 10](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@ -60,7 +60,7 @@ With UAC enabled, Windows 10 or Windows 11 prompts for consent or prompts for
 The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is an example of the UAC consent prompt.
-![uac consent prompt.](images/uacconsentprompt.gif)
+:::image type="content" source="images/uacconsentprompt.png" alt-text="UAC consent prompt.":::
 **The credential prompt**
@ -68,7 +68,7 @@ The credential prompt is presented when a standard user attempts to perform a ta
 The following is an example of the UAC credential prompt.
-![uac credential prompt.](images/uaccredentialprompt.gif)
+:::image type="content" source="images/uaccredentialprompt.png" alt-text="UAC credential prompt.":::
 **UAC elevation prompts**
@ -85,7 +85,7 @@ The elevation prompt color-coding is as follows:
 Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the **Date and Time Properties** Control Panel item.
-![uac shield icon.](images/uacshieldicon.png)
+:::image type="content" source="images/uacshieldicon.png" alt-text="UAC Shield Icon in Date and Time Properties":::
 The shield icon on the **Change date and time** button indicates that the process requires a full administrator access token and will display a UAC elevation prompt.
--- a/windows/security/identity-protection/user-account-control/images/uacconsentprompt.gif
+++ b/windows/security/identity-protection/user-account-control/images/uacconsentprompt.gif
--- a/windows/security/identity-protection/user-account-control/images/uacconsentprompt.png
+++ b/windows/security/identity-protection/user-account-control/images/uacconsentprompt.png
--- a/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.gif
+++ b/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.gif
--- a/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.png
+++ b/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.png
--- a/windows/security/identity-protection/user-account-control/images/uacshieldicon.png
+++ b/windows/security/identity-protection/user-account-control/images/uacshieldicon.png
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@ -77,7 +77,7 @@ Should a management tool remove or add the same profile name back and set **Alwa
 ## Trusted network detection
-This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the DNS suffix on the physical interface and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered.
+This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffixes. The VPN stack will look at the network name of the physical interface connection profile and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered.
 Trusted network detection can be configured using the VPNv2/*ProfileName*/TrustedNetworkDetection setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp).
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@ -87,6 +87,9 @@ If you don't set or you disable this policy, the PKU2U protocol won't be used to
 If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Azure AD and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. Without enabling this policy, remote connections to an Azure AD joined device will not work.
 ### Fix/Remediation
 This vulnerability was fixed on February 9, 2021, in the [CVE-2021-25195](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-25195) Security Update.
 ## Related topics
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
@ -162,3 +162,80 @@ To add this CLSID to the existing policy, follow these steps:
        </Value>
      </Setting>
    ```
 ### Default COM Object Allow List
 | File Name | CLSID |
 |--------|-----------|
 | scrrun.dll | EE09B103-97E0-11CF-978F-00A02463E06F |
 | scrrun.dll | 0D43FE01-F093-11CF-8940-00A0C9054228 |
 | vbscript.dll | 3F4DACA4-160D-11D2-A8E9-00104B365C9F |
 | WEX.Logger.Log | 70B46225-C474-4852-BB81-48E0D36F9A5A |
 | TE.Common.TestData | 1d68f3c0-b5f8-4abd-806a-7bc57cdce35a | 
 | TE.Common.RuntimeParameters | 9f3d4048-6028-4c5b-a92d-01bc977af600 |
 | TE.Common.Verify | e72cbabf-8e48-4d27-b14e-1f347f6ec71a |
 | TE.Common.Interruption | 5850ba6f-ce72-46d4-a29b-0d3d9f08cc0b |
 | msxml6.dll | 2933BF90-7B36-11d2-B20E-00C04F983E60 | 
 | msxml6.dll | ED8C108E-4349-11D2-91A4-00C04F7969E8 |
 | mmcndmgr.dll | ADE6444B-C91F-4E37-92A4-5BB430A33340 |
 | puiobj.dll | B021FF57-A928-459C-9D6C-14DED0C9BED2 |
 | wdtf.dll | 041E868E-0C7D-48C6-965F-5FD576530E5B |
 | wdtfedtaction.dll | 0438C02B-EB9C-4E42-81AD-407F6CD6CDE1 |
 | wdtfioattackaction.dll | 078B1F7D-C34C-4B13-A7C3-9663901650F1 |
 | wdtfmutt2tcdsimpleioaction.dll | 0ABB2961-2CC1-4F1D-BE8E-9D330D06B77D |
 | wdtfdriverpackageaction.dll | 0D7237E6-930F-4682-AD0A-52EBFFD3AEE3 |
 | wdtf.dll | 0D972387-817B-46E7-913F-E9993FF401EB |
 | wdtf.dll | 0E770B12-7221-4A5D-86EE-77310A5506BB |
 | wdtfdriversetupdeviceaction.dll | 0FA57208-5100-4CD6-955C-FE69F8898973 |
 | wdtf.dll | 1080A020-2B47-4DA9-8095-DBC9CEFFFC04 |
 | wdtfnetworksimpleioaction.dll | 10CF2E12-1681-4C53-ADC0-932C84832CD8 |
 | wdtf.dll | 140F2286-3B39-4DE1-AF94-E083DEEA6BB9 |
 | wdtfinterfaces.dll | 1A7D6D61-4FE5-42E2-8F23-4FC1731C474F |
 | wdtfaudiosimpleioaction.dll | 1C658D42-4256-4743-A4C5-90BF3A3A186A |
 | wdtf.dll | 2236B1F3-4A33-48C2-B22C-A1F93A626F05 |
 | wdtfsystemaction.dll | 23440924-1AB0-41F2-A732-B75069E5C823 |
 | wdtfdriversetupsystemaction.dll | 238C0AEB-1DFC-4575-AAF3-C67FE15C1819 |
 | wdtffuzztestaction.dll | 23D0E542-0390-4873-9AC7-EF86E95E5215 |
 | wdtf.dll | 240FA08C-1D70-40CB-BDB3-2CC41A45496B |
 | wdtf.dll | 26CC4211-A9A6-4E5C-A30D-3C659BB4CDC9 |
 | wdtf.dll | 28EE5F0B-97D8-4A59-BAC8-A8A80E11F56B |
 | wdtf.dll | 2C9AF7D6-2589-4413-A2BA-9926EBCFD67C |
 | wdtf.dll | 32A9798D-987F-489E-8DB6-2EFB240248BD |
 | wdtfinterfaces.dll | 3C0B0D50-611A-4368-AC87-4488D6E0C4A7 |
 | wdtfcdromsimpleioaction.dll | 3F2C07F3-199B-4165-A948-B8B59A97FCC5 |
 | wdtf.dll | 485785D3-8820-4C3D-A532-4C0F66392A30 |
 | wdtfinterfaces.dll | 5EAE59BE-6946-44B7-A7B3-1D59811B246A |
 | wdtfiospyaction.dll | 698F6A82-7833-4499-8BA5-2145D604ABD4 |
 | wdtfdevicesupportaction.dll | 69D94D1B-0833-40D4-9AE7-7FC6F64F2624 |
 | wdtf.dll | 6EE5B280-3B0F-4358-9E20-99F169FAA700 |
 | wdtfmuttsimpleioaction.dll | 7776915A-0370-49A7-90B7-20EB36E80B6D |
 | wdtfcpuutilizationsystemaction.dll | 7926C7DE-299C-4B09-BB1B-649A4B917ED0 |
 | wdtfwirelesssimpleioaction.dll | 7A686BCD-9203-435C-8B06-9D7E7A518F98 |
 | wdtfbluetoothsimpleioaction.dll | 7E6C4615-6184-4077-A150-5D30F29993A4 |
 | wdtf.dll | 9663A00A-5B72-4810-9014-C77108062949 |
 | wdtfinterfaces.dll | 9C261B2B-DBD6-4087-B636-ABE1607989E8 |
 | wdtfwebcamsimpleioaction.dll | A1B74619-F02D-4574-8091-2AADD46A5B2B |
 | wdtf.dll | A2FD15D7-64F0-4080-AABD-884380202022 |
 | wdtfvolumesimpleioaction.dll | AC91E813-B116-4676-AE33-2988B590F3C7 |
 | wdtfconcurrentioaction.dll | AE278430-ABC2-49D1-AF30-910B9A88CB1E |
 | wdtf.dll | B43FF7F1-629C-4DE5-9559-1D09E0A07037 |
 | wdtfdriververifiersystemaction.dll | B7770265-B643-4600-A60B-93F9BA9F4B24 |
 | wdtfpnpaction.dll | B8D74985-4EB9-46AA-B2ED-DD2D918849DF |
 | wdtfmobilebroadbandsimpleioaction.dll | BCFBBB02-4DA5-466C-9DA7-DC672877B075 |
 | wdtf.dll | BE56FAD1-A489-4508-ABB7-3348E1C2C885 |
 | wdtfpnpaction.dll | C0B6C572-D37D-47CC-A89D-E6B9E0852764 |
 | wdtfioattackaction.dll | C88B324E-6B26-49BC-9D05-A221F15D7E13 |
 | wdtfsensorsiosimpleioaction.dll | C8BF7EC0-C746-4DE8-BA46-34528C6329FB |
 | wdtfanysimpleioaction.dll | C8C574DA-367B-4130-AED6-1EA61A5C6A4B |
 | simpleio_d3dtest.dll | CBC36BDB-A6BC-4383-8194-659470553488 |
 | wdtfsystemaction.dll | D30E1E07-AA39-4086-A7E6-9245FBD0A730 |
 | wdtf.dll | DD34E741-139D-4F4C-A1E2-D4184FCDD4F9 |
 | wdtfsupaction.dll | EA48171B-4265-48C3-B56B-70B175A7FDFA |
 | wdtfinterfaces.dll | EB9DB874-D23D-44D5-A988-85E966322843 |
 | wdtfinterfaces.dll | ED05EF76-09A9-4409-90CA-C5D0711CA057 |
 | wdtfwpdsimpleioaction.dll | EEA17F2B-8E8E-41A3-9776-A87FACD625D0 |
 | wdtfinterfaces.dll | F30FC2BB-F424-4A1F-8F95-68CFEE935E92 |
 | wdtfedtaction.dll | F6694E02-5AD0-476D-BD2D-43F7E5D10AF6 |
 | wdtfsmartcardreadersimpleioaction.dll | FA6F7E49-76C6-490C-B50E-8B1E8E0EEE2A |
 | wdtfiospyaction.dll | FE36026D-CDA8-4514-B3D9-57BDA3870D0C |
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
@ -62,6 +62,7 @@ Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML
    <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
    <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
    <RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
    <RuleCollection Type="ManagedInstaller" EnforcementMode="NotConfigured" />
 </AppLockerPolicy>
 ```
--- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
@ -90,3 +90,7 @@ Once you've completed configuring your chosen Managed Installer, by specifying w
   ```
   This command will show the raw XML to verify the individual rules that were set.
 ## Remove Managed Installer feature
 To remove the Managed Installed from the device, you will need to remove the Managed Installer AppLocker policy from the device by following the instructions at [Delete an AppLocker rule - To clear AppLocker policies on a single system or remote systems](applocker/delete-an-applocker-rule.md#to-clear-applocker-policies-on-a-single-system-or-remote-systems).
--- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
+++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
@ -14,7 +14,7 @@ author: denisebmsft
 ms.reviewer: jgeurten
 ms.author: deniseb
 manager: dansimp
-ms.date: 07/29/2021
+ms.date: 05/09/2022
 ms.custom: asr
 ms.technology: windows-sec
 ---
@ -32,7 +32,7 @@ ms.technology: windows-sec
 | Capability  | WDAC | AppLocker   |
 |-------------|------|-------------|
-| Platform support    | Available on Windows 10 and Windows 11  | Available on Windows 8+   |
+| Platform support    | Available on Windows 10, Windows 11, and Windows Server 2016 or later  | Available on Windows 8 or later   |
 | SKU availability     | Cmdlets are available on all SKUs on 1909+ builds.<br>For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs.  | Policies deployed through GP are only effective on Enterprise devices.<br>Policies deployed through MDM are effective on all SKUs.  |
 | Management solutions   | <ul><li>[Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)</li><li>[Microsoft Endpoint Manager Configuration Manager (MEMCM)](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)</li><li>[Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md) </li><li>PowerShell</li></ul>  | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>MEMCM (custom policy deployment via Software Distribution only)</li><li>[Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> |
 | Per-User and Per-User group rules | Not available (policies are device-wide)  | Available on Windows 8+  |
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@ -15,7 +15,7 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 08/23/2021
+ms.date: 09/29/2021
 ---
 # Microsoft recommended block rules
@ -88,6 +88,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
 | `Alex Ionescu` | `@aionescu`|
 | `Brock Mammen`| |
 | `Casey Smith` | `@subTee` | 
 | `James Forshaw` | `@tiraniddo` |
 | `Jimmy Bayne` | `@bohops` |
 | `Kim Oppalfens` | `@thewmiguy` |
 | `Lasse Trolle Borup` | `Langkjaer Cyber Defence` |
@ -137,6 +138,9 @@ Select the correct version of each .dll for the Windows release you plan to supp
    <Rule>
      <Option>Enabled:UMCI</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Dynamic Code Security</Option>
    </Rule>
  </Rules>
  <!-- EKUS
  -->
@ -187,7 +191,6 @@ Select the correct version of each .dll for the Windows release you plan to supp
    <Deny ID="ID_DENY_WSL" FriendlyName="wsl.exe" FileName="wsl.exe" MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_WSLCONFIG" FriendlyName="wslconfig.exe" FileName="wslconfig.exe" MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_WSLHOST" FriendlyName="wslhost.exe" FileName="wslhost.exe" MinimumFileVersion="65535.65535.65535.65535" />
    <!-- pick the correct version of msxml3.dll, msxml6.dll, and jscript9.dll based on the release you are supporting -->
    <!-- the versions of these files in the 1903 release have this issue fixed, so they don’t need to be blocked -->
    <!-- RS1 Windows 1607
@ -783,7 +786,6 @@ Select the correct version of each .dll for the Windows release you plan to supp
    <Deny ID="ID_DENY_D_604" FriendlyName="PowerShellShell 604" Hash="B38E1198F82E7C2B3123984C017417F2A48BDFF5B6DBAD20B2438D7B65F6E39F" />
    <Deny ID="ID_DENY_D_605" FriendlyName="PowerShellShell 605" Hash="DE16A6B93178B6C6FC33FBF3E9A86CFF070DA6D3" />
    <Deny ID="ID_DENY_D_606" FriendlyName="PowerShellShell 606" Hash="A3EF9A95D1E859958DEBE44C033B4562EBB9B4C6E32005CA5C07B2E07A42E2BE" />
    <!-- pubprn.vbs
  -->
    <!-- rs2 x86fre
@ -864,12 +866,10 @@ Select the correct version of each .dll for the Windows release you plan to supp
  -->
    <Deny ID="ID_DENY_D_285" FriendlyName="PSWorkflowUtility 285" Hash="99382ED8FA3577DFD903C01478A79D6D90681406" />
    <Deny ID="ID_DENY_D_286" FriendlyName="PSWorkflowUtility 286" Hash="C3A5DAB20947CA8FD092E75C25177E7BAE7884CA58710F14827144C09EA1F94B" />
    <!-- winrm.vbs
  -->
    <Deny ID="ID_DENY_D_583" FriendlyName="Winrm 583" Hash="3FA2D2963CBF47FFD5F7F5A9B4576F34ED42E552" />
    <Deny ID="ID_DENY_D_584" FriendlyName="Winrm 584" Hash="6C96E976DC47E0C99B77814E560E0DC63161C463C75FA15B7A7CA83C11720E82" />
  </FileRules>
  <!-- Signers
  -->
@ -929,13 +929,11 @@ Select the correct version of each .dll for the Windows release you plan to supp
          <FileRuleRef RuleID="ID_DENY_WSL" />
          <FileRuleRef RuleID="ID_DENY_WSLCONFIG" />
          <FileRuleRef RuleID="ID_DENY_WSLHOST" />
          <!-- uncomment the relevant line(s) below if you have uncommented them in the rule definitions above
  <FileRuleRef RuleID="ID_DENY_MSXML3" /> 
  <FileRuleRef RuleID="ID_DENY_MSXML6" /> 
  <FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
  -->
          <FileRuleRef RuleID="ID_DENY_D_1" />
          <FileRuleRef RuleID="ID_DENY_D_2" />
          <FileRuleRef RuleID="ID_DENY_D_3" />
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@ -46,9 +46,9 @@ IT Pros can use Autopilot Reset to quickly remove personal files, apps, and sett
 ## Update
-### Windows Update for Business (WUfB)
+### Windows Update for Business
-WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
+Windows Update for Business now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
 ### Windows Insider Program for Business
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@ -120,7 +120,7 @@ For more information, see [Windows Setup Command-Line Options](/windows-hardware
 SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 26 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. 
-### Windows Update for Business (WUfB)
+### Windows Update for Business
 Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune.  For more information, see [Manage software updates in Intune](/intune/windows-update-for-business-configure).
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@ -36,9 +36,9 @@ Pre-release Windows 10 feature updates are now available to IT administrators us
 The Windows 10, version 1909 enablement package will be available on WSUS as [KB4517245](https://support.microsoft.com/kb/4517245), which can be deployed on existing deployments of Windows 10, version 1903. 
-### Windows Update for Business (WUfB)
+### Windows Update for Business
-If you are using WUfB, you will receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy.
+If you are using Windows Update for Business, you will receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy.
 ## Security
`@ -89,3 +89,5 @@ This topic helps IT administrators learn about built-in accessibility features,`

	`[Inclusive Design](https://www.microsoft.com/design/inclusive)`	`[Inclusive Design](https://www.microsoft.com/design/inclusive)`

		`[Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide)`