Merge branch 'main' into cz-20230630-term

2025-05-12 21:37:22 +00:00 · 2023-07-18 13:57:47 -07:00 · 2023-07-18 13:57:47 -07:00 · 2b55fc5a26
commit 2b55fc5a26
parent 69798288c6 e9a6f11035
486 changed files with 23458 additions and 24058 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@ -2,6 +2,41 @@
 ## Week of July 10, 2023
 | Published On |Topic title | Change |
 |------|------------|--------|
 | 7/14/2023 | [Microsoft 365 Education Documentation](/education/index) | modified |
 | 7/14/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
 | 7/14/2023 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
 | 7/14/2023 | [Configure federation between Google Workspace and Azure AD](/education/windows/configure-aad-google-trust) | modified |
 | 7/14/2023 | [Windows for Education documentation](/education/windows/index) | modified |
 | 7/14/2023 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified |
 | 7/14/2023 | [Upgrade Windows Home to Windows Education on student-owned devices](/education/windows/change-home-to-edu) | modified |
 | 7/14/2023 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
 | 7/14/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | modified |
 | 7/14/2023 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | modified |
 | 7/14/2023 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | modified |
 | 7/14/2023 | [Get Minecraft Education Edition](/education/windows/get-minecraft-for-education) | modified |
 | 7/14/2023 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
 | 7/14/2023 | [Windows for Education documentation](/education/windows/index) | added |
 | 7/14/2023 | [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps) | added |
 | 7/14/2023 | [Configure and secure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-settings) | added |
 | 7/14/2023 | [Configure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-devices-overview) | added |
 | 7/14/2023 | [Enrollment in Intune with standard out-of-box experience (OOBE)](/education/windows/tutorial-school-deployment/enroll-aadj) | added |
 | 7/14/2023 | [Enrollment in Intune with Windows Autopilot](/education/windows/tutorial-school-deployment/enroll-autopilot) | added |
 | 7/14/2023 | [Device enrollment overview](/education/windows/tutorial-school-deployment/enroll-overview) | added |
 | 7/14/2023 | [Enrollment of Windows devices with provisioning packages](/education/windows/tutorial-school-deployment/enroll-package) | added |
 | 7/14/2023 | [Introduction](/education/windows/tutorial-school-deployment/index) | added |
 | 7/14/2023 | [Manage devices with Microsoft Intune](/education/windows/tutorial-school-deployment/manage-overview) | added |
 | 7/14/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | added |
 | 7/14/2023 | [Reset and wipe Windows devices](/education/windows/tutorial-school-deployment/reset-wipe) | added |
 | 7/14/2023 | [Set up Azure Active Directory](/education/windows/tutorial-school-deployment/set-up-azure-ad) | added |
 | 7/14/2023 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | added |
 | 7/14/2023 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | added |
 ## Week of June 19, 2023
@ -15,12 +50,3 @@
 | 6/23/2023 | [Troubleshoot app deployment issues in Windows SE](/education/windows/tutorial-deploy-apps-winse/troubleshoot) | added |
 | 6/23/2023 | [Validate the applications deployed to Windows SE devices](/education/windows/tutorial-deploy-apps-winse/validate-apps) | added |
 | 6/23/2023 | [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps) | modified |
 ## Week of May 29, 2023
 | Published On |Topic title | Change |
 |------|------------|--------|
 | 5/30/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
 | 6/2/2023 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified |
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@ -139,7 +139,7 @@ Provide an ad-free experience that is a safer, more private search option for K
 #### Azure AD and Office 365 Education tenant
 To suppress ads when searching with Bing on Microsoft Edge on any network, follow these steps:
-1. Ensure your Office 365 tenant is registered as an education tenant. For more information, see [Verify your Office 365 domain to prove education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590).
+1. Ensure your Office 365 tenant is registered as an education tenant. For more information, see [Verify your Office 365 domain to prove education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-viva-engage-87d1844e-aa47-4dc0-a61b-1b773fd4e590).
 2. Domain join the Windows 10 PCs to your Azure AD tenant (this tenant is the same as your Office 365 tenant).
 3. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
 4. Have students sign in with their Azure AD identity, which is the same as your Office 365 identity, to use the PC.
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@ -113,7 +113,7 @@ Office 365 Education allows:
 * Students and faculty to use Office 365 Video to manage videos.
-* Students and faculty to use Yammer to collaborate through private social networking.
+* Students and faculty to use Viva Engage to collaborate through private social networking.
 * Students and faculty to access classroom resources from anywhere on any device (including iOS and Android devices).
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@ -68,7 +68,7 @@ Office 365 Education allows:
 - Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business.
 - Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites.
 - Students and faculty to use Office 365 Video to manage videos.
- Students and faculty to use Yammer to collaborate through private social networking.
+- Students and faculty to use Viva Engage to collaborate through private social networking.
 - Students and faculty to access classroom resources from anywhere on any device (including iOS and Android devices).
 For more information about Office 365 Education features and a FAQ, go to [Office 365 Education](https://www.microsoft.com/microsoft-365/academic/compare-office-365-education-plans).
@ -236,7 +236,7 @@ Now that you've created your new Office 365 Education subscription, add the doma
 To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
 > [!NOTE]
-> By default, automatic tenant join is enabled in Office 365 Education, except for certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled.
+> By default, automatic tenant join is enabled in Office 365 Education, except for certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled.
 Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
--- a/includes/licensing/_edition-requirements.md
+++ b/includes/licensing/_edition-requirements.md
@ -28,15 +28,15 @@ ms.topic: include
 |**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|
 |**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes|
 |**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|
-|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|
+|**[Hypervisor-protected Code Integrity (HVCI)](../../windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md)**|Yes|Yes|Yes|Yes|
-|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
+|**[Kernel Direct Memory Access (DMA) protection](../../windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md)**|Yes|Yes|Yes|Yes|
 |**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes|
-|**[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
+|**[Manage by Mobile Device Management (MDM) and group policy](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|
 |**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|❌|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|❌|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)**|❌|Yes|❌|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|Yes|❌|Yes|
 |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|❌|Yes|
 |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes|
@ -51,7 +51,7 @@ ms.topic: include
 |**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|
 |**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|
 |**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|
-|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
+|**[Security baselines](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|
 |**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|
 |**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|
 |**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
@ -70,11 +70,11 @@ ms.topic: include
 |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
 |**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes|
 |**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
-|**[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|
+|**[Windows Defender System Guard](../../windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)**|Yes|Yes|Yes|Yes|
 |**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
 |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
 |**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
-|**[Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|
+|**[Windows Sandbox](../../windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)**|Yes|Yes|Yes|Yes|
 |**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|
--- a/includes/licensing/_licensing-requirements.md
+++ b/includes/licensing/_licensing-requirements.md
@ -28,15 +28,15 @@ ms.topic: include
 |**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes|
 |**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|❌|Yes|Yes|
 |**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|Yes|
-|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|Yes|
+|**[Hypervisor-protected Code Integrity (HVCI)](../../windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md)**|Yes|Yes|Yes|Yes|Yes|
-|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|Yes|
+|**[Kernel Direct Memory Access (DMA) protection](../../windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md)**|Yes|Yes|Yes|Yes|Yes|
 |**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes|Yes|
-|**[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
+|**[Manage by Mobile Device Management (MDM) and group policy](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|Yes|
 |**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)**|❌|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|❌|❌|❌|❌|
 |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes|
@ -51,7 +51,7 @@ ms.topic: include
 |**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes|
 |**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|Yes|
 |**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|Yes|
-|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
+|**[Security baselines](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|Yes|
 |**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|Yes|
 |**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
@ -70,11 +70,11 @@ ms.topic: include
 |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes|
 |**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Defender System Guard](../../windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Sandbox](../../windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|Yes|
--- a/store-for-business/billing-understand-your-invoice-msfb.md
+++ b/store-for-business/billing-understand-your-invoice-msfb.md
@ -78,7 +78,7 @@ The **Billing Summary**  shows the charges against the billing profile since the
 | Credits |Credits you received from returns |
 | Azure credits applied |Your Azure credits that are automatically applied to Azure charges each billing period |
 | Subtotal |The pre-tax amount due |
-| Tax |The type and amount of tax that you pay, depending on the country of your billing profile. If you don't have to pay tax, then you won't see tax on your invoice. |
+| Tax |The type and amount of tax that you pay, depending on the country/region of your billing profile. If you don't have to pay tax, then you won't see tax on your invoice. |
 | Estimated total savings |The estimated total amount you saved from effective discounts. If applicable, effective discount rates are listed beneath the purchase line items in Details by Invoice Section. |
 ### Understand your charges
@ -101,7 +101,7 @@ The total amount due for each service family is calculated by subtracting Azure
 | Qty | Quantity purchased or consumed during the billing period |
 | Charges/Credits | Net amount of charges after credits/refunds are applied |
 | Azure Credit | The amount of Azure credits applied to the Charges/Credits|
-| Tax rate | Tax rate(s) depending on country |
+| Tax rate | Tax rate(s) depending on country/region |
 | Tax amount | Amount of tax applied to purchase based on tax rate |
 | Total | The total amount due for the purchase |
--- a/store-for-business/docfx.json
+++ b/store-for-business/docfx.json
@ -37,6 +37,7 @@
        "tier2"
      ],
      "breadcrumb_path": "/microsoft-store/breadcrumb/toc.json",
      "uhfHeaderId": "MSDocsHeader-Windows",
      "ms.author": "trudyha",
      "audience": "ITPro",
      "ms.service": "store-for-business",
--- a/store-for-business/includes/store-for-business-content-updates.md
+++ b/store-for-business/includes/store-for-business-content-updates.md
@ -2,33 +2,20 @@
-## Week of May 22, 2023
+## Week of July 10, 2023
 | Published On |Topic title | Change |
 |------|------------|--------|
-| 5/25/2023 | [Acquire apps in Microsoft Store for Business (Windows 10)](/microsoft-store/acquire-apps-microsoft-store-for-business) | modified |
+| 7/14/2023 | [Microsoft Store for Business and Education release history](/microsoft-store/release-history-microsoft-store-business-education) | modified |
-| 5/25/2023 | [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices) | modified |
+| 7/14/2023 | [Whats new in Microsoft Store for Business and Education](/microsoft-store/whats-new-microsoft-store-business-education) | modified |
-| 5/25/2023 | [App inventory management for Microsoft Store for Business and Microsoft Store for Education (Windows 10)](/microsoft-store/app-inventory-management-microsoft-store-for-business) | modified |
+| 7/14/2023 | [Prerequisites for Microsoft Store for Business and Education (Windows 10)](/microsoft-store/prerequisites-microsoft-store-for-business) | modified |
-| 5/25/2023 | [Apps in Microsoft Store for Business and Education (Windows 10)](/microsoft-store/apps-in-microsoft-store-for-business) | modified |
+
-| 5/25/2023 | [Assign apps to employees (Windows 10)](/microsoft-store/assign-apps-to-employees) | modified |
+
-| 5/25/2023 | [Configure an MDM provider (Windows 10)](/microsoft-store/configure-mdm-provider-microsoft-store-for-business) | modified |
+## Week of June 26, 2023
-| 5/25/2023 | [Distribute apps using your private store (Windows 10)](/microsoft-store/distribute-apps-from-your-private-store) | modified |
+
-| 5/25/2023 | [Distribute apps to your employees from the Microsoft Store for Business and Education (Windows 10)](/microsoft-store/distribute-apps-to-your-employees-microsoft-store-for-business) | modified |
+
-| 5/25/2023 | [Distribute apps with a management tool (Windows 10)](/microsoft-store/distribute-apps-with-management-tool) | modified |
+| Published On |Topic title | Change |
-| 5/25/2023 | [Distribute offline apps (Windows 10)](/microsoft-store/distribute-offline-apps) | modified |
+|------|------------|--------|
-| 5/25/2023 | [Find and acquire apps (Windows 10)](/microsoft-store/find-and-acquire-apps-overview) | modified |
+| 6/29/2023 | [Microsoft Store for Business and Education release history](/microsoft-store/release-history-microsoft-store-business-education) | modified |
-| 5/25/2023 | [Microsoft Store for Business and Education (Windows 10)](/microsoft-store/index) | modified |
+| 6/29/2023 | [Whats new in Microsoft Store for Business and Education](/microsoft-store/whats-new-microsoft-store-business-education) | modified |
 | 5/25/2023 | [Manage access to private store (Windows 10)](/microsoft-store/manage-access-to-private-store) | modified |
 | 5/25/2023 | [Manage products and services in Microsoft Store for Business (Windows 10)](/microsoft-store/manage-apps-microsoft-store-for-business-overview) | modified |
 | 5/25/2023 | [Manage private store settings (Windows 10)](/microsoft-store/manage-private-store-settings) | modified |
 | 5/25/2023 | [Manage settings for Microsoft Store for Business and Microsoft Store for Education (Windows 10)](/microsoft-store/manage-settings-microsoft-store-for-business) | modified |
 | 5/25/2023 | [Manage user accounts in Microsoft Store for Business and Microsoft Store for Education (Windows 10)](/microsoft-store/manage-users-and-groups-microsoft-store-for-business) | modified |
 | 5/25/2023 | [Microsoft Store for Business and Education PowerShell module - preview](/microsoft-store/microsoft-store-for-business-education-powershell-module) | modified |
 | 5/25/2023 | [Microsoft Store for Business and Microsoft Store for Education overview (Windows 10)](/microsoft-store/microsoft-store-for-business-overview) | modified |
 | 5/25/2023 | [Notifications in Microsoft Store for Business and Education (Windows 10)](/microsoft-store/notifications-microsoft-store-business) | modified |
 | 5/25/2023 | [Prerequisites for Microsoft Store for Business and Education (Windows 10)](/microsoft-store/prerequisites-microsoft-store-for-business) | modified |
 | 5/25/2023 | [Roles and permissions in Microsoft Store for Business and Education (Windows 10)](/microsoft-store/roles-and-permissions-microsoft-store-for-business) | modified |
 | 5/25/2023 | [Sign up and get started (Windows 10)](/microsoft-store/sign-up-microsoft-store-for-business-overview) | modified |
 | 5/25/2023 | [Troubleshoot Microsoft Store for Business (Windows 10)](/microsoft-store/troubleshoot-microsoft-store-for-business) | modified |
 | 5/25/2023 | [Update your Billing account settings](/microsoft-store/update-microsoft-store-for-business-account-settings) | modified |
--- a/store-for-business/payment-methods.md
+++ b/store-for-business/payment-methods.md
@ -29,7 +29,7 @@ You can purchase products and services from Microsoft Store for Business using y
 - Japan Commercial Bureau (JCB)
 > [!NOTE]
-> Not all cards available in all countries. When you add a payment option, Microsoft Store for Business shows which cards are available in your region.
+> Not all cards available in all countries/regions. When you add a payment option, Microsoft Store for Business shows which cards are available in your region.
 ## Add a payment method
--- a/store-for-business/update-microsoft-store-for-business-account-settings.md
+++ b/store-for-business/update-microsoft-store-for-business-account-settings.md
@ -29,7 +29,7 @@ The **Billing account** page allows you to manage organization information, purc
 ## Organization information
-We need your business address, email contact, and tax-exemption certificates that apply to your country or locale.
+We need your business address, email contact, and tax-exemption certificates that apply to your country/region or locale.
 ### Business address and email contact
@ -46,7 +46,7 @@ We need an email address in case we need to contact you about your Microsoft Sto
 4. Make your updates, and then select **Save**. 
 ### Organization tax information
-Taxes for Microsoft Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent:
+Taxes for Microsoft Store for Business purchases are determined by your business address. Businesses in these countries/regions can provide their VAT number or local equivalent:
 - Austria
 - Belgium
 - Bulgaria
@ -102,7 +102,7 @@ If you qualify for tax-exempt status in your market, start a service request to
 You'll need this documentation:
-|Country or locale | Documentation |
+|Country/Region or locale | Documentation |
 |------------------|----------------|
 | United States | Sales Tax Exemption Certificate |
 | Canada | Certificate of Exemption (or equivalent letter of authorization) |
--- a/windows/client-management/mdm/activesync-csp.md
+++ b/windows/client-management/mdm/activesync-csp.md
@ -4,7 +4,7 @@ description: Learn more about the ActiveSync CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 05/10/2023
+ms.date: 07/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -129,6 +129,7 @@ When managing over OMA DM, make sure to always use a unique GUID. Provisioning w
 |:--|:--|
 | Format | `node` |
 | Access Type | Add, Delete, Get, Replace |
 | Atomic Required | True |
 | Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
 | Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` |
 <!-- User-Accounts-{Account GUID}-DFProperties-End -->
--- a/windows/client-management/mdm/activesync-ddf-file.md
+++ b/windows/client-management/mdm/activesync-ddf-file.md
@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 07/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -100,6 +100,7 @@ The following XML file contains the device description framework (DDF) for the A
          <MSFT:AllowedValues ValueType="RegEx">
            <MSFT:Value>\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}</MSFT:Value>
          </MSFT:AllowedValues>
          <MSFT:AtomicRequired />
        </DFProperties>
        <Node>
          <NodeName>EmailAddress</NodeName>
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@ -4,7 +4,7 @@ description: Learn more about the Defender CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 05/11/2023
+ms.date: 07/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -30,6 +30,7 @@ The following list shows the Defender configuration service provider nodes:
    - [AllowDatagramProcessingOnWinServer](#configurationallowdatagramprocessingonwinserver)
    - [AllowNetworkProtectionDownLevel](#configurationallownetworkprotectiondownlevel)
    - [AllowNetworkProtectionOnWinServer](#configurationallownetworkprotectiononwinserver)
    - [AllowSwitchToAsyncInspection](#configurationallowswitchtoasyncinspection)
    - [ASROnlyPerRuleExclusions](#configurationasronlyperruleexclusions)
    - [DataDuplicationDirectory](#configurationdataduplicationdirectory)
    - [DataDuplicationLocalRetentionPeriod](#configurationdataduplicationlocalretentionperiod)
@ -44,6 +45,7 @@ The following list shows the Defender configuration service provider nodes:
          - [RuleData](#configurationdevicecontrolpolicyrulesruleidruledata)
    - [DeviceControlEnabled](#configurationdevicecontrolenabled)
    - [DisableCpuThrottleOnIdleScans](#configurationdisablecputhrottleonidlescans)
    - [DisableDatagramProcessing](#configurationdisabledatagramprocessing)
    - [DisableDnsOverTcpParsing](#configurationdisablednsovertcpparsing)
    - [DisableDnsParsing](#configurationdisablednsparsing)
    - [DisableFtpParsing](#configurationdisableftpparsing)
@ -298,6 +300,55 @@ This settings controls whether Network Protection is allowed to be configured in
 <!-- Device-Configuration-AllowNetworkProtectionOnWinServer-End -->
 <!-- Device-Configuration-AllowSwitchToAsyncInspection-Begin -->
 ### Configuration/AllowSwitchToAsyncInspection
 <!-- Device-Configuration-AllowSwitchToAsyncInspection-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
 <!-- Device-Configuration-AllowSwitchToAsyncInspection-Applicability-End -->
 <!-- Device-Configuration-AllowSwitchToAsyncInspection-OmaUri-Begin -->
 ```Device
 ./Device/Vendor/MSFT/Defender/Configuration/AllowSwitchToAsyncInspection
 ```
 <!-- Device-Configuration-AllowSwitchToAsyncInspection-OmaUri-End -->
 <!-- Device-Configuration-AllowSwitchToAsyncInspection-Description-Begin -->
 <!-- Description-Source-DDF -->
 Control whether network protection can improve performance by switching from real-time inspection to asynchronous inspection.
 <!-- Device-Configuration-AllowSwitchToAsyncInspection-Description-End -->
 <!-- Device-Configuration-AllowSwitchToAsyncInspection-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Device-Configuration-AllowSwitchToAsyncInspection-Editable-End -->
 <!-- Device-Configuration-AllowSwitchToAsyncInspection-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Default Value  | 0 |
 <!-- Device-Configuration-AllowSwitchToAsyncInspection-DFProperties-End -->
 <!-- Device-Configuration-AllowSwitchToAsyncInspection-AllowedValues-Begin -->
 **Allowed values**:
 | Value | Description |
 |:--|:--|
 | 1 | Allow switching to asynchronous inspection. |
 | 0 (Default) | Don’t allow asynchronous inspection. |
 <!-- Device-Configuration-AllowSwitchToAsyncInspection-AllowedValues-End -->
 <!-- Device-Configuration-AllowSwitchToAsyncInspection-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- Device-Configuration-AllowSwitchToAsyncInspection-Examples-End -->
 <!-- Device-Configuration-AllowSwitchToAsyncInspection-End -->
 <!-- Device-Configuration-ASROnlyPerRuleExclusions-Begin -->
 ### Configuration/ASROnlyPerRuleExclusions
@ -871,6 +922,55 @@ Indicates whether the CPU will be throttled for scheduled scans while the device
 <!-- Device-Configuration-DisableCpuThrottleOnIdleScans-End -->
 <!-- Device-Configuration-DisableDatagramProcessing-Begin -->
 ### Configuration/DisableDatagramProcessing
 <!-- Device-Configuration-DisableDatagramProcessing-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
 <!-- Device-Configuration-DisableDatagramProcessing-Applicability-End -->
 <!-- Device-Configuration-DisableDatagramProcessing-OmaUri-Begin -->
 ```Device
 ./Device/Vendor/MSFT/Defender/Configuration/DisableDatagramProcessing
 ```
 <!-- Device-Configuration-DisableDatagramProcessing-OmaUri-End -->
 <!-- Device-Configuration-DisableDatagramProcessing-Description-Begin -->
 <!-- Description-Source-DDF -->
 Control whether network protection inspects User Datagram Protocol (UDP) traffic.
 <!-- Device-Configuration-DisableDatagramProcessing-Description-End -->
 <!-- Device-Configuration-DisableDatagramProcessing-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Device-Configuration-DisableDatagramProcessing-Editable-End -->
 <!-- Device-Configuration-DisableDatagramProcessing-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Default Value  | 0 |
 <!-- Device-Configuration-DisableDatagramProcessing-DFProperties-End -->
 <!-- Device-Configuration-DisableDatagramProcessing-AllowedValues-Begin -->
 **Allowed values**:
 | Value | Description |
 |:--|:--|
 | 1 | UDP inspection is off. |
 | 0 (Default) | UDP inspection is on. |
 <!-- Device-Configuration-DisableDatagramProcessing-AllowedValues-End -->
 <!-- Device-Configuration-DisableDatagramProcessing-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- Device-Configuration-DisableDatagramProcessing-Examples-End -->
 <!-- Device-Configuration-DisableDatagramProcessing-End -->
 <!-- Device-Configuration-DisableDnsOverTcpParsing-Begin -->
 ### Configuration/DisableDnsOverTcpParsing
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 07/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -1803,6 +1803,45 @@ The following XML file contains the device description framework (DDF) for the D
          </MSFT:AllowedValues>
        </DFProperties>
      </Node>
      <Node>
        <NodeName>DisableDatagramProcessing</NodeName>
        <DFProperties>
          <AccessType>
            <Add />
            <Delete />
            <Get />
            <Replace />
          </AccessType>
          <DefaultValue>0</DefaultValue>
          <Description>Control whether network protection inspects User Datagram Protocol (UDP) traffic</Description>
          <DFFormat>
            <int />
          </DFFormat>
          <Occurrence>
            <One />
          </Occurrence>
          <Scope>
            <Dynamic />
          </Scope>
          <DFType>
            <MIME />
          </DFType>
          <MSFT:Applicability>
            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
            <MSFT:CspVersion>1.3</MSFT:CspVersion>
          </MSFT:Applicability>
          <MSFT:AllowedValues ValueType="ENUM">
            <MSFT:Enum>
              <MSFT:Value>1</MSFT:Value>
              <MSFT:ValueDescription>UDP inspection is off</MSFT:ValueDescription>
            </MSFT:Enum>
            <MSFT:Enum>
              <MSFT:Value>0</MSFT:Value>
              <MSFT:ValueDescription>UDP inspection is on</MSFT:ValueDescription>
            </MSFT:Enum>
          </MSFT:AllowedValues>
        </DFProperties>
      </Node>
      <Node>
        <NodeName>DisableNetworkProtectionPerfTelemetry</NodeName>
        <DFProperties>
@ -2355,6 +2394,45 @@ The following XML file contains the device description framework (DDF) for the D
          </MSFT:AllowedValues>
        </DFProperties>
      </Node>
      <Node>
        <NodeName>AllowSwitchToAsyncInspection</NodeName>
        <DFProperties>
          <AccessType>
            <Add />
            <Delete />
            <Get />
            <Replace />
          </AccessType>
          <DefaultValue>0</DefaultValue>
          <Description>Control whether network protection can improve performance by switching from real-time inspection to asynchronous inspection</Description>
          <DFFormat>
            <int />
          </DFFormat>
          <Occurrence>
            <One />
          </Occurrence>
          <Scope>
            <Dynamic />
          </Scope>
          <DFType>
            <MIME />
          </DFType>
          <MSFT:Applicability>
            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
            <MSFT:CspVersion>1.3</MSFT:CspVersion>
          </MSFT:Applicability>
          <MSFT:AllowedValues ValueType="ENUM">
            <MSFT:Enum>
              <MSFT:Value>1</MSFT:Value>
              <MSFT:ValueDescription>Allow switching to asynchronous inspection</MSFT:ValueDescription>
            </MSFT:Enum>
            <MSFT:Enum>
              <MSFT:Value>0</MSFT:Value>
              <MSFT:ValueDescription>Don’t allow asynchronous inspection</MSFT:ValueDescription>
            </MSFT:Enum>
          </MSFT:AllowedValues>
        </DFProperties>
      </Node>
      <Node>
        <NodeName>RandomizeScheduleTaskTimes</NodeName>
        <DFProperties>
--- a/windows/client-management/mdm/dynamicmanagement-csp.md
+++ b/windows/client-management/mdm/dynamicmanagement-csp.md
@ -24,7 +24,7 @@ The table below shows the applicability of Windows:
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-Windows 10 or Windows 11 allows you to manage devices differently depending on location, network, or time.  Added in Windows 10, version 1703, the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
+Windows 10 or Windows 11 allows you to manage devices differently depending on location, network, or time.  Added in Windows 10, version 1703, the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country/region to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
 This CSP was added in Windows 10, version 1703.
--- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
@ -4,7 +4,7 @@ description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 07/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -105,7 +105,7 @@ This setting allows an administrator to revert specific Windows Shell behavior t
 - If you enable this setting, users can't configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users can't restore the new features.
-Enabling this policy will also turn off the preview pane and set the folder options for File Explorer to Use classic folders view and disable the users' ability to change these options.
+Enabling this policy will also turn off the preview pane and set the folder options for File Explorer to Use classic folders view and disable the users ability to change these options.
 - If you disable or not configure this policy, the default File Explorer behavior is applied to the user.
@ -3965,7 +3965,9 @@ To remove network computers from lists of network resources, use the "No Entire
 <!-- PlacesBar-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If you enable this setting you can specify from 1 to 5 items to be displayed in the Places Bar.
+Configures the list of items displayed in the Places Bar in the Windows File/Open dialog.
 - If you enable this setting you can specify from 1 to 5 items to be displayed in the Places Bar.
 The valid items you may display in the Places Bar are:
@ -3983,7 +3985,7 @@ The list of Common Shell Folders that may be specified:
 Desktop, Recent Places, Documents, Pictures, Music, Recently Changed, Attachments and Saved Searches.
-If you disable or don't configure this setting the default list of items will be displayed in the Places Bar.
+- If you disable or don't configure this setting the default list of items will be displayed in the Places Bar.
 > [!NOTE]
 > In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting doesn't apply to the new Windows Vista common dialog box style.
--- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md
@ -227,6 +227,8 @@ Denies or allows access to the Store application.
 <!-- RemoveWindowsStore_1-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > This policy is not supported on Windows Professional edition, and requires Windows Enterprise or Windows Education to function. For more information, see [Can't disable Microsoft Store in Windows Pro through Group Policy](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store).
 <!-- RemoveWindowsStore_1-Editable-End -->
 <!-- RemoveWindowsStore_1-DFProperties-Begin -->
@ -286,6 +288,8 @@ Denies or allows access to the Store application.
 <!-- RemoveWindowsStore_2-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > This policy is not supported on Windows Professional edition, and requires Windows Enterprise or Windows Education to function. For more information, see [Can't disable Microsoft Store in Windows Pro through Group Policy](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store).
 <!-- RemoveWindowsStore_2-Editable-End -->
 <!-- RemoveWindowsStore_2-DFProperties-Begin -->
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@ -44,7 +44,7 @@ If set to 1 then any MDM policy that's set that has an equivalent GP policy will
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
-> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md).
+> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). Nor does it apply to the [Update Policy CSP](policy-csp-update.md) for managing Windows updates. 
 This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@ -42,7 +42,7 @@ Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user,
 <!-- ConfigureSystemGuardLaunch-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows).
+For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows).
 <!-- ConfigureSystemGuardLaunch-Editable-End -->
 <!-- ConfigureSystemGuardLaunch-DFProperties-Begin -->
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@ -4,7 +4,7 @@ description: Learn more about the Experience Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 07/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -528,8 +528,8 @@ This policy setting allows you to control whether screen recording functionality
 | Value | Description |
 |:--|:--|
-| 0 | Disabled |
+| 0 | Disabled. |
-| 1 (Default) | Enabled |
+| 1 (Default) | Enabled. |
 <!-- AllowScreenRecorder-AllowedValues-End -->
 <!-- AllowScreenRecorder-GpMapping-Begin -->
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@ -4,7 +4,7 @@ description: Learn more about the Notifications Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 07/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -61,8 +61,8 @@ This policy allows you to prevent Windows from displaying notifications to Micro
 | Value | Description |
 |:--|:--|
-| 0 (Default) | Disabled |
+| 0 (Default) | Disabled. |
-| 1 | Enabled |
+| 1 | Enabled. |
 <!-- DisableAccountNotifications-AllowedValues-End -->
 <!-- DisableAccountNotifications-GpMapping-Begin -->
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@ -2426,7 +2426,9 @@ Number of days before feature updates are installed on devices automatically reg
 <!-- ConfigureDeadlineForFeatureUpdates-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
-> After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule.
+> 
 > - After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule.
 > - When this policy is used, the download, installation, and reboot settings from [Update/AllowAutoUpdate](#allowautoupdate) are ignored.
 <!-- ConfigureDeadlineForFeatureUpdates-Editable-End -->
 <!-- ConfigureDeadlineForFeatureUpdates-DFProperties-Begin -->
@ -2483,7 +2485,9 @@ Number of days before quality updates are installed on devices automatically reg
 <!-- ConfigureDeadlineForQualityUpdates-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
-> After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule.
+> 
 > - After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule.
 > - When this policy is used, the download, installation, and reboot settings from [Update/AllowAutoUpdate](#allowautoupdate) are ignored.
 <!-- ConfigureDeadlineForQualityUpdates-Editable-End -->
 <!-- ConfigureDeadlineForQualityUpdates-DFProperties-Begin -->
--- a/windows/client-management/mdm/secureassessment-csp.md
+++ b/windows/client-management/mdm/secureassessment-csp.md
@ -1,82 +1,171 @@
 ---
 title: SecureAssessment CSP
-description: Learn how the SecureAssessment configuration service provider (CSP) is used to provide configuration information for the secure assessment browser.
+description: Learn more about the SecureAssessment CSP.
-ms.reviewer:
+author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.topic: reference
+ms.date: 07/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
+ms.topic: reference
 ms.date: 06/26/2017
 ---
 <!-- Auto-Generated CSP Document -->
 <!-- SecureAssessment-Begin -->
 # SecureAssessment CSP
-The table below shows the applicability of Windows:
+<!-- SecureAssessment-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- SecureAssessment-Editable-End -->
-|Edition|Windows 10|Windows 11|
+<!-- SecureAssessment-Tree-Begin -->
-|--- |--- |--- |
+The following list shows the SecureAssessment configuration service provider nodes:
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-The SecureAssessment configuration service provider is used to provide configuration information for the secure assessment browser.
+- ./Vendor/MSFT/SecureAssessment
  - [AllowScreenMonitoring](#allowscreenmonitoring)
  - [AllowTextSuggestions](#allowtextsuggestions)
  - [Assessments](#assessments)
  - [LaunchURI](#launchuri)
  - [RequirePrinting](#requireprinting)
  - [TesterAccount](#testeraccount)
 <!-- SecureAssessment-Tree-End -->
-The following example shows the SecureAssessment configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
+<!-- Device-AllowScreenMonitoring-Begin -->
 ## AllowScreenMonitoring
 <!-- Device-AllowScreenMonitoring-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
 <!-- Device-AllowScreenMonitoring-Applicability-End -->
 <!-- Device-AllowScreenMonitoring-OmaUri-Begin -->
 ```Device
 ./Vendor/MSFT/SecureAssessment/AllowScreenMonitoring
 ```
-./Vendor/MSFT
+<!-- Device-AllowScreenMonitoring-OmaUri-End -->
-SecureAssessment
+
----LaunchURI
+<!-- Device-AllowScreenMonitoring-Description-Begin -->
----TesterAccount
+<!-- Description-Source-DDF -->
----AllowScreenMonitoring
+Indicates if screen monitoring is allowed by the app.
----RequirePrinting
+<!-- Device-AllowScreenMonitoring-Description-End -->
----AllowTextSuggestions
+
----Assessments
+<!-- Device-AllowScreenMonitoring-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Device-AllowScreenMonitoring-Editable-End -->
 <!-- Device-AllowScreenMonitoring-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
 | Access Type | Get, Replace |
 | Default Value  | 0 |
 <!-- Device-AllowScreenMonitoring-DFProperties-End -->
 <!-- Device-AllowScreenMonitoring-AllowedValues-Begin -->
 **Allowed values**:
 | Value | Description |
 |:--|:--|
 | 1 | Screen monitoring is allowed. |
 | 0 (Default) | Screen monitoring isn't allowed. |
 <!-- Device-AllowScreenMonitoring-AllowedValues-End -->
 <!-- Device-AllowScreenMonitoring-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- Device-AllowScreenMonitoring-Examples-End -->
 <!-- Device-AllowScreenMonitoring-End -->
 <!-- Device-AllowTextSuggestions-Begin -->
 ## AllowTextSuggestions
 <!-- Device-AllowTextSuggestions-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
 <!-- Device-AllowTextSuggestions-Applicability-End -->
 <!-- Device-AllowTextSuggestions-OmaUri-Begin -->
 ```Device
 ./Vendor/MSFT/SecureAssessment/AllowTextSuggestions
 ```
-<a href="" id="--vendor-msft-secureassessment"></a>**./Vendor/MSFT/SecureAssessment**
+<!-- Device-AllowTextSuggestions-OmaUri-End -->
 The root node for the SecureAssessment configuration service provider.
-The supported operation is Get.
+<!-- Device-AllowTextSuggestions-Description-Begin -->
 <!-- Description-Source-DDF -->
 Indicates if keyboard text suggestions are allowed by the app.
 <!-- Device-AllowTextSuggestions-Description-End -->
-<a href="" id="launchuri"></a>**LaunchURI**
+<!-- Device-AllowTextSuggestions-Editable-Begin -->
-URI link to an assessment that's automatically loaded when the secure assessment browser is launched.
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Device-AllowTextSuggestions-Editable-End -->
-The supported operations are Add, Delete, Get, and Replace.
+<!-- Device-AllowTextSuggestions-DFProperties-Begin -->
 **Description framework properties**:
-<a href="" id="testeraccount"></a>**TesterAccount**
+| Property name | Property value |
-The user name of the test taking account.
+|:--|:--|
 | Format | `int` |
 | Access Type | Get, Replace |
 | Default Value  | 0 |
 <!-- Device-AllowTextSuggestions-DFProperties-End -->
- To specify a domain account, use domain\\user.
+<!-- Device-AllowTextSuggestions-AllowedValues-Begin -->
- To specify an Azure Active Directory account, use username@tenant.com.
+**Allowed values**:
 - To specify a local account, use the username.
-The supported operations are Add, Delete, Get, and Replace.
+| Value | Description |
 |:--|:--|
 | 1 | Keyboard text suggestions are allowed. |
 | 0 (Default) | Keyboard text suggestions aren't allowed. |
 <!-- Device-AllowTextSuggestions-AllowedValues-End -->
-<a href="" id="allowscreenmonitoring"></a>**AllowScreenMonitoring**
+<!-- Device-AllowTextSuggestions-Examples-Begin -->
-Added in Windows 10, version 1703. Boolean value that indicates whether screen capture is allowed by the app.
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- Device-AllowTextSuggestions-Examples-End -->
-Supported operations are Get and Replace.
+<!-- Device-AllowTextSuggestions-End -->
-<a href="" id="requireprinting"></a>**RequirePrinting**
+<!-- Device-Assessments-Begin -->
-Added in Windows 10, version 1703. Boolean value that indicates whether printing is allowed by the app.
+## Assessments
-Supported operations are Get and Replace.
+<!-- Device-Assessments-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621.521] and later |
 <!-- Device-Assessments-Applicability-End -->
-<a href="" id="AllowTextSuggestions"></a>**AllowTextSuggestions**
+<!-- Device-Assessments-OmaUri-Begin -->
-Added in Windows 10, version 1703. Boolean value that indicates whether keyboard text suggestions are allowed by the app.
+```Device
 ./Vendor/MSFT/SecureAssessment/Assessments
 ```
 <!-- Device-Assessments-OmaUri-End -->
-Supported operations are Get and Replace.
+<!-- Device-Assessments-Description-Begin -->
 <!-- Description-Source-DDF -->
 Enables support for multiple assessments and for assessment grouping. The structure is specified by an XML.
 <!-- Device-Assessments-Description-End -->
-<a href="" id="Assessments"></a>**Assessments**
+<!-- Device-Assessments-Editable-Begin -->
-Added in Windows 11, version 22H2. Enables support for multiple assessments. When configured, users can select from a list of assessments. The node accepts an XML string that represents the list of available assessments.
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 When configured, users can select from a list of assessments. The node accepts an XML string that represents the list of available assessments.
 <!-- Device-Assessments-Editable-End -->
-Supported operations are Add, Delete, Get and Replace.
+<!-- Device-Assessments-DFProperties-Begin -->
 **Description framework properties**:
-XML schema
+| Property name | Property value |
 |:--|:--|
 | Format | `chr` (string) |
 | Access Type | Add, Delete, Get, Replace |
 <!-- Device-Assessments-DFProperties-End -->
 <!-- Device-Assessments-AllowedValues-Begin -->
 **Allowed values**:
 ```xml
 <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
@ -89,8 +178,8 @@ XML schema
              <xs:element name="Assessment" maxOccurs="unbounded" minOccurs="0">
                <xs:complexType>
                  <xs:sequence>
-                    <xs:element type="xs:string" name="TestName"/>
+                    <xs:element type="xs:string" name="TestName" />
-                    <xs:element type="xs:string" name="TestUri"/>
+                    <xs:element type="xs:string" name="TestUri" />
                  </xs:sequence>
                </xs:complexType>
              </xs:element>
@ -102,8 +191,12 @@ XML schema
  </xs:element>
 </xs:schema>
 ```
 <!-- Device-Assessments-AllowedValues-End -->
 <!-- Device-Assessments-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Example**:
 Example:
 ```xml
 <?xml version="1.0" encoding="utf-16"?>
 <AssessmentsRoot xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@ -124,12 +217,144 @@ Example:
    </Assessments>
 </AssessmentsRoot>
 ```
 <!-- Device-Assessments-Examples-End -->
-## Related topics
+<!-- Device-Assessments-End -->
-[Set up Take a Test](/education/windows/take-a-test-multiple-pcs)
+<!-- Device-LaunchURI-Begin -->
 ## LaunchURI
-[Configuration service provider reference](index.yml)
+<!-- Device-LaunchURI-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
 <!-- Device-LaunchURI-Applicability-End -->
 <!-- Device-LaunchURI-OmaUri-Begin -->
 ```Device
 ./Vendor/MSFT/SecureAssessment/LaunchURI
 ```
 <!-- Device-LaunchURI-OmaUri-End -->
 <!-- Device-LaunchURI-Description-Begin -->
 <!-- Description-Source-DDF -->
 Link to an assessment that's automatically loaded when the Secure Assessment Browser is launched.
 <!-- Device-LaunchURI-Description-End -->
 <!-- Device-LaunchURI-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Device-LaunchURI-Editable-End -->
 <!-- Device-LaunchURI-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `chr` (string) |
 | Access Type | Add, Delete, Get, Replace |
 | Allowed Values | Regular Expression: `System.Xml.XmlElement` |
 <!-- Device-LaunchURI-DFProperties-End -->
 <!-- Device-LaunchURI-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- Device-LaunchURI-Examples-End -->
 <!-- Device-LaunchURI-End -->
 <!-- Device-RequirePrinting-Begin -->
 ## RequirePrinting
 <!-- Device-RequirePrinting-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
 <!-- Device-RequirePrinting-Applicability-End -->
 <!-- Device-RequirePrinting-OmaUri-Begin -->
 ```Device
 ./Vendor/MSFT/SecureAssessment/RequirePrinting
 ```
 <!-- Device-RequirePrinting-OmaUri-End -->
 <!-- Device-RequirePrinting-Description-Begin -->
 <!-- Description-Source-DDF -->
 Indicates if printing is required by the app.
 <!-- Device-RequirePrinting-Description-End -->
 <!-- Device-RequirePrinting-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Device-RequirePrinting-Editable-End -->
 <!-- Device-RequirePrinting-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
 | Access Type | Get, Replace |
 | Default Value  | 1 |
 <!-- Device-RequirePrinting-DFProperties-End -->
 <!-- Device-RequirePrinting-AllowedValues-Begin -->
 **Allowed values**:
 | Value | Description |
 |:--|:--|
 | 1 (Default) | Printing is allowed. |
 | 0 | Printing isn't allowed. |
 <!-- Device-RequirePrinting-AllowedValues-End -->
 <!-- Device-RequirePrinting-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- Device-RequirePrinting-Examples-End -->
 <!-- Device-RequirePrinting-End -->
 <!-- Device-TesterAccount-Begin -->
 ## TesterAccount
 <!-- Device-TesterAccount-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
 <!-- Device-TesterAccount-Applicability-End -->
 <!-- Device-TesterAccount-OmaUri-Begin -->
 ```Device
 ./Vendor/MSFT/SecureAssessment/TesterAccount
 ```
 <!-- Device-TesterAccount-OmaUri-End -->
 <!-- Device-TesterAccount-Description-Begin -->
 <!-- Description-Source-DDF -->
 The user name of the test taking account. To specify a domain account, use domain\user. To specify an AAD account, use username@tenant.com. To specify a local account, use the username.
 <!-- Device-TesterAccount-Description-End -->
 <!-- Device-TesterAccount-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Device-TesterAccount-Editable-End -->
 <!-- Device-TesterAccount-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `chr` (string) |
 | Access Type | Add, Delete, Get, Replace |
 <!-- Device-TesterAccount-DFProperties-End -->
 <!-- Device-TesterAccount-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- Device-TesterAccount-Examples-End -->
 <!-- Device-TesterAccount-End -->
 <!-- SecureAssessment-CspMoreInfo-Begin -->
 <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
 <!-- SecureAssessment-CspMoreInfo-End -->
 <!-- SecureAssessment-End -->
 ## Related articles
 [Configuration service provider reference](configuration-service-provider-reference.md)
--- a/windows/client-management/mdm/secureassessment-ddf-file.md
+++ b/windows/client-management/mdm/secureassessment-ddf-file.md
@ -1,188 +1,278 @@
 ---
 title: SecureAssessment DDF file
-description: View the OMA DM device description framework (DDF) for the SecureAssessment configuration service provider. DDF files are used only with OMA DM provisioning XML
+description: View the XML file containing the device description framework (DDF) for the SecureAssessment configuration service provider.
-ms.reviewer:
+author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.topic: reference
+ms.date: 07/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
+ms.topic: reference
 ms.date: 12/05/2017
 ---
 <!-- Auto-Generated CSP Document -->
 # SecureAssessment DDF file
-This topic shows the OMA DM device description framework (DDF) for the **SecureAssessment** configuration service provider. DDF files are used only with OMA DM provisioning XML.
+The following XML file contains the device description framework (DDF) for the SecureAssessment configuration service provider.
 Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md).
 The XML below is the current version for this CSP.
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
+<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
  "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
  [<?oma-dm-ddf-ver supported-versions="1.2"?>]>
 <MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
  <VerDTD>1.2</VerDTD>
-      <Node>
+  <MSFT:Diagnostics>
-        <NodeName>SecureAssessment</NodeName>
+  </MSFT:Diagnostics>
-        <Path>./Vendor/MSFT</Path>
+  <Node>
-        <DFProperties>
+    <NodeName>SecureAssessment</NodeName>
-          <AccessType>
+    <Path>./Vendor/MSFT</Path>
-            <Get />
+    <DFProperties>
-          </AccessType>
+      <AccessType>
-          <Description>Settings related to the configuration of the Secure Assessment Browser.</Description>
+        <Get />
-          <DFFormat>
+      </AccessType>
-            <node />
+      <Description>Settings related to the configuration of the Secure Assessment Browser.</Description>
-          </DFFormat>
+      <DFFormat>
-          <Occurrence>
+        <node />
-            <One />
+      </DFFormat>
-          </Occurrence>
+      <Occurrence>
-          <Scope>
+        <One />
-            <Permanent />
+      </Occurrence>
-          </Scope>
+      <Scope>
-          <DFType>
+        <Permanent />
-            <MIME>com.microsoft/1.1/MDM/SecureAssessment</MIME>
+      </Scope>
-          </DFType>
+      <DFType>
-        </DFProperties>
+        <MIME />
-        <Node>
+      </DFType>
-          <NodeName>LaunchURI</NodeName>
+      <MSFT:Applicability>
-          <DFProperties>
+        <MSFT:OsBuildVersion>10.0.15063</MSFT:OsBuildVersion>
-            <AccessType>
+        <MSFT:CspVersion>1.0</MSFT:CspVersion>
-              <Add />
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;</MSFT:EditionAllowList>
-              <Delete />
+      </MSFT:Applicability>
-              <Get />
+    </DFProperties>
-              <Replace />
+    <Node>
-            </AccessType>
+      <NodeName>LaunchURI</NodeName>
-            <Description>Link to an assessment that's automatically loaded when the Secure Assessment Browser is launched.</Description>
+      <DFProperties>
-            <DFFormat>
+        <AccessType>
-              <chr />
+          <Add />
-            </DFFormat>
+          <Delete />
-            <Occurrence>
+          <Get />
-              <ZeroOrOne />
+          <Replace />
-            </Occurrence>
+        </AccessType>
-            <Scope>
+        <Description>Link to an assessment that's automatically loaded when the Secure Assessment Browser is launched.</Description>
-              <Dynamic />
+        <DFFormat>
-            </Scope>
+          <chr />
-            <CaseSense>
+        </DFFormat>
-              <CIS />
+        <Occurrence>
-            </CaseSense>
+          <ZeroOrOne />
-            <DFType>
+        </Occurrence>
-              <MIME>text/plain</MIME>
+        <Scope>
-            </DFType>
+          <Dynamic />
-          </DFProperties>
+        </Scope>
-        </Node>
+        <DFType>
-        <Node>
+          <MIME />
-          <NodeName>TesterAccount</NodeName>
+        </DFType>
-          <DFProperties>
+        <CaseSense>
-            <AccessType>
+          <CIS />
-              <Get />
+        </CaseSense>
-              <Add />
+        <MSFT:AllowedValues ValueType="RegEx">
-              <Delete />
+          <MSFT:Value><![CDATA[/^https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*)$/]]></MSFT:Value>
-              <Replace />
+        </MSFT:AllowedValues>
-            </AccessType>
+      </DFProperties>
-            <Description>The user name of the test taking account.  To specify a domain account, use domain\user. To specify an Azure Active Directory account, use username@tenant.com. To specify a local account, use the username.</Description>
+    </Node>
-            <DFFormat>
+    <Node>
-              <chr />
+      <NodeName>TesterAccount</NodeName>
-            </DFFormat>
+      <DFProperties>
-            <Occurrence>
+        <AccessType>
-              <ZeroOrOne />
+          <Add />
-            </Occurrence>
+          <Delete />
-            <Scope>
+          <Get />
-              <Dynamic />
+          <Replace />
-            </Scope>
+        </AccessType>
-            <CaseSense>
+        <Description>The user name of the test taking account.  To specify a domain account, use domain\user. To specify an AAD account, use username@tenant.com. To specify a local account, use the username.</Description>
-              <CIS />
+        <DFFormat>
-            </CaseSense>
+          <chr />
-            <DFType>
+        </DFFormat>
-              <MIME>text/plain</MIME>
+        <Occurrence>
-            </DFType>
+          <ZeroOrOne />
-          </DFProperties>
+        </Occurrence>
-        </Node>
+        <Scope>
-        <Node>
+          <Dynamic />
-          <NodeName>AllowScreenMonitoring</NodeName>
+        </Scope>
-          <DFProperties>
+        <DFType>
-            <AccessType>
+          <MIME />
-              <Get />
+        </DFType>
-              <Replace />
+        <CaseSense>
-            </AccessType>
+          <CIS />
-            <DefaultValue>false</DefaultValue>
+        </CaseSense>
-            <Description>Indicates if screen monitoring is allowed by the app.</Description>
+        <MSFT:AllowedValues ValueType="None">
-            <DFFormat>
+        </MSFT:AllowedValues>
-              <bool />
+      </DFProperties>
-            </DFFormat>
+    </Node>
-            <Occurrence>
+    <Node>
-              <One />
+      <NodeName>AllowScreenMonitoring</NodeName>
-            </Occurrence>
+      <DFProperties>
-            <Scope>
+        <AccessType>
-              <Permanent />
+          <Get />
-            </Scope>
+          <Replace />
-            <CaseSense>
+        </AccessType>
-              <CIS />
+        <DefaultValue>0</DefaultValue>
-            </CaseSense>
+        <Description>Indicates if screen monitoring is allowed by the app.</Description>
-            <DFType>
+        <DFFormat>
-              <MIME>text/plain</MIME>
+          <int />
-            </DFType>
+        </DFFormat>
-          </DFProperties>
+        <Occurrence>
-        </Node>
+          <One />
-        <Node>
+        </Occurrence>
-          <NodeName>RequirePrinting</NodeName>
+        <Scope>
-          <DFProperties>
+          <Permanent />
-            <AccessType>
+        </Scope>
-              <Get />
+        <DFType>
-              <Replace />
+          <MIME />
-            </AccessType>
+        </DFType>
-            <DefaultValue>false</DefaultValue>
+        <CaseSense>
-            <Description>Indicates if printing is required by the app.</Description>
+          <CIS />
-            <DFFormat>
+        </CaseSense>
-              <bool />
+        <MSFT:AllowedValues ValueType="ENUM">
-            </DFFormat>
+          <MSFT:Enum>
-            <Occurrence>
+            <MSFT:Value>1</MSFT:Value>
-              <One />
+            <MSFT:ValueDescription>Screen monitoring is allowed</MSFT:ValueDescription>
-            </Occurrence>
+          </MSFT:Enum>
-            <Scope>
+          <MSFT:Enum>
-              <Permanent />
+            <MSFT:Value>0</MSFT:Value>
-            </Scope>
+            <MSFT:ValueDescription>Screen monitoring is not allowed</MSFT:ValueDescription>
-            <CaseSense>
+          </MSFT:Enum>
-              <CIS />
+        </MSFT:AllowedValues>
-            </CaseSense>
+      </DFProperties>
-            <DFType>
+    </Node>
-              <MIME>text/plain</MIME>
+    <Node>
-            </DFType>
+      <NodeName>RequirePrinting</NodeName>
-          </DFProperties>
+      <DFProperties>
-        </Node>
+        <AccessType>
-        <Node>
+          <Get />
-          <NodeName>AllowTextSuggestions</NodeName>
+          <Replace />
-          <DFProperties>
+        </AccessType>
-            <AccessType>
+        <DefaultValue>1</DefaultValue>
-              <Get />
+        <Description>Indicates if printing is required by the app.</Description>
-              <Replace />
+        <DFFormat>
-            </AccessType>
+          <int />
-            <DefaultValue>false</DefaultValue>
+        </DFFormat>
-            <Description>Indicates if keyboard text suggestions are allowed by the app.</Description>
+        <Occurrence>
-            <DFFormat>
+          <One />
-              <bool />
+        </Occurrence>
-            </DFFormat>
+        <Scope>
-            <Occurrence>
+          <Permanent />
-              <One />
+        </Scope>
-            </Occurrence>
+        <DFType>
-            <Scope>
+          <MIME />
-              <Permanent />
+        </DFType>
-            </Scope>
+        <CaseSense>
-            <CaseSense>
+          <CIS />
-              <CIS />
+        </CaseSense>
-            </CaseSense>
+        <MSFT:AllowedValues ValueType="ENUM">
-            <DFType>
+          <MSFT:Enum>
-              <MIME>text/plain</MIME>
+            <MSFT:Value>1</MSFT:Value>
-            </DFType>
+            <MSFT:ValueDescription>Printing is allowed</MSFT:ValueDescription>
-          </DFProperties>
+          </MSFT:Enum>
-        </Node>
+          <MSFT:Enum>
-      </Node>
+            <MSFT:Value>0</MSFT:Value>
            <MSFT:ValueDescription>Printing is not allowed</MSFT:ValueDescription>
          </MSFT:Enum>
        </MSFT:AllowedValues>
      </DFProperties>
    </Node>
    <Node>
      <NodeName>AllowTextSuggestions</NodeName>
      <DFProperties>
        <AccessType>
          <Get />
          <Replace />
        </AccessType>
        <DefaultValue>0</DefaultValue>
        <Description>Indicates if keyboard text suggestions are allowed by the app.</Description>
        <DFFormat>
          <int />
        </DFFormat>
        <Occurrence>
          <One />
        </Occurrence>
        <Scope>
          <Permanent />
        </Scope>
        <DFType>
          <MIME />
        </DFType>
        <CaseSense>
          <CIS />
        </CaseSense>
        <MSFT:AllowedValues ValueType="ENUM">
          <MSFT:Enum>
            <MSFT:Value>1</MSFT:Value>
            <MSFT:ValueDescription>Keyboard text suggestions are allowed</MSFT:ValueDescription>
          </MSFT:Enum>
          <MSFT:Enum>
            <MSFT:Value>0</MSFT:Value>
            <MSFT:ValueDescription>Keyboard text suggestions are not allowed</MSFT:ValueDescription>
          </MSFT:Enum>
        </MSFT:AllowedValues>
      </DFProperties>
    </Node>
    <Node>
      <NodeName>Assessments</NodeName>
      <DFProperties>
        <AccessType>
          <Add />
          <Delete />
          <Get />
          <Replace />
        </AccessType>
        <Description>Enables support for multiple assessments and for assessment grouping. The structure is specified by an XML.</Description>
        <DFFormat>
          <chr />
        </DFFormat>
        <Occurrence>
          <One />
        </Occurrence>
        <Scope>
          <Dynamic />
        </Scope>
        <DFType>
          <MIME />
        </DFType>
        <MSFT:Applicability>
          <MSFT:OsBuildVersion>10.0.22621.521</MSFT:OsBuildVersion>
        </MSFT:Applicability>
        <MSFT:AllowedValues ValueType="XSD">
          <MSFT:Value><![CDATA[
 <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="AssessmentsRoot">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Assessments">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="Assessment" maxOccurs="unbounded" minOccurs="0">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element type="xs:string" name="TestName"/>
                    <xs:element type="xs:string" name="TestUri"/>
                  </xs:sequence>
                </xs:complexType>
              </xs:element>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
 </xs:schema>]]></MSFT:Value>
        </MSFT:AllowedValues>
      </DFProperties>
    </Node>
  </Node>
 </MgmtTree>
 ```
-## Related topics
+## Related articles
-[SecureAssessment CSP](secureassessment-csp.md)
+[SecureAssessment configuration service provider reference](secureassessment-csp.md)
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@ -1879,7 +1879,7 @@ The name of the domain admin group to add to the administrators group on the dev
 <!-- Device-Management-GroupSid-Description-Begin -->
 <!-- Description-Source-DDF -->
-The side of the domain admin group to add to the administrators group on the device.
+The SID of the domain admin group to add to the administrators group on the device.
 <!-- Device-Management-GroupSid-Description-End -->
 <!-- Device-Management-GroupSid-Editable-Begin -->
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@ -4,7 +4,7 @@ description: Learn more about the VPNv2 CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 05/11/2023
+ms.date: 07/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -1090,7 +1090,7 @@ Nodes under SSO can be used to choose a certificate different from the VPN Authe
 <!-- Device-{ProfileName}-DeviceCompliance-Sso-Eku-Description-Begin -->
 <!-- Description-Source-DDF -->
-Comma Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
+Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication.
 <!-- Device-{ProfileName}-DeviceCompliance-Sso-Eku-Description-End -->
 <!-- Device-{ProfileName}-DeviceCompliance-Sso-Eku-Editable-Begin -->
@ -1222,7 +1222,7 @@ First, it automatically becomes an always on profile.
 Second, it doesn't require the presence or logging in of any user to the machine in order for it to connect.
-Third, no other Device Tunnel profile may be present on the same machine.
+Third, no other Device Tunnel profile maybe be present on the same machine.
 A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected.
 <!-- Device-{ProfileName}-DeviceTunnel-Description-End -->
@ -1587,7 +1587,7 @@ Boolean to determine whether this domain name rule will trigger the VPN.
 <!-- Device-{ProfileName}-DomainNameInformationList-{dniRowId}-DnsServers-Description-Begin -->
 <!-- Description-Source-DDF -->
-Comma Separated list of IP addresses for the DNS Servers to use for the domain name.
+Comma Seperated list of IP addresses for the DNS Servers to use for the domain name.
 <!-- Device-{ProfileName}-DomainNameInformationList-{dniRowId}-DnsServers-Description-End -->
 <!-- Device-{ProfileName}-DomainNameInformationList-{dniRowId}-DnsServers-Editable-Begin -->
@ -1792,7 +1792,7 @@ Web Proxy Server IP address if you are redirecting traffic through your intranet
 <!-- Device-{ProfileName}-EdpModeId-Description-Begin -->
 <!-- Description-Source-DDF -->
-Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
+Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
 <!-- Device-{ProfileName}-EdpModeId-Description-End -->
 <!-- Device-{ProfileName}-EdpModeId-Editable-Begin -->
@ -3119,7 +3119,7 @@ Type of routing policy.
 <!-- Device-{ProfileName}-NativeProfile-Servers-Description-Begin -->
 <!-- Description-Source-DDF -->
-Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
+Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
 <!-- Device-{ProfileName}-NativeProfile-Servers-Description-End -->
 <!-- Device-{ProfileName}-NativeProfile-Servers-Editable-Begin -->
@ -5387,7 +5387,7 @@ Nodes under SSO can be used to choose a certificate different from the VPN Authe
 <!-- User-{ProfileName}-DeviceCompliance-Sso-Eku-Description-Begin -->
 <!-- Description-Source-DDF -->
-Comma Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
+Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication.
 <!-- User-{ProfileName}-DeviceCompliance-Sso-Eku-Description-End -->
 <!-- User-{ProfileName}-DeviceCompliance-Sso-Eku-Editable-Begin -->
@ -5827,7 +5827,7 @@ Boolean to determine whether this domain name rule will trigger the VPN.
 <!-- User-{ProfileName}-DomainNameInformationList-{dniRowId}-DnsServers-Description-Begin -->
 <!-- Description-Source-DDF -->
-Comma Separated list of IP addresses for the DNS Servers to use for the domain name.
+Comma Seperated list of IP addresses for the DNS Servers to use for the domain name.
 <!-- User-{ProfileName}-DomainNameInformationList-{dniRowId}-DnsServers-Description-End -->
 <!-- User-{ProfileName}-DomainNameInformationList-{dniRowId}-DnsServers-Editable-Begin -->
@ -6032,7 +6032,7 @@ Web Proxy Server IP address if you are redirecting traffic through your intranet
 <!-- User-{ProfileName}-EdpModeId-Description-Begin -->
 <!-- Description-Source-DDF -->
-Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
+Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
 <!-- User-{ProfileName}-EdpModeId-Description-End -->
 <!-- User-{ProfileName}-EdpModeId-Editable-Begin -->
@ -7359,7 +7359,7 @@ Type of routing policy.
 <!-- User-{ProfileName}-NativeProfile-Servers-Description-Begin -->
 <!-- Description-Source-DDF -->
-Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
+Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
 <!-- User-{ProfileName}-NativeProfile-Servers-Description-End -->
 <!-- User-{ProfileName}-NativeProfile-Servers-Editable-Begin -->
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@ -4,7 +4,7 @@ description: Learn more about the WiFi CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 05/11/2023
+ms.date: 07/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -126,7 +126,6 @@ SSID is the name of network you're connecting to, while Profile name is the name
 |:--|:--|
 | Format | `node` |
 | Access Type | Add, Delete, Get, Replace |
 | Atomic Required | True |
 | Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
 <!-- Device-Profile-{SSID}-DFProperties-End -->
@ -485,7 +484,6 @@ SSID is the name of network you're connecting to, while Profile name is the name
 |:--|:--|
 | Format | `node` |
 | Access Type | Add, Delete, Get, Replace |
 | Atomic Required | True |
 | Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
 <!-- User-Profile-{SSID}-DFProperties-End -->
--- a/windows/client-management/mdm/wifi-ddf-file.md
+++ b/windows/client-management/mdm/wifi-ddf-file.md
@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 07/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -96,7 +96,6 @@ The following XML file contains the device description framework (DDF) for the W
          <MSFT:DynamicNodeNaming>
            <MSFT:ServerGeneratedUniqueIdentifier />
          </MSFT:DynamicNodeNaming>
          <MSFT:AtomicRequired />
        </DFProperties>
        <Node>
          <NodeName>WlanXml</NodeName>
@ -380,7 +379,6 @@ The following XML file contains the device description framework (DDF) for the W
          <MSFT:DynamicNodeNaming>
            <MSFT:ServerGeneratedUniqueIdentifier />
          </MSFT:DynamicNodeNaming>
          <MSFT:AtomicRequired />
        </DFProperties>
        <Node>
          <NodeName>WlanXml</NodeName>
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@ -12,8 +12,9 @@ ms.collection:
 - highpri
 - tier1
 ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 07/12/2023
 ---
 <!--8107263-->
 # Set up a single-app kiosk on Windows 10/11
--- a/windows/configuration/wcd/wcd-browser.md
+++ b/windows/configuration/wcd/wcd-browser.md
@ -81,7 +81,7 @@ Use *Default* to specify a name that matches one of the search providers you ent
 #### Specific region guidance
-Some countries require specific, default search providers. The following table lists the applicable countries and information for configuring the necessary search provider.
+Some countries/regions require specific, default search providers. The following table lists the applicable countries/regions and information for configuring the necessary search provider.
 >[!NOTE]
 >For Russia + Commonwealth of Independent States (CIS), the independent states consist of Russia, Ukraine, Georgia, The Republic of Azerbaijan, Republic Of Belarus, The Republic of Kazakhstan, The Kyrgyz Republic, The Republic of Moldova, The Republic of Tajikistan, The Republic of Armenia, Turkmenistan, The Republic of Uzbekistan, and Turkey.
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@ -242,49 +242,6 @@
            href: update/wufb-reports-schema-ucserviceupdatestatus.md
          - name: UCUpdateAlert
            href: update/wufb-reports-schema-ucupdatealert.md                                                                         
      - name: Monitor updates with Update Compliance
        href: update/update-compliance-monitor.md
        items:
        - name: Get started
          items: 
          - name: Get started with Update Compliance
            href: update/update-compliance-get-started.md
          - name: Update Compliance configuration script
            href: update/update-compliance-configuration-script.md
          - name: Manually configuring devices for Update Compliance
            href: update/update-compliance-configuration-manual.md
          - name: Configuring devices for Update Compliance in Microsoft Intune
            href: update/update-compliance-configuration-mem.md
        - name: Update Compliance monitoring
          items: 
          - name: Use Update Compliance
            href: update/update-compliance-using.md
          - name: Need attention report
            href: update/update-compliance-need-attention.md
          - name: Security update status report
            href: update/update-compliance-security-update-status.md
          - name: Feature update status report
            href: update/update-compliance-feature-update-status.md
          - name: Safeguard holds report
            href: update/update-compliance-safeguard-holds.md
          - name: Delivery Optimization in Update Compliance
            href: update/update-compliance-delivery-optimization.md
          - name: Data handling and privacy in Update Compliance
            href: update/update-compliance-privacy.md
        - name: Schema reference
          items:
          - name: Update Compliance schema reference
            href: update/update-compliance-schema.md
          - name: WaaSUpdateStatus
            href: update/update-compliance-schema-waasupdatestatus.md
          - name: WaaSInsiderStatus
            href: update/update-compliance-schema-waasinsiderstatus.md
          - name: WaaSDeploymentStatus
            href: update/update-compliance-schema-waasdeploymentstatus.md
          - name: WUDOStatus
            href: update/update-compliance-schema-wudostatus.md
          - name: WUDOAggregatedStatus
            href: update/update-compliance-schema-wudoaggregatedstatus.md
    - name: Troubleshooting
      items:
      - name: Resolve upgrade errors
--- a/windows/deployment/do/waas-delivery-optimization-faq.yml
+++ b/windows/deployment/do/waas-delivery-optimization-faq.yml
@ -12,7 +12,7 @@ metadata:
    - highpri
    - tier3
  ms.topic: faq
-  ms.date: 04/17/2023
+  ms.date: 07/11/2023
 title: Delivery Optimization Frequently Asked Questions
 summary: |
  **Applies to**
@ -35,7 +35,7 @@ sections:
      - question: What are the requirements if I use a proxy?
        answer: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting).
-           
+
      - question: What hostnames should I allow through my firewall to support Delivery Optimization?
        answer: | 
          **For communication between clients and the Delivery Optimization cloud service**:
@ -57,6 +57,11 @@ sections:
          For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed.
      - question: My firewall requires IP addresses and can't process FQDNs. How do I configure it to download content with Delivery Optimization?
        answer: | 
          Microsoft content, such as Windows updates, are hosted and delivered globally via Content Delivery Networks (CDNs) and Microsoft's Connected Cache (MCC) servers, which are hosted within Internet Service Provider (ISP) networks. 
          The network of CDNs and MCCs allows Microsoft to reach the scale required to meet the demand of the Windows user base. Given this delivery infrastructure changes dynamically, providing an exhaustive list of IPs and keeping it up to date isn't feasible. 
      - question: Does Delivery Optimization use multicast?
        answer: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
@ -100,7 +105,7 @@ sections:
      - question: How are downloads initiated by Delivery Optimization?
        answer: |
-         Delivery Optimization only starts when an application or service that's integrated with Delivery Optimization starts a download. For example, the Microsoft Edge browser. For more information about Delivery Optimization callers, see [Types of download content supported by Delivery Optimization](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization).
+          Delivery Optimization only starts when an application or service that's integrated with Delivery Optimization starts a download. For example, the Microsoft Edge browser. For more information about Delivery Optimization callers, see [Types of download content supported by Delivery Optimization](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization).
      - question: How does Delivery Optimization determine which content is available for peering?
        answer: |
@ -111,7 +116,7 @@ sections:
          The recommended configuration for Delivery Optimization Peer-to-Peer to work most efficiently along with cloud proxy solutions (for example, Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy.
          At a minimum, the following FQDN that is used for communication between clients and the Delivery Optimization service should be allowed with direct Internet access and bypass the cloud proxy service: 
-            - *.prod.do.dsp.mp.microsoft.com
+            - `*.prod.do.dsp.mp.microsoft.com`
          If allowing direct Internet access isn't an option, try using Group Download Mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode.
@ -119,9 +124,10 @@ sections:
        answer: |
          Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default), it does so with the HTTP downloader capabilities to optimize bandwidth usage. 
          If you'd like to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access.
-          
+          Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated.
          > [!NOTE]
-          > Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Edge browser.  If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization.
+          > Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Microsoft Edge browser.  If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization.
      - question: Delivery Optimization is using device resources and I can't tell why?
        answer: |
@ -129,4 +135,4 @@ sections:
      - question: What Delivery Optimization settings are available?
        answer: |
-          There are many different Delivery Optimization [settings](waas-delivery-optimization-reference.md) available. These settings allow you to effectively manage how Delivery Optimization is used within your environment with control s on bandwidth, time of day, etc. 
+          There are many different Delivery Optimization [settings](waas-delivery-optimization-reference.md) available. These settings allow you to effectively manage how Delivery Optimization is used within your environment with control s on bandwidth, time of day, etc. 
--- a/windows/deployment/do/waas-delivery-optimization-reference.md
+++ b/windows/deployment/do/waas-delivery-optimization-reference.md
@ -8,7 +8,7 @@ ms.localizationpriority: medium
 ms.author: carmenf
 ms.topic: article
 ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.date: 06/28/2023
 ms.collection: tier3
 ---
@ -128,11 +128,8 @@ Download mode dictates which download sources clients are allowed to use when do
 | Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
 | Internet (3) | Enable Internet peer sources for Delivery Optimization. |
 | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable, or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience over HTTP from the download's original source or a Microsoft Connected Cache server, with no peer-to-peer caching. |
-| Bypass (100) | This option is deprecated starting in Windows 11. If you want to disable peer-to-peer functionality, it's best to set DownloadMode to (0). If your device doesn’t have internet access, set Download Mode to (99). Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You don't need to set this option if you're using Configuration Manager. |
+| Bypass (100) | Starting in Windows 11, this option is deprecated. Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. If you want to disable peer-to-peer functionality, set DownloadMode to (0). If your device doesn't have internet access, set Download Mode to (99). When you set Bypass (100), the download bypasses Delivery Optimization and uses BITS instead. You don't need to set this option if you're using Configuration Manager. |
 > [!NOTE]
 > Starting in Windows 11, the Bypass option of Download Mode is deprecated.
 >
 > [!NOTE]
 > When you use Azure Active Directory tenant, AD Site, or AD Domain as the source of group IDs, the association of devices participating in the group should not be relied on for an authentication of identity of those devices.
--- a/windows/deployment/update/images/UC_tile_assessing.PNG
+++ b/windows/deployment/update/images/UC_tile_assessing.PNG
--- a/windows/deployment/update/images/UC_tile_filled.PNG
+++ b/windows/deployment/update/images/UC_tile_filled.PNG
--- a/windows/deployment/update/images/UC_workspace_DO_status.PNG
+++ b/windows/deployment/update/images/UC_workspace_DO_status.PNG
--- a/windows/deployment/update/images/UC_workspace_FU_status.PNG
+++ b/windows/deployment/update/images/UC_workspace_FU_status.PNG
--- a/windows/deployment/update/images/UC_workspace_SU_status.PNG
+++ b/windows/deployment/update/images/UC_workspace_SU_status.PNG
--- a/windows/deployment/update/images/UC_workspace_needs_attention.png
+++ b/windows/deployment/update/images/UC_workspace_needs_attention.png
--- a/windows/deployment/update/images/UC_workspace_safeguard_queries.png
+++ b/windows/deployment/update/images/UC_workspace_safeguard_queries.png
--- a/windows/deployment/update/images/uc-workspace-overview-blade.png
+++ b/windows/deployment/update/images/uc-workspace-overview-blade.png
--- a/windows/deployment/update/images/uc-workspace-safeguard-holds-device-view.png
+++ b/windows/deployment/update/images/uc-workspace-safeguard-holds-device-view.png
--- a/windows/deployment/update/images/uc-workspace-safeguard-holds-safeguard-hold-view.png
+++ b/windows/deployment/update/images/uc-workspace-safeguard-holds-safeguard-hold-view.png
--- a/windows/deployment/update/includes/wufb-reports-recommend.md
+++ b/windows/deployment/update/includes/wufb-reports-recommend.md
@ -1,14 +0,0 @@
 ---
 author: mestew
 ms.author: mstewart
 manager: aaroncz
 ms.technology: itpro-updates
 ms.prod: windows-client
 ms.topic: include
 ms.date: 12/05/2022
 ms.localizationpriority: medium
 ---
 <!--This file is shared by all Update Compliance v1 articles.  -->
 > [!Important]
 > Update Compliance was [retired](/windows/whats-new/feature-lifecycle#terminology) on March 31, 2023 and the service has been [removed](/windows/whats-new/removed-features). Update Compliance has been replaced by [Windows Update for Business reports](..\wufb-reports-overview.md). Support for Update Compliance ended on March 31, 2023. <!--7748874-->
--- a/windows/deployment/update/includes/wufb-reports-script-error-codes.md
+++ b/windows/deployment/update/includes/wufb-reports-script-error-codes.md
@ -5,58 +5,45 @@ manager: aaroncz
 ms.technology: itpro-updates
 ms.prod: windows-client
 ms.topic: include
-ms.date: 08/18/2022
+ms.date: 07/11/2023
 ms.localizationpriority: medium
 ---
-<!--This file is shared by updates/wufb-reports-configuration-script.md and the update/update-compliance-configuration-script.md articles. Headings are driven by article context.  -->
+<!--This file is shared by updates/wufb-reports-configuration-script.md and the update/update-compliance-configuration-script.md articles. Headings are driven by article context. Updated with 8099827 -->
-|Error  |Description  |
+| Error  | Description|
-|---------|---------|
+|---|---|
-| 1    | General unexpected error|
+| 1    | Unexpected error |
-| 6    | Invalid CommercialID|
+| 12    | CheckVortexConnectivity failed, check the log output for more information. |
 | 8    | Couldn't create registry key path to set up CommercialID|
 | 9    | Couldn't write CommercialID at registry key path|
 | 11    | Unexpected result when setting up CommercialID.|
 | 12    | CheckVortexConnectivity failed, check Log output for more information.|
 | 12    | Unexpected failure when running CheckVortexConnectivity.|
-| 16    | Reboot is pending on device, restart device and restart script.|
+| 16    | Reboot is pending on device. Restart the device then re rerun the script.|
 | 17    | Unexpected exception in CheckRebootRequired.|
 | 27    | Not system account. |
 | 30    | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.|
-| 34    | Unexpected exception when attempting to check  Proxy settings.|
+| 34    | Unexpected exception when attempting to check proxy settings.|
-| 35    | Unexpected exception when checking User Proxy.|
+| 35    | Unexpected exception when checking user proxy.|
-| 37    | Unexpected exception when collecting logs|
+| 37    | Unexpected exception when collecting logs.|
 | 40    | Unexpected exception when checking and setting telemetry.|
 | 41    | Unable to impersonate logged-on user.|
 | 42    | Unexpected exception when attempting to impersonate logged-on user.|
 | 43    | Unexpected exception when attempting to impersonate logged-on user.|
 | 44    | Error when running CheckDiagTrack service.|
 | 45    | DiagTrack.dll not found.|
 | 48    | CommercialID isn't a GUID|
 | 50    | DiagTrack service not running.|
-| 51    | Unexpected exception when attempting to run Census.exe|
+| 51    | Unexpected exception when attempting to run Census.exe. |
-| 52    | Couldn't find Census.exe|
+| 52    | Couldn't find Census.exe. |
 | 53    | There are conflicting CommercialID values.|
 | 54    | Microsoft Account Sign In Assistant (MSA) Service disabled.|
-| 55    | Failed to create new registry path for SetDeviceNameOptIn|
+| 55    | Failed to create new registry path for SetDeviceNameOptIn.|
-| 56    | Failed to create property for SetDeviceNameOptIn at registry path|
+| 56    | Failed to create property for SetDeviceNameOptIn at registry path.|
-| 57    | Failed to update value for SetDeviceNameOptIn|
+| 57    | Failed to update value for SetDeviceNameOptIn. |
-| 58    | Unexpected exception in SetrDeviceNameOptIn|
+| 58    | Unexpected exception in SetDeviceNameOptIn.|
 | 59    | Failed to delete LastPersistedEventTimeOrFirstBoot property at registry path when attempting to clean up OneSettings.|
 | 60    | Failed to delete registry key when attempting to clean up OneSettings.|
 | 61    | Unexpected exception when attempting to clean up OneSettings.|
-| 62    | AllowTelemetry registry key isn't of the correct type REG_DWORD|
+| 62    | AllowTelemetry registry key isn't the correct type of REG_DWORD.|
 | 63    | AllowTelemetry isn't set to the appropriate value and it couldn't be set by the script.|
-| 64    | AllowTelemetry isn't of the correct type REG_DWORD.|
+| 64    | AllowTelemetry isn't the correct type of REG_DWORD.|
 | 66    | Failed to verify UTC connectivity and recent uploads.|  
 | 67    | Unexpected failure when verifying UTC CSP.|
-| 91    | Failed to create new registry path for EnableAllowUCProcessing|
+| 99    | Device isn't Windows 10 or Windows 11.|
-| 92    | Failed to create property for EnableAllowUCProcessing at registry path|
+| 100   | Device must be Azure AD joined or hybrid Azure AD joined to use Windows Update for Business reports.|
-| 93    | Failed to update value for EnableAllowUCProcessing|
+| 101   | Check Azure AD join failed with unexpected exception.|
-| 94    | Unexpected exception in EnableAllowUCProcessing|
+| 102   | DisableOneSettingsDownloads policy shouldn't be enabled. Please disable this policy.|
 | 95 | Failed to create new registry path for EnableAllowCommercialDataPipeline |
 | 96 | Failed to create property for EnableAllowCommercialDataPipeline at registry path |
 | 97 | Failed to update value for EnableAllowCommercialDataPipeline |
 | 98 | Unexpected exception in EnableAllowCommercialDataPipeline |
 | 99    | Device isn't Windows 10.|
 | 100 | Device must be AADJ or hybrid AADJ to use Windows Update for Business reports or Update Compliance |
 | 101 | Check AADJ failed with unexpected exception |
--- a/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md
+++ b/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md
@ -1,43 +0,0 @@
 ---
 author: mestew
 ms.author: mstewart
 manager: aaroncz
 ms.technology: itpro-updates
 ms.prod: windows-client
 ms.topic: include
 ms.date: 08/10/2022
 ms.localizationpriority: medium
 ---
 <!--This file is used by update/wufb-reports-configuration-script.md articles. It was dropped from updates/wufb-reports-help.md. Headings are driven by article context.  -->
 In some cases, you may need to manually verify the device configuration has the `AllowUpdateComplianceProcessing` policy enabled. To verify the setting, use the following steps:
 1. Download and enable the **Diagnostic Data Viewer**. For more information, see [Diagnostic Data Viewer overview](/windows/privacy/diagnostic-data-viewer-overview#install-and-use-the-diagnostic-data-viewer).
   1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
   1. Under **View diagnostic data**, select **On** for the following option:
       - Windows 11: **Turn on the Diagnostic Data Viewer (uses up to 1 GB of hard drive space)**
       - Windows 10: **Turn on this setting to see your data in the Diagnostic Data Viewer. (Setting uses up to 1GB of hard drive space.)**
 1. Select **Open Diagnostic Data Viewer**.
   - If the application isn't installed, select **Get** when you're asked to download the [Diagnostic Data Viewer  from the Microsoft Store](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
   - If the application is already installed, it will open. You can either close the application before running a scan for software updates, or use the refresh button to fetch the new data after the scan is completed.
 1. Check for software updates on the client device.
    - Windows 11:
       1. Go to **Start**, select **Settings** > **Windows Update**.
       1. Select **Check for updates** then wait for the update check to complete.  
    - Windows 10:  
       1. Go to **Start**, select **Settings** > **Update & Security** > **Windows Update**.
       1. Select **Check for updates** then wait for the update check to complete.
 1. Run the **Diagnostic Data Viewer**.
   1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
   1. Under **View diagnostic data**, select **Open Diagnostic Data Viewer**.
 1. When the Diagnostic Data Viewer opens, type `SoftwareUpdateClientTelemetry` in the search field. Verify the following items:
   - The **EnrolledTenantID** field under **m365a** should equal the `CommercialID` of your Log Analytics workspace for Update Compliance. `CommercialID` is no longer required for [Windows Update for Business reports](../wufb-reports-overview.md), but the value may still be listed in this field.
   - The **MSP** field value under **protocol** should be either `16` or `18`.
   - If you need to send this data to Microsoft Support, select **Export data**.  
   :::image type="content" alt-text="Screenshot of the Diagnostic Data Viewer displaying the data from SoftwareUpdateClientTelemetry. The export data option and the fields for MSP and EnrolledTenantID are outlined in red." source="../media/wufb-reports-diagnostic-data-viewer.png" lightbox="../media/wufb-reports-diagnostic-data-viewer.png"::: 
--- a/windows/deployment/update/media/wufb-do-overview.png
+++ b/windows/deployment/update/media/wufb-do-overview.png
--- a/windows/deployment/update/media/wufb-reports-diagnostic-data-viewer.png
+++ b/windows/deployment/update/media/wufb-reports-diagnostic-data-viewer.png
--- a/windows/deployment/update/update-compliance-configuration-manual.md
+++ b/windows/deployment/update/update-compliance-configuration-manual.md
@ -1,80 +0,0 @@
 ---
 title: Manually configuring devices for Update Compliance
 manager: aaroncz
 description: Manually configuring devices for Update Compliance
 ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.topic: article
 ms.technology: itpro-updates
 ms.date: 04/01/2023
 ---
 # Manually Configuring Devices for Update Compliance
 **Applies to**
 - Windows 10
 - Windows 11
 <!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
 [!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 There are a number of requirements to consider when manually configuring devices for Update Compliance. These can potentially change with newer versions of Windows client. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
 The requirements are separated into different categories:
 1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured.
 2. Devices in every network topography must send data to the [**required endpoints**](#required-endpoints) for Update Compliance. For example, devices in both main and satellite offices, which might have different network configurations must be able to reach the endpoints.
 3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It is recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality.
 ## Required policies
 Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](/windows/client-management/mdm/) (MDM) or Group Policy. For both tables:
 - **Policy** corresponds to the location and name of the policy.
 - **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) diagnostic data, but can function off Enhanced or Full (or Optional).
 - **Function** details why the policy is required and what function it serves for Update Compliance. It will also detail a minimum version the policy is required, if any.
 ### Mobile Device Management policies
 Each MDM Policy links to its documentation in the CSP hierarchy, providing its exact location in the hierarchy and more details.
 | Policy | Data type | Value | Function |
 |--------------------------|-|-|------------------------------------------------------------|
 |**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |String |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. |
 |**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. For more information, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization). |
 |**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
 |**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
 | **System/**[**AllowUpdateComplianceProcessing**](/windows/client-management/mdm/policy-csp-system#system-allowUpdateComplianceProcessing) |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
 | **System/**[AllowCommercialDataPipeline](/windows/client-management/mdm/policy-csp-system#system-allowcommercialdatapipeline) | Integer | 1 - Enabled | Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device. |
 ### Group policies
 All Group policies that need to be configured for Update Compliance are under **Computer Configuration>Policies>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.  
 | Policy | Value | Function |
 |---------------------------|-|-----------------------------------------------------------|
 |**Configure the Commercial ID** |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) | Identifies the device as belonging to your organization. |
 |**Allow Telemetry** | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. See the following policy for more information. |
 |**Configure telemetry opt-in setting user interface** | 1 - Disable diagnostic data opt-in Settings |(in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. |
 |**Allow device name to be sent in Windows diagnostic data** | 1 - Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
 |**Allow Update Compliance processing** | 16 - Enabled | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
 | **Allow commercial data pipeline** | 1 - Enabled | Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device. |
 ## Required endpoints
 To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to allow devices to contact the below endpoints.
 <!--Using include for endpoint access requirements-->
 [!INCLUDE [Endpoints for Update Compliance](./includes/wufb-reports-endpoints.md)]
 ## Required services
 Many Windows and Microsoft services are required to ensure that not only the device can function, but Update Compliance can see device data. It is recommended that you allow all default services from the out-of-box experience to remain running. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically.
--- a/windows/deployment/update/update-compliance-configuration-mem.md
+++ b/windows/deployment/update/update-compliance-configuration-mem.md
@ -1,87 +0,0 @@
 ---
 title: Configuring Microsoft Intune devices for Update Compliance
 manager: aaroncz
 description: Configuring devices that are enrolled in Intune for Update Compliance
 ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.topic: article
 ms.technology: itpro-updates
 ms.date: 04/01/2023
 ---
 # Configuring Microsoft Intune devices for Update Compliance
 **Applies to**
 - Windows 10
 - Windows 11
 <!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
 [!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 This article is specifically targeted at configuring devices enrolled to [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) for Update Compliance, within Microsoft Intune itself. Configuring devices for Update Compliance in Microsoft Intune breaks down to the following steps:
 1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured.
 1. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance).
 > [!TIP]
 > If you need to troubleshoot client enrollment, consider deploying the [configuration script](#deploy-the-configuration-script) as a Win32 app to a few devices and reviewing the logs it creates. Additional checks are performed with the script to ensure devices are correctly configured.
 ## Create a configuration profile
 Take the following steps to create a configuration profile that will set required policies for Update Compliance:
 1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices/Windows/Configuration profiles**.
 1. On the **Configuration profiles** view, select **Create a profile**.
 1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates".
 1. For **Template name**, select **Custom**, and then press **Create**.
 1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
 1. On the **Configuration settings** page, you'll be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md).
    1. If you don't already have it, get your Commercial ID. For steps, see [Get your CommmercialID](update-compliance-get-started.md#get-your-commercialid).
    1. Add a setting for **Commercial ID** with the following values:
        - **Name**: Commercial ID
        - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace.
        - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID`
        - **Data type**: String
        - **Value**: *Set this value to your Commercial ID*
    1. Add a setting configuring the **Windows Diagnostic Data level** for devices:
        - **Name**: Allow Telemetry
        - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance.
        - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry`
        - **Data type**: Integer
        - **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*).
    1. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this setting isn't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance:
        - **Name**: Disable Telemetry opt-in interface
        - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting.
        - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx`
        - **Data type**: Integer
        - **Value**: 1
    1. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance:
        - **Name**: Allow device name in Diagnostic Data
        - **Description**: Allows device name in Diagnostic Data.
        - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData`
        - **Data type**: Integer
        - **Value**: 1
    1. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance:
        - **Name**: Allow Update Compliance Processing
        - **Description**: Opts device data into Update Compliance processing. Required to see data.
        - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing`
        - **Data type**: Integer
        - **Value**: 16
    1. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance:
        - **Name**: Allow commercial data pipeline
        - **Description**: Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device.
        - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline`
        - **Data type**: Integer
        - **Value**: 1
 1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
 1. Review and select **Create**.
 ## Deploy the configuration script
 The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is a useful tool for properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management).
 When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices that will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices.
--- a/windows/deployment/update/update-compliance-configuration-script.md
+++ b/windows/deployment/update/update-compliance-configuration-script.md
@ -1,59 +0,0 @@
 ---
 title: Update Compliance Configuration Script
 manager: aaroncz
 description: Downloading and using the Update Compliance Configuration Script
 ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.topic: article
 ms.date: 04/01/2023
 ms.technology: itpro-updates
 ---
 # Configuring devices through the Update Compliance Configuration Script
 **Applies to**
 - Windows 10
 - Windows 11
 <!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
 [!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configured devices for Update Compliance](update-compliance-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured. 
 > [!NOTE]
 > The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script does not reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), device data might not appear in Update Compliance correctly. 
 You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
 ## How this script is organized
 This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the `.bat` itself, which will then run `ConfigScript.ps1` with the parameters entered to `RunConfig.bat`. There are two ways of using the script: in **Pilot** mode or **Deployment** mode. 
 - In **Pilot** mode (`runMode=Pilot`), the script will enter a verbose mode with enhanced diagnostics, and save the results in the path defined with `logpath` in `RunConfig.bat`. Pilot mode is best for a pilot run of the script or for troubleshooting configuration.
 - In **Deployment** mode (`runMode=Deployment`), the script will run quietly. 
 ## How to use this script
 Open `RunConfig.bat` and configure the following (assuming a first-run, with `runMode=Pilot`):
 1. Define `logPath` to where you want the logs to be saved. Ensure that `runMode=Pilot`.
 2. Set `setCommercialID=true` and set the `commercialIDValue` to your [Commercial ID](update-compliance-get-started.md#get-your-commercialid).
 3. Run the script.
 4. Examine the logs for any issues. If there are no issues, then all devices with a similar configuration and network profile are ready for the script to be deployed with `runMode=Deployment`.
 5. If there are issues, gather the logs and provide them to Support.
 ## Script errors
 <!--Using include for script errors-->
 [!INCLUDE [Update Compliance script error codes](./includes/wufb-reports-script-error-codes.md)]
 ## Verify device configuration
 <!--Using include for verifying device configuration-->
 [!INCLUDE [Endpoints for Update Compliance](./includes/wufb-reports-verify-device-configuration.md)]
--- a/windows/deployment/update/update-compliance-delivery-optimization.md
+++ b/windows/deployment/update/update-compliance-delivery-optimization.md
@ -1,56 +0,0 @@
 ---
 title: Delivery Optimization in Update Compliance
 manager: aaroncz
 description: Learn how the Update Compliance solution provides you with information about your Delivery Optimization configuration.
 ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.topic: article
 ms.technology: itpro-updates
 ms.date: 04/01/2023
 ---
 # Delivery Optimization in Update Compliance
 **Applies to**
 - Windows 10
 - Windows 11
 <!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
 [!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 :::image type="content" alt-text="Screenshot of Delivery Optimization information in Update Compliance." source="images/UC_workspace_DO_status.png" lightbox="images/UC_workspace_DO_status.png":::
 The Update Compliance solution provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
 ## Delivery Optimization Status
 The Delivery Optimization Status section includes three blades:
 - The **Device Configuration** blade shows a breakdown of download configuration for each device
 - The **Content Distribution (%)** blade shows the percentage of bandwidth savings for each category
 - The **Content Distribution (GB)** blade shows the total amount of data seen from each content type broken down by the download source (peers vs non-peers).
 ## Device Configuration blade
 Devices can be set to use different download modes; these download modes determine in what situations Delivery Optimization will use peer-to-peer distribution to accomplish the downloads. The top section shows the number of devices configured to use peer-to-peer distribution in *Peering On* compared to *Peering Off* modes. The table shows a breakdown of the various download mode configurations seen in your environment. For more information about the different configuration options, see [Configure Delivery Optimization for Windows client updates](../do/waas-delivery-optimization-setup.md).
 ## Content Distribution (%) blade
 The first of two blades showing information on content breakdown, this blade shows a ring chart summarizing **Bandwidth Savings %**, which is the percentage of data received from peer sources out of the total data downloaded (for any device that used peer-to-peer distribution).
 The table breaks down the Bandwidth Savings % into specific content categories along with the number of devices seen downloading the given content type that used peer-to-peer distribution.
 ## Content Distribution (GB) blade
 The second of two blades showing information on content breakdown, this blade shows a ring chart summarizing the total bytes downloaded by using peer-to-peer distribution compared to HTTP distribution. 
 The table breaks down the number of bytes from each download source into specific content categories, along with the number of devices seen downloading the given content type that used peer-to-peer distribution.
 The download sources that could be included are:
 - LAN Bytes: Bytes downloaded from LAN Peers which are other devices on the same local network
 - Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the "Group" download mode is used)
 - HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or a Configuration Manager Distribution Point for Express Updates.
 <!--Using include file, waas-delivery-optimization-monitor.md, for shared content on DO monitoring-->
 [!INCLUDE [Monitor Delivery Optimization](../do/includes/waas-delivery-optimization-monitor.md)]
 For more information on Delivery Optimization, see [Set up Delivery Optimization for Windows](../do/waas-delivery-optimization-setup.md).
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@ -1,61 +0,0 @@
 ---
 title: Update Compliance - Feature Update Status report
 manager: aaroncz
 description: Learn how the Feature Update Status report provides information about the status of feature updates across all devices.
 ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
 ms.technology: itpro-updates
 ms.date: 04/01/2023
 ---
 # Feature Update Status
 **Applies to**
 - Windows 10
 - Windows 11
 <!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
 [!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 [ ![The Feature Update Status report.](images/UC_workspace_FU_status.png) ](images/UC_workspace_FU_status.png#lightbox)
 The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels). 
 ## Overall Feature Update Status
 The Overall Feature Update Status blade breaks down how many devices are up-to-date or not, with a special callout for how many devices are running a build that is not supported (for a full list of feature updates, check out the [Windows 10 Release Information](https://technet.microsoft.com/windows/release-info.aspx) page). The table beneath the visualization breaks devices down by Servicing Channel and operating system version, then defining whether this combination is *up-to-date*, *not up-to-date* or *out of support*. Finally, the table provides a count of devices that fall into this category.  
 ## Deployment Status by Servicing Channel
 To effectively track deployment, **Deployment Status Blades** are divided into each Servicing Channel chosen for the device. This is because Deployment for each channel will happen at different periods in time and feature updates are targeted separately for each channel. Within each Deployment Status tile, devices are aggregated on their feature update distribution, and the columns list the states each device is in.
 Refer to the following list for what each state means:
 * **Installed** devices are devices that have completed installation for the given update.
 * When a device is counted as **In Progress**, it has begun the feature update installation. 
 * Devices that are **scheduled next 7 days** are all devices that were deferred from installing the Feature update using [Windows Update for Business Settings](waas-manage-updates-wufb.md) and are set to begin installation in the next 7 days.
 * Devices that have failed the given feature update installation are counted as **Update failed**.
 * If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category.
 ## Safeguard holds
 Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Safeguard holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows client release information pages for any given release. 
 ### Queries for safeguard holds
 > [!TIP]
 > For a new Update Compliance report with additional information on safeguard holds for devices managed using the [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview), try the [Safeguard Holds report](/windows/deployment/update/update-compliance-safeguard-holds).
 The Feature Update Status report offers two queries to help you retrieve data related to safeguard holds. These queries show data for devices that are configured to send diagnostic data at the *Optional* level (previously *Full*). For Windows 10 devices, devices configured to send diagnostic data at *Enhanced* level are also included.
 The first query shows the device data for all devices that are affected by safeguard holds. The second query shows data specific to devices running the target build.
 ![Left pane showing Need Attention, Security update status, feature update status, and Windows Defender AV status, with Need Attention selected. Right pane shows the list of queries relevant to the Need Attention status, with "Devices with a safeguard hold" and "Target build distribution of devices with a safeguard hold" queries highlighted](images/UC_workspace_safeguard_queries.png)
 Update Compliance reporting will display the safeguard hold IDs for known issues affecting a device in the **DeploymentErrorCode** column. Safeguard hold IDs for publicly discussed known issues are also included in the Windows Release Health dashboard, where you can easily find information related to publicly available safeguards.
 ### Opt out of safeguard holds
 You can [opt out of safeguard holds](safeguard-opt-out.md) protecting against known issues by using the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update.  
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@ -1,129 +0,0 @@
 ---
 title: Get started with Update Compliance
 manager: aaroncz
 description: Prerequisites, Azure onboarding, and configuring devices for Update Compliance
 ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.collection:
  - highpri
  - tier2
 ms.topic: article
 ms.date: 04/01/2023
 ms.technology: itpro-updates
 ---
 # Get started with Update Compliance
 **Applies to**
 - Windows 10
 - Windows 11
 <!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
 [!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 This article introduces the high-level steps required to enroll to the Update Compliance solution and configure devices to send data to it. The following steps cover the enrollment and device configuration workflow.
 1. Ensure you can [meet the requirements](#update-compliance-prerequisites) to use Update Compliance.
 2. [Add Update Compliance](#add-update-compliance-to-your-azure-subscription) to your Azure subscription.
 3. [Configure devices](#enroll-devices-in-update-compliance)  to send data to Update Compliance.
 After you add the solution to Azure and configuring devices, it can take some time before all devices appear. For more information, see the [enrollment section](#enroll-devices-in-update-compliance). Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization.
 ## Update Compliance prerequisites
 > [!IMPORTANT]
 > Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. 
 Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites:
 - **Compatible operating systems and editions**: Update Compliance works only with Windows 10 or Windows 11 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 or Windows 11 Enterprise edition, and [Windows 10 Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions.
 - **Compatible Windows client servicing channels**: Update Compliance supports Windows client devices on the General Availability Channel and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview devices, but doesn't currently provide detailed deployment insights for them.
 - **Diagnostic data requirements**: Update Compliance requires devices to send diagnostic data at *Required* level (previously *Basic*). Some queries in Update Compliance require devices to send diagnostic data at *Optional* level (previously *Full*) for Windows 11 devices or *Enhanced* level for Windows 10 devices. To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319).
 - **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These endpoints are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md).
 - **Showing device names in Update Compliance**: For Windows 10, version 1803 or later, device names won't appear in Update Compliance unless you individually opt-in devices by using policy. The steps are outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
 - **Azure AD device join** or **hybrid Azure AD join**: All devices enrolled in Update Compliance must meet all prerequisites for enabling Windows diagnostic data processor configuration, including the Azure AD join requirement. This prerequisite will be enforced for Update Compliance starting on October 15, 2022.
 ## Add Update Compliance to your Azure subscription
 Update Compliance is offered as an Azure Marketplace application that is linked to a new or existing [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. For the following steps, you must have either an Owner or Contributor [Azure role](/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-roles) as a minimum in order to add the solution.
 > [!IMPORTANT]
 > Update Compliance is deprecated and no longer accepting any new onboarding requests. The instructions below are listed for verification and troubleshooting purposes only for existing Updates Compliance users. Update Compliance has been replaced by [Windows Update for Business reports](wufb-reports-overview.md) for monitoring compliance of updates.
 1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/). The solution was published by Microsoft and named **WaaSUpdateInsights**.
 2. Select **Get it now**.
 3. Choose an existing or configure a new Log Analytics Workspace, ensuring it is in a **Compatible Log Analytics region** from the following table. Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data.
   - [Azure Update Management](/azure/automation/automation-intro#update-management) users should use the same workspace for Update Compliance.
 4. After your workspace is configured and selected, select **Create**. You'll receive a notification when the solution has been successfully created.
 Once the solution is in place, you can use one of the following Azure roles with Update Compliance:
 - To edit and write queries, we recommend the [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role.
 - To read and only view data, we recommend the [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role.
 |Compatible Log Analytics regions |
 | ------------------------------- |
 |Australia Central |
 |Australia East |
 |Australia Southeast |
 |Brazil South |
 |Canada Central |
 |Central India |
 |Central US |
 |East Asia |
 |East US |
 |East US 2 |
 |Eastus2euap(canary) |
 |France Central |
 |Japan East |
 |Korea Central |
 |North Central US |
 |North Europe |
 |South Africa North |
 |South Central US |
 |Southeast Asia |
 |Switzerland North |
 |Switzerland West |
 |UK West |
 |UK south |
 |West Central US |
 |West Europe |
 |West US |
 |West US 2 |
 > [!NOTE]
 > It is not currently supported to programmatically enroll to Update Compliance via the [Azure CLI](/cli/azure) or otherwise. You must manually add Update Compliance to your Azure subscription.
 ### Get your CommercialID
 A `CommercialID` is a globally unique identifier assigned to a specific Log Analytics workspace. The `CommercialID` is copied to an MDM or Group Policy and is used to identify devices in your environment. The `Commercial ID` directs your clients to the Update Compliance solution in your Log Analytics workspace. You'll need this ID when you configure clients to send data to Update Compliance.
 1. If needed, sign into the [Azure portal](https://portal.azure.com).
 1. In the Azure portal, type **Log Analytics** in the search bar. As you begin typing, the list filters based on your input.
 1. Select **Log Analytics workspaces**.
 1. Select the Log Analytics workspace that you added the Update Compliance solution to.
 1. Select **Solutions** from the Log Analytics workspace, then select **WaaSUpdateInsights(&lt;Log Analytics workspace name>)** to go to the summary page for the solution. 
 1. Select **Update Compliance Settings** from the **WaaSUpdateInsights(&lt;Log Analytics workspace name>)** summary page.
 1. The **Commercial Id Key** is listed in the text box with an option to copy the ID. The **Commercial Id Key** is commonly referred to as the `CommercialID` or **Commercial ID** in Update Compliance.
   > [!Warning]
   > Regenerate a Commercial ID only if your original ID can no longer be used. Regenerating a Commercial ID requires you to deploy the new commercial ID to your computers in order to continue to collect data and can result in data loss.
 ## Enroll devices in Update Compliance
 Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are a few steps to follow when enrolling devices to Update Compliance:
 1. Check the policies, services, and other device enrollment requirements in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md).
 2. If you use [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), you can follow the enrollment process documented at [Configuring devices for Update Compliance in Microsoft Intune](update-compliance-configuration-mem.md).
 3. Finally, you should run the [Update Compliance Configuration Script](update-compliance-configuration-script.md) on all devices to ensure they're appropriately configured and troubleshoot any enrollment issues.
 After you configure devices, diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling to Update Compliance doesn't influence the rate at which required data is uploaded from devices. Device connectivity to the internet and generally how active the device is highly influences how long it will take before the device appears in Update Compliance. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. 
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@ -1,44 +0,0 @@
 ---
 title: Monitor Windows Updates and Microsoft Defender AV with Update Compliance
 manager: aaroncz
 description: You can use Update Compliance in Azure portal to monitor the progress of updates and key anti-malware protection features on devices in your network.
 ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.topic: article
 ms.technology: itpro-updates
 ms.date: 04/01/2023
 ---
 # Monitor Windows Updates with Update Compliance
 **Applies to**
 - Windows 10
 - Windows 11
 <!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
 [!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 ## Introduction
 Update Compliance enables organizations to:
 * Monitor security, quality, and feature updates for Windows 10 or Windows 11 Professional, Education, and Enterprise editions.
 * View a report of device and update issues related to compliance that need attention.
 * Check bandwidth savings incurred across multiple content types by using [Delivery Optimization](../do/waas-delivery-optimization.md).
 Update Compliance is offered through the Azure portal, and is included as part of Windows 10 or Windows 11 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). Azure Log Analytics ingestion and retention charges are not incurred on your Azure subscription for Update Compliance data.
 Update Compliance uses Windows client diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, and Delivery Optimization usage data, and then sends this data to a customer-owned [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace to power the experience.
 See the following articles in this guide for detailed information about configuring and using the Update Compliance solution:
 - [Get started with Update Compliance](update-compliance-get-started.md) provides directions on adding Update Compliance to your Azure subscription and configuring devices to send data to Update Compliance.
 - [Using Update Compliance](update-compliance-using.md) breaks down every aspect of the Update Compliance experience.
 ## Related articles
 * [Get started with Update Compliance](update-compliance-get-started.md)
 * [Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
 * [Update Compliance Schema Reference](update-compliance-schema.md)
--- a/windows/deployment/update/update-compliance-need-attention.md
+++ b/windows/deployment/update/update-compliance-need-attention.md
@ -1,52 +0,0 @@
 ---
 title: Update Compliance - Need Attention! report
 manager: aaroncz
 description: Learn how the Need attention! section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance.
 author: mestew
 ms.author: mstewart
 ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.date: 04/01/2023
 ---
 # Needs attention!
 **Applies to**
 - Windows 10
 - Windows 11
 <!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
 [!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 ![Needs attention section.](images/UC_workspace_needs_attention.png)
 The **Needs attention!** section provides a breakdown of all Windows client device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within breakdown the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but don't fit within any other main section. 
 > [!NOTE]
 > The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up.
 The different issues are broken down by Device Issues and Update Issues:
 ## Device Issues
 * **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices might be more vulnerable and should be investigated and updated.
 * **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows client it's running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows client.
 ## Update Issues
 * **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors might be transient, but should be investigated further to be sure.
 * **Canceled**: This issue occurs when a user cancels the update process.
 * **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version.
 * **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. This might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention.
 * **Progress stalled:** This issue occurs when an update is in progress, but hasn't completed over a period of 7 days.
 Selecting any of the issues will take you to a [Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue.
 > [!NOTE]
 > This blade also has a link to the [Setup Diagnostic Tool](../upgrade/setupdiag.md), a standalone tool you can use to obtain details about why a Windows client feature update was unsuccessful. 
 ## List of Queries
 The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that didn't fit within any specific section or were listed to serve as a good starting point for modification into custom queries.
--- a/windows/deployment/update/update-compliance-privacy.md
+++ b/windows/deployment/update/update-compliance-privacy.md
@ -1,63 +0,0 @@
 ---
 title: Privacy in Update Compliance
 manager: aaroncz
 description: an overview of the Feature Update Status report
 ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
 ms.technology: itpro-updates
 ms.date: 04/01/2023
 ---
 # Privacy in Update Compliance
 **Applies to**
 - Windows 10
 - Windows 11
 <!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
 [!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 Update Compliance is fully committed to privacy, centering on these tenets:
 - **Transparency:** Windows client diagnostic data events that are required for Update Compliance's operation are fully documented (see the links for additional information) so you can review them with your company's security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](/windows/configuration/diagnostic-data-viewer-overview) for details).
 - **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics.
 - **Security:** Your data is protected with strong security and encryption.
 - **Trust:** Update Compliance supports the Online Services Terms.
 > [!IMPORTANT]
 > Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. 
 ## Data flow for Update Compliance
 The data flow sequence is as follows:
 1. Diagnostic data is sent from devices to the Microsoft Diagnostic Data Management service, which is hosted in the US.
 2. An IT Administrator creates an Azure Log Analytics workspace. They then choose the location this workspace will store data and receives a Commercial ID for that workspace. The Commercial ID is added to each device in an organization by way of Group Policy, MDM or registry key.
 3. Each day Microsoft produces a "snapshot" of IT-focused insights for each workspace in the Diagnostic Data Management Service, identifying devices by Commercial ID.
 4. These snapshots are copied to transient storage, used solely for Update Compliance where they are partitioned by Commercial ID.
 5. The snapshots are then copied to the appropriate Azure Log Analytics workspace, where the Update Compliance experience pulls the information from to populate visuals.
 ## FAQ
 ### Can Update Compliance be used without a direct client connection to the Microsoft Data Management Service?
 No, the entire service is powered by Windows diagnostic data, which requires that devices have this direct connectivity.
 ### Can I choose the data center location?
 Yes for Azure Log Analytics, but no for the Microsoft Data Management Service (which is hosted in the US).
 ## Related topics
 See related topics for additional background information on privacy and treatment of diagnostic data:
 - [Windows 10 and the GDPR for IT Decision Makers](/windows/privacy/gdpr-it-guidance)
 - [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
 - [Diagnostic Data Viewer Overview](/windows/configuration/diagnostic-data-viewer-overview)
 - [Licensing Terms and Documentation](https://www.microsoft.com/licensing/docs/)
 - [Confidence in the trusted cloud](https://azure.microsoft.com/support/trust-center/)
 - [Trust Center](https://www.microsoft.com/trustcenter)
--- a/windows/deployment/update/update-compliance-safeguard-holds.md
+++ b/windows/deployment/update/update-compliance-safeguard-holds.md
@ -1,61 +0,0 @@
 ---
 title: Update Compliance - Safeguard Holds report
 manager: aaroncz
 description: Learn how the Safeguard Holds report provides information about safeguard holds in your population.
 ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
 ms.technology: itpro-updates
 ms.date: 04/01/2023
 ---
 # Safeguard Holds
 **Applies to**
 - Windows 10
 - Windows 11
 <!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
 [!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 The Safeguard Holds report provides information about devices in your population that are affected by a [safeguard hold](/windows/deployment/update/safeguard-holds). 
 Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Safeguard holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows client release information pages for any given release.
 As part of the Safeguard Holds report, Update Compliance provides aggregated and device-specific views into the safeguard holds that apply to devices in your population. These views will show data for all devices that are configured to send diagnostic data at the *Optional* level (previously *Full*). For Windows 10 devices, devices configured to send diagnostic data at *Enhanced* level are also included. If your devices are not sending the required diagnostic data, they will be excluded from these views.
 The safeguard hold report can be found in a different location from the other Update Compliance reports. To access the safeguard hold report, follow the instructions below.
 1. Navigate to your Log Analytics workspace to which Update Compliance is deployed.
 2. In the left-hand menu, select **Solutions**.
 3. Select the solution named **WaaSUpdateInsights(\<your workspace name\>)**. (This summary page is also where the Update Compliance tile is located.)
 4. In the left-hand menu, select **Workbooks**.
 5. Under the subsection **WaaSUpdateInsights**, select the workbook named **Safeguard Holds**.
 This report shows information for devices that are managed using the [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview). To view information about safeguard holds for other devices, you can use the workbook named **WaaSUpdateInsights** or the [queries for safeguard holds](/windows/deployment/update/update-compliance-feature-update-status) in the Feature Update Status report.
 ## Safeguard hold view
 ![The safeguard hold view of the Safeguard Hold report.](images/uc-workspace-safeguard-holds-safeguard-hold-view.png)
 The safeguard hold view shows which safeguard holds apply to devices in your population, and how many devices are affected by each safeguard hold. You can use the **Safeguard hold ID(s)** dropdown at the top of the report to filter the chart and corresponding table to show only the selected safeguard hold IDs. Note that a device can be affected by more than one safeguard hold. 
 ## Device view
 ![The device view of the Safeguard Hold report.](images/uc-workspace-safeguard-holds-device-view.png)
 The device view shows which devices are affected by safeguard holds. In the **Safeguard Hold IDs** column of the table, you can find a list of the safeguard holds that apply to each device. You can also use the **Safeguard hold ID(s)** dropdown at the top of the report to filter the table to show only devices affected by the selected safeguard hold IDs.
 ## Getting additional information about a safeguard hold
 For safeguard holds protecting devices against publicly discussed known issues, you can find their 8-digit identifier on the [Windows release health](/windows/release-health/) page under **Known issues** corresponding to the relevant release.
 Devices managed by the [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) that are affected by a safeguard hold for a likely issue are listed in the report with the safeguard hold ID value **00000001**.
 ## Opt out of safeguard holds
 To opt out of safeguard holds protecting against known issues, see [Opt out of safeguard holds](/windows/deployment/update/safeguard-opt-out).
 To opt out of safeguard holds protecting against likely issues (applicable to devices managed by the deployment service), see [Manage safeguards for a feature update deployment using the Windows Update for Business deployment service](/graph/windowsupdates-manage-safeguards).
--- a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
+++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
@ -1,46 +0,0 @@
 ---
 title: Update Compliance Schema - WaaSDeploymentStatus
 manager: aaroncz
 description: WaaSDeploymentStatus schema
 ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
 ms.technology: itpro-updates
 ms.date: 04/01/2023
 ---
 # WaaSDeploymentStatus
 <!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
 [!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 WaaSDeploymentStatus records track a specific update's installation progress on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, and one tracking a Windows Quality Update, at the same time.
 |Field |Type |Example |Description |
 |-|-|-----|------------------------|
 |**Computer** |[string](/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enroll devices in Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). |
 |**ComputerID** |[string](/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user managed service account is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
 |**DeferralDays** |[int](/azure/kusto/query/scalar-data-types/int) |`0` |The deferral policy for this content type or `UpdateCategory` (Windows `Feature` or `Quality`). |
 |**DeploymentError** |[string](/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there's either no string matching the error or there's no error. |
 |**DeploymentErrorCode** |[int](/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there's either no error or there's *no error code*, meaning that the issue raised doesn't correspond to an error, but some inferred issue. |
 |**DeploymentStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Failed` |The high-level status of installing this update on this device. Possible values are:<br><li> **Update completed**: Device has completed the update installation.<li> **In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.<li> **Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.<li> **Canceled**: The update was canceled.<li> **Blocked**: There's a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.<li> **Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that haven't sent any deployment data for that update will have the status `Unknown`.<li> **Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update. <li> **Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.<li> **Progress stalled**: The update is in progress, but has not completed over a period of 7 days.|
 |**DetailedStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:<br><li> **Not Started**: Update hasn't started because the device isn't targeting the latest 2 builds<li> **Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.<li> **Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.<li> **Update offered**: The device has been offered the update, but hasn't begun downloading it.<li> **Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.<li> **Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and won't resume the update until the hold has been cleared. For more information, see [Feature Update Status report](update-compliance-feature-update-status.md#safeguard-holds).<li> **Download started**: The update has begun downloading on the device.<li> **Download Succeeded**: The update has successfully completed downloading. <li> **Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.<li> **Install Started**: Installation of the update has begun.<li> **Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.<li> **Reboot Pending**: The device has a scheduled reboot to apply the update.<li> **Reboot Initiated**: The scheduled reboot has been initiated.<li> **Commit**: Changes are being committed post-reboot. This is another step of the installation process.<li> **Update Completed**: The update has successfully installed.|
 |**ExpectedInstallDate** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/28/2020, 1:00:01.318 PM`|Rather than the expected date this update will be installed, this should be interpreted as the minimum date Windows Update will make the update available for the device. This takes into account Deferrals. |
 |**LastScan** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|The last point in time that this device sent Update Session data. |
 |**OriginBuild** |[string](/azure/kusto/query/scalar-data-types/string) |`18363.719` |The build originally installed on the device when this Update Session began. |
 |**OSBuild** |[string](/azure/kusto/query/scalar-data-types/string) |`18363.719` |The build currently installed on the device. |
 |**OSRevisionNumber** |[int](/azure/kusto/query/scalar-data-types/int) |`719` |The revision of the OSBuild installed on the device. |
 |**OSServicingBranch** |[string](/azure/kusto/query/scalar-data-types/string) |`Semi-Annual` |The Servicing Branch or [Servicing Channel](./waas-overview.md#servicing-channels) the device is on. Dictates which Windows updates the device receives and the cadence of those updates. |
 |**OSVersion** |[string](/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. |
 |**PauseState** |[string](/azure/kusto/query/scalar-data-types/string) |`NotConfigured` |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Feature Updates.<br><li> **Expired**: The pause period has expired.<li> **NotConfigured**: Pause isn't configured.<li> **Paused**: The device was last reported to be pausing this content type.<li> **NotPaused**: The device was last reported to not have any pause on this content type. |
 |**RecommendedAction** |[string](/azure/kusto/query/scalar-data-types/string) | |The recommended action to take in the event this device needs attention, if any. |
 |**ReleaseName** |[string](/azure/kusto/query/scalar-data-types/string) |`KB4551762` |The KB Article corresponding to the TargetOSRevision, if any. |
 |**TargetBuild** |[string](/azure/kusto/query/scalar-data-types/string) |`18363.720` |The target OSBuild, the update being installed or considered as part of this WaaSDeploymentStatus record. |
 |**TargetOSVersion** |[string](/azure/kusto/query/scalar-data-types/string) |`1909` |The target OSVersion. |
 |**TargetOSRevision** |[int](/azure/kusto/query/scalar-data-types/int) |`720` |The target OSRevisionNumber. |
 |**TimeGenerated** |[datetime](/azure/kusto/query/scalar-data-types/datetime) |`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. |
 |**UpdateCategory** |[string](/azure/kusto/query/scalar-data-types/string) |`Quality` |The high-level category of content type this Windows Update belongs to. Possible values are **Feature** and **Quality**. |
 |**UpdateClassification** |[string](/azure/kusto/query/scalar-data-types/string) |`Security` |Similar to UpdateCategory, this more specifically determines whether a Quality update is a security update or not. |
 |**UpdateReleasedDate** |[datetime](/azure/kusto/query/scalar-data-types/datetime) |`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the time the update came available on Windows Update. |
--- a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md
+++ b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md
@ -1,34 +0,0 @@
 ---
 title: Update Compliance Schema - WaaSInsiderStatus
 manager: aaroncz
 description: WaaSInsiderStatus schema
 ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
 ms.technology: itpro-updates
 ms.date: 04/01/2023
 ---
 # WaaSInsiderStatus
 <!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
 [!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 WaaSInsiderStatus records contain device-centric data and acts as the device record for devices on Windows Insider Program builds in Update Compliance. Each record provided in daily snapshots maps to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. Insider devices have fewer fields than [WaaSUpdateStatus](update-compliance-schema-waasupdatestatus.md).
 |Field |Type |Example |Description |
 |--|--|---|--|
 |**Computer** |[string](/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this value appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](./update-compliance-get-started.md). |
 |**ComputerID** |[string](/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This value is an internal identifier used by Microsoft. A connection to the end-user managed service account is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
 |**OSArchitecture** |[string](/azure/kusto/query/scalar-data-types/string) |`amd64` |The architecture of the Operating System. |
 |**OSName** |[string](/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This value will always be Windows 10 for Update Compliance. |
 |**OSVersion** |[string](/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This value typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This value maps to the `Major` portion of OSBuild. |
 |**OSBuild** |[string](/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](/windows/release-health/release-information). |
 |**OSRevisionNumber** |[int](/azure/kusto/query/scalar-data-types/int) |`720` |An integer value for the revision number of the currently installed Windows 10 OSBuild on the device. |
 |**OSEdition** |[string](/azure/kusto/query/scalar-data-types/string) |`Enterprise` |The Windows 10 Edition or SKU. |
 |**OSFamily** |[string](/azure/kusto/query/scalar-data-types/string) |`Windows.Desktop` |The Device Family of the device. Only `Windows.Desktop` is currently supported. |
 |**OSServicingBranch** |[string](/azure/kusto/query/scalar-data-types/string) |`Semi-Annual` |The Servicing Branch or [Servicing Channel](./waas-overview.md#servicing-channels) the device is on. Dictates which Windows updates the device receives and the cadence of those updates. |
 |**TimeGenerated** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|3/22/`2020, 1:00:01.318 PM`|A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. |
 |**LastScan** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|3/22/`2020, 2:00:00.436 AM`|A DateTime corresponding to the last time the device sent data to Microsoft. This value does not necessarily mean all data that is needed to populate all fields Update Compliance uses was sent; this value is more like a "heartbeat". |
--- a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md
+++ b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md
@ -1,45 +0,0 @@
 ---
 title: Update Compliance Schema - WaaSUpdateStatus
 manager: aaroncz
 description: WaaSUpdateStatus schema
 ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
 ms.technology: itpro-updates
 ms.date: 04/01/2023
 ---
 # WaaSUpdateStatus
 <!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
 [!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 WaaSUpdateStatus records contain device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots maps to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention.
 |Field |Type |Example |Description |
 |--|-|----|------------------------|
 |**Computer** |[string](/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](./update-compliance-get-started.md). |
 |**ComputerID** |[string](/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user managed service account is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
 |**DownloadMode** |[string](/azure/kusto/query/scalar-data-types/string) |`Simple (99)` |The device's Delivery Optimization DownloadMode. To learn about possible values, see [Delivery Optimization Reference - Download mode](../do/waas-delivery-optimization-reference.md#download-mode) |
 |**FeatureDeferralDays** |[int](/azure/kusto/query/scalar-data-types/int) |`0`                        |The on-client Windows Update for Business Deferral Policy days.<br> - **<0**: A value below 0 indicates the policy is disabled. <br> - **0**: A value of 0 indicates the policy is enabled, but the deferral period is zero days.<br> - **1+**: A value of 1 and above indicates the deferral setting, in days. |
 |**FeaturePauseDays** |[int](/azure/kusto/query/scalar-data-types/int) |`0` |*Deprecated* This provides the count of days left in a pause |
 |**FeaturePauseState** |[int](/azure/kusto/query/scalar-data-types/int) |`NotConfigured` |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Feature Updates.<br><li> **Expired**: The pause period has expired.<li> **NotConfigured**: Pause is not configured.<li> **Paused**: The device was last reported to be pausing this content type.<li> **NotPaused**: The device was last reported to not have any pause on this content type. |
 |**QualityDeferralDays** |[int](/azure/kusto/query/scalar-data-types/int) |`0` |The on-client Windows Update for Business Deferral Policy days.<br><li> **<0**: A value below 0 indicates the policy is disabled. <li> **0**: A value of 0 indicates the policy is enabled, but the deferral period is zero days. <li> **1+**: A value of 1 and above indicates the deferral setting, in days. |
 |**QualityPauseDays**      |[int](/azure/kusto/query/scalar-data-types/int) |`0` |**Deprecated**. This provides the count of days left in a pause period.|
 |**QualityPauseState**     |[string](/azure/kusto/query/scalar-data-types/string)  |`NotConfigured`            |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Quality Updates.<br><li>**Expired**: The pause period has expired.<li> **NotConfigured**: Pause is not configured.<li>**Paused**: The device was last reported to be pausing this content type.<li>**NotPaused**: The device was last reported to not have any pause on this content type. |
 |**NeedAttentionStatus**   |[string](/azure/kusto/query/scalar-data-types/string)  | |Indicates any reason a device needs attention; if empty, there are no [Device Issues](./update-compliance-need-attention.md#device-issues) for this device. |
 |**OSArchitecture**        |[string](/azure/kusto/query/scalar-data-types/string)  |`amd64` |The architecture of the Operating System. |
 |**OSName**                |[string](/azure/kusto/query/scalar-data-types/string)  |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. |
 |**OSVersion**             |[string](/azure/kusto/query/scalar-data-types/string)  |`1909` |The version of Windows 10. This value typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. |
 |**OSBuild**               |[string](/azure/kusto/query/scalar-data-types/string)  |`18363.720`                |The currently installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](/windows/release-health/release-information). |
 |**OSRevisionNumber**      |[int](/azure/kusto/query/scalar-data-types/int)     |`720`                      |An integer value for the revision number of the currently installed Windows 10 OSBuild on the device. |
 |**OSCurrentStatus**       |[string](/azure/kusto/query/scalar-data-types/string)  |`Current`                  |*Deprecated* Whether or not the device is on the latest Windows Feature Update available, and the latest Quality Update for that Feature Update. |
 |**OSEdition**             |[string](/azure/kusto/query/scalar-data-types/string)  |`Enterprise`               |The Windows 10 Edition or SKU.  |
 |**OSFamily**              |[string](/azure/kusto/query/scalar-data-types/string)  |`Windows.Desktop`          |The Device Family of the device. Only `Windows.Desktop` is currently supported. |
 |**OSFeatureUpdateStatus** |[string](/azure/kusto/query/scalar-data-types/string)  |`Up-to-date`               |Indicates whether or not the device is on the latest available Windows 10 Feature Update. |
 |**OSQualityUpdateStatus** |[string](/azure/kusto/query/scalar-data-types/string)  |`Up-to-date`               |Indicates whether or not the device is on the latest available Windows 10 Quality Update (for its Feature Update). |
 |**OSSecurityUpdateStatus**|[string](/azure/kusto/query/scalar-data-types/string)  |`Up-to-date`               |Indicates whether or not the device is on the latest available Windows 10 Quality Update **that is classified as containing security fixes**. |
 |**OSServicingBranch**     |[string](/azure/kusto/query/scalar-data-types/string)  |`Semi-Annual`              |The Servicing Branch or [Servicing Channel](./waas-overview.md#servicing-channels) the device is on. Dictates which Windows updates the device receives and the cadence of those updates. |
 |**TimeGenerated**         |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. |
 |**LastScan**              |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 2:00:00.436 AM`|A DateTime corresponding to the last time the device sent data to Microsoft. This DateTime information does not necessarily mean all data that is needed to populate all fields Update Compliance uses was sent; this is more like a "heartbeat". |
--- a/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md
+++ b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md
@ -1,34 +0,0 @@
 ---
 title: Update Compliance Schema - WUDOAggregatedStatus
 manager: aaroncz
 description: WUDOAggregatedStatus schema
 ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
 ms.technology: itpro-updates
 ms.date: 04/01/2023
 ---
 # WUDOAggregatedStatus
 <!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
 [!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 WUDOAggregatedStatus records provide information, across all devices, on their bandwidth utilization for a specific content type in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq), over the past 28 days.
 These fields are briefly described in this article, to learn more about Delivery Optimization in general, check out the [Delivery Optimization Reference](../do/waas-delivery-optimization-reference.md).
 |Field |Type |Example |Description |
 |-|-|-|-|
 |**DeviceCount** |[int](/azure/kusto/query/scalar-data-types/int) |`9999` |Total number of devices in this aggregated record. |
 |**BWOptPercent28Days** |[real](/azure/kusto/query/scalar-data-types/real) |`68.72` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *across all devices*, computed on a rolling 28-day basis. |
 |**BWOptPercent7Days** |[real](/azure/kusto/query/scalar-data-types/real) |`13.58` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *across all devices*, computed on a rolling 7-day basis. |
 |**BytesFromCDN** |[long](/azure/kusto/query/scalar-data-types/long) |`254139` |Total number of bytes downloaded from a CDN versus a Peer. This counts against bandwidth optimization.|
 |**BytesFromGroupPeers** |[long](/azure/kusto/query/scalar-data-types/long) |`523132` |Total number of bytes downloaded from Group Peers. |
 |**BytesFromIntPeers** |[long](/azure/kusto/query/scalar-data-types/long) |`328350` |Total number of bytes downloaded from Internet Peers. |
 |**BytesFromPeers** |[long](/azure/kusto/query/scalar-data-types/long) |`43145` |Total number of bytes downloaded from peers. |
 |**ContentType** |[int](/azure/kusto/query/scalar-data-types/int) |`Quality Updates` |The type of content being downloaded.|
 |**DownloadMode** |[string](/azure/kusto/query/scalar-data-types/string) |`HTTP+LAN (1)` |Device's Delivery Optimization [Download Mode](../do/waas-delivery-optimization-reference.md#download-mode) configuration for this device. |
 |**TimeGenerated** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`1601-01-01T00:00:00Z` |A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace.|
--- a/windows/deployment/update/update-compliance-schema-wudostatus.md
+++ b/windows/deployment/update/update-compliance-schema-wudostatus.md
@ -1,55 +0,0 @@
 ---
 title: Update Compliance Schema - WUDOStatus
 manager: aaroncz
 description: WUDOStatus schema
 ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
 ms.technology: itpro-updates
 ms.date: 04/01/2023
 ---
 # WUDOStatus
 <!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
 [!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 > [!NOTE]
 > Currently all location-based fields are not working properly. This is a known issue.
 WUDOStatus records provide information, for a single device, on their bandwidth utilization for a specific content type in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq), and other information to create more detailed reports and splice on certain common characteristics.
 These fields are briefly described in this article, to learn more about Delivery Optimization in general, check out the [Delivery Optimization Reference](../do/waas-delivery-optimization-reference.md).
 |Field |Type |Example |Description |
 |-|-|-|-|
 |**Computer** |[string](/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](./update-compliance-get-started.md). |
 |**ComputerID** |[string](/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user managed service account is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
 |**City** |[string](/azure/kusto/query/scalar-data-types/string) | |Approximate city device was in while downloading content, based on IP Address. |
 |**Country** |[string](/azure/kusto/query/scalar-data-types/string) | |Approximate country device was in while downloading content, based on IP Address. |
 |**ISP** |[string](/azure/kusto/query/scalar-data-types/string) | |The Internet Service Provider estimation. |
 |**BWOptPercent28Days** |[real](/azure/kusto/query/scalar-data-types/real) |`68.72` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *for this device*, computed on a rolling 28-day basis. |
 |**BWOptPercent7Days** |[real](/azure/kusto/query/scalar-data-types/real) |`13.58` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *for this device*, computed on a rolling 7-day basis. |
 |**BytesFromCDN** |[long](/azure/kusto/query/scalar-data-types/long) |`254139` |Total number of bytes downloaded from a CDN versus a Peer. This counts against bandwidth optimization. |
 |**BytesFromGroupPeers** |[long](/azure/kusto/query/scalar-data-types/long) |`523132` |Total number of bytes downloaded from Group Peers. |
 |**BytesFromIntPeers** |[long](/azure/kusto/query/scalar-data-types/long) |`328350` |Total number of bytes downloaded from Internet Peers. |
 |**BytesFromPeers** |[long](/azure/kusto/query/scalar-data-types/long) |`43145` |Total number of bytes downloaded from peers. |
 |**ContentDownloadMode** |[int](/azure/kusto/query/scalar-data-types/int) |`0` |Device's Delivery Optimization [Download Mode](../do/waas-delivery-optimization-reference.md#download-mode) configuration for this content. |
 |**ContentType** |[int](/azure/kusto/query/scalar-data-types/int) |`Quality Updates` |The type of content being downloaded. |
 |**DOStatusDescription** |[string](/azure/kusto/query/scalar-data-types/string) | |A short description of DO's status, if any. |
 |**DownloadMode** |[string](/azure/kusto/query/scalar-data-types/string) |`HTTP+LAN (1)` |Device's Delivery Optimization [Download Mode](../do/waas-delivery-optimization-reference.md#download-mode) configuration for this device. |
 |**DownloadModeSrc** |[string](/azure/kusto/query/scalar-data-types/string) |`Default` |The source of the DownloadMode configuration. |
 |**GroupID** |[string](/azure/kusto/query/scalar-data-types/string) | |The DO Group ID. |
 |**NoPeersCount** |[long](/azure/kusto/query/scalar-data-types/long) | |The number of peers this device interacted with. |
 |**OSName** |[string](/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. |
 |**OSVersion** |[string](/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild.  |
 |**PeerEligibleTransfers** |[long](/azure/kusto/query/scalar-data-types/long) |`0` |Total number of eligible transfers by Peers. |
 |**PeeringStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`On` |The DO Peering Status |
 |**PeersCannotConnectCount**|[long](/azure/kusto/query/scalar-data-types/long) |`0` |The number of peers this device was unable to connect to. |
 |**PeersSuccessCount** |[long](/azure/kusto/query/scalar-data-types/long) |`0` |The number of peers this device successfully connected to. |
 |**PeersUnknownCount** |[long](/azure/kusto/query/scalar-data-types/long) |`0` |The number of peers for which there is an unknown relation. |
 |**LastScan** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`1601-01-01T00:00:00Z` |A DateTime corresponding to the last time the device sent data to Microsoft. This does not necessarily mean all data that is needed to populate all fields Update Compliance uses was sent, this is more like a "heartbeat". |
 |**TimeGenerated** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`1601-01-01T00:00:00Z` |A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. |
 |**TotalTimeForDownload** |[string](/azure/kusto/query/scalar-data-types/string) |`0:00:00` |The total time it took to download the content. |
 |**TotalTransfers** |[long](/azure/kusto/query/scalar-data-types/long) |`0` |The total number of data transfers to download this content. |
--- a/windows/deployment/update/update-compliance-schema.md
+++ b/windows/deployment/update/update-compliance-schema.md
@ -1,32 +0,0 @@
 ---
 title: Update Compliance Data Schema
 manager: aaroncz
 description: an overview of Update Compliance data schema
 ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
 ms.technology: itpro-updates
 ms.date: 04/01/2023
 ---
 # Update Compliance Schema
 <!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
 [!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 When the visualizations provided in the default experience don't fulfill your reporting needs, or if you need to troubleshoot issues with devices, it's valuable to understand the schema for Update Compliance and have a high-level understanding of the capabilities of [Azure Monitor log queries](/azure/azure-monitor/log-query/query-language) to power additional dashboards, integration with external data analysis tools, automated alerting, and more.
 The table below summarizes the different tables that are part of the Update Compliance solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](/azure/azure-monitor/log-query/get-started-queries).
 > [!NOTE]
 > Data is collected daily. The TimeGenerated field shows the time data was collected. It's added by Log Analytics when data is collected. Device data from the past 28 days is collected, even if no new data has been generated since the last time. LastScan is a clearer indicator of data freshness (that is, the last time the values were updated), while TimeGenerated indicates the freshness of data within Log Analytics.
 |Table |Category |Description |
 |--|--|--|
 |[**WaaSUpdateStatus**](update-compliance-schema-waasupdatestatus.md) |Device record |This table houses device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots maps to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. |
 |[**WaaSInsiderStatus**](update-compliance-schema-waasinsiderstatus.md) |Device record |This table houses device-centric data specifically for devices enrolled to the Windows Insider Program. Devices enrolled to the Windows Insider Program do not currently have any WaaSDeploymentStatus records, so do not have Update Session data to report on update deployment progress. |
 |[**WaaSDeploymentStatus**](update-compliance-schema-waasdeploymentstatus.md) |Update Session record |This table tracks a specific update on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, as well as one tracking a Windows Quality Update, at the same time. |
 |[**WUDOStatus**](update-compliance-schema-wudostatus.md) |Delivery Optimization record |This table provides information, for a single device, on their bandwidth utilization across content types in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq). |
 |[**WUDOAggregatedStatus**](update-compliance-schema-wudoaggregatedstatus.md) |Delivery Optimization record |This table aggregates all individual WUDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled to Delivery Optimization. |
--- a/windows/deployment/update/update-compliance-security-update-status.md
+++ b/windows/deployment/update/update-compliance-security-update-status.md
@ -1,31 +0,0 @@
 ---
 title: Update Compliance - Security Update Status report
 manager: aaroncz
 description: Learn how the Security Update Status section provides information about security updates across all devices.
 ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
 ms.technology: itpro-updates
 ms.date: 04/01/2023
 ---
 # Security Update Status
 **Applies to**
 - Windows 10
 - Windows 11
 <!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
 [!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 ![The Security Update Status report.](images/UC_workspace_SU_status.png)
 The Security Update Status section provides information about [security updates](waas-quick-start.md#definitions) across all devices. The section tile within the [Overview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update available. Meanwhile, the blades within show the percentage of devices on the latest security update for each Windows client version and the deployment progress toward the latest two security updates.  
 The **Overall Security Update Status** blade provides a visualization of devices that are and do not have the latest security updates. Below the visualization are all devices further broken down by operating system version and a count of devices that are up to date and not up to date. The **Not up to date** column also provides a count of update failures.
 The **Latest Security Update Status** and **Previous Security Update Status** tiles are stacked to form one blade. The **Latest Security Update Status** provides a visualization of the different deployment states devices are in regarding the latest update for each build (or version) of Windows client, along with the revision of that update. The **Previous Security Update Status** blade provides the same information without the accompanying visualization. 
 The rows of each tile in this section are interactive; selecting them will navigate you to the query that is representative of that row and section. 
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@ -1,92 +0,0 @@
 ---
 title: Using Update Compliance
 manager: aaroncz
 description: Learn how to use Update Compliance to monitor your device's Windows updates.
 ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.topic: article
 ms.technology: itpro-updates
 ms.date: 04/01/2023
 ---
 # Use Update Compliance
 **Applies to**
 - Windows 10
 - Windows 11
 <!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
 [!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Microsoft Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md).
 Update Compliance:
 - Provides detailed deployment monitoring for Windows client feature and quality updates.
 - Reports when devices need attention due to issues related to update deployment.
 - Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](../do/waas-delivery-optimization.md).
 - Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities.
 ## The Update Compliance tile
 After Update Compliance is successfully [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you can navigate to your log analytics workspace, select your Update Compliance deployment in the **Solutions** section, and then select  **Summary** to see this tile:
 :::image type="content" alt-text="Update Compliance tile no data." source="images/UC_tile_assessing.png":::
 When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that belongs to the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary:
 :::image type="content" alt-text="Update Compliance tile with data." source="images/UC_tile_filled.png":::
 The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was refreshed.
 ## The Update Compliance workspace
 :::image type="content" alt-text="Update Compliance workspace view." source="images/UC_workspace_needs_attention.png" lightbox="images/UC_workspace_needs_attention.png":::
 When you select this tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview blade providing a hub from which to navigate to different reports of your devices' data. 
 ### Overview blade
 ![The Overview blade.](images/uc-workspace-overview-blade.png)
 Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. Update Compliance displays distribution for all devices to help you determine if they are up to date on the following items:
 * Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows client.
 * Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability. 
 The blade also provides the time at which your Update Compliance workspace was [refreshed](#update-compliance-data-latency). 
 The following is a breakdown of the different sections available in Update Compliance:
 * [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It provides a summary of the different issues devices are facing relative to Windows client updates.
 * [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows client it is running. Selecting this section provides blades that summarize the overall status of security updates across all devices and a summary of their deployment progress towards the latest two security updates. 
 * [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows client in your environment.
 * [Delivery Optimization Status](update-compliance-delivery-optimization.md) - This section summarizes bandwidth savings incurred by utilizing Delivery Optimization in your environment. It provides a breakdown of Delivery Optimization configuration across devices, and summarizes bandwidth savings and utilization across multiple content types.
 ## Update Compliance data latency
 Update Compliance uses Windows client diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear.
 The data powering Update Compliance is refreshed every 24 hours. The last 28 days worth of data from all devices in your organization are refreshed. The entire set of data is refreshed in each daily snapshot, which means that the same data can be re-ingested even if no new data actually arrived from the device since the last snapshot. Snapshot time can be determined by the TimeGenerated field for each record, while LastScan can be used to roughly determine the freshness of each record's data.  
 | Data Type | Data upload rate from device | Data Latency |
 |--|--|--|
 |WaaSUpdateStatus | Once per day |4 hours |
 |WaaSInsiderStatus| Once per day |4 hours |
 |WaaSDeploymentStatus|Every update event (Download, install, etc.)|24-36 hours |
 |WUDOAggregatedStatus|On update event, aggregated over time|24-36 hours |
 |WUDOStatus|Once per day|12 hours |
 This means you should generally expect to see new data device data every 24 hours, except for WaaSDeploymentStatus and WUDOAggregatedStatus, which may take 36-48 hours.
 ## Using Log Analytics
 Update Compliance is built on the Log Analytics platform that is integrated into Operations Management Suite. All data in the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within Azure Portal, can deeply enhance your experience and complement Update Compliance. 
 See below for a few topics related to Log Analytics: 
 * Learn how to effectively execute custom Log Searches by referring to Microsoft Azure's excellent documentation on [querying data in Log Analytics](/azure/log-analytics/log-analytics-log-searches).
 * To develop your own custom data views in Operations Management Suite or [Power BI](https://powerbi.microsoft.com/); check out documentation on [analyzing data for use in Log Analytics](/azure/log-analytics/log-analytics-dashboards). 
 * [Gain an overview of Log Analytics' alerts](/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about. 
 ## Related topics
 [Get started with Update Compliance](update-compliance-get-started.md)
--- a/windows/deployment/update/wufb-reports-configuration-script.md
+++ b/windows/deployment/update/wufb-reports-configuration-script.md
@ -7,7 +7,7 @@ author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.topic: article
-ms.date: 02/10/2023
+ms.date: 07/11/2023
 ms.technology: itpro-updates
 ---
@ -25,23 +25,23 @@ You can download the script from the [Microsoft Download Center](https://www.mic
 ## How this script is organized
-This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the `.bat` itself, which will then run `ConfigScript.ps1` with the parameters entered to `RunConfig.bat`. There are two ways of using the script: in **Pilot** mode or **Deployment** mode. 
+This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the `.bat` itself, which will then run `ConfigScript.ps1` with the parameters entered to `RunConfig.bat`. There are two ways of using the script: in **Pilot** mode or **Deployment** mode.
 - In **Pilot** mode (`runMode=Pilot`), the script will enter a verbose mode with enhanced diagnostics, and save the results in the path defined with `logpath` in `RunConfig.bat`. Pilot mode is best for a pilot run of the script or for troubleshooting configuration.
 - In **Deployment** mode (`runMode=Deployment`), the script will run quietly.
 > [!Important]
 > [PsExec](/sysinternals/downloads/psexec) is used to run the script in the system context. Once the device is configured, remove PsExec.exe from the device.
 ## How to use this script
-Open `RunConfig.bat` and configure the following (assuming a first-run, with `runMode=Pilot`):
+Edit the `RunConfig.bat` file to configure the following variables, then run the edited .bat file:
-1. Define `logPath` to where you want the logs to be saved. Ensure that `runMode=Pilot`.
+| Variable | Allowed values and description | Example |
-1. Don't modify the [Commercial ID](update-compliance-get-started.md#get-your-commercialid) values since they're used for the earlier version of Windows Update for Business reports (Update Compliance). Leave `setCommercialID=false` and the `commercialIDValue=Unknown`.
+|---|---|---|
-1. Run the script.
+| runMode | **Pilot** (default): Verbose mode with additional diagnostics with additional logging. Pilot mode is best for a testing run of the script or for troubleshooting. <br> **Deployment**: Doesn't run any additional diagnostics or add extra logging | `runMode=Pilot` |
-1. Examine the logs for any issues. If there are no issues, then all devices with a similar configuration and network profile are ready for the script to be deployed with `runMode=Deployment`.
+| logPath | Path where the logs will be saved. The default location of the logs is `.\UCLogs`. | `logPath=C:\temp\logs` |
-1. If there are issues, gather the logs and provide them to Microsoft Support.
+| logMode | **0**: Log to the console only </br> **1** (default): Log to file and console. </br> **2**: Log to file only. | `logMode=2` |
 | DeviceNameOptIn | **true** (default): Device name is sent to Microsoft. </br> **false**: Device name isn't sent to Microsoft. | `DeviceNameOptIn=true` |
 | ClientProxy | **Direct** (default): No proxy is used. The connection to the endpoints is direct. </br> **System**: The system proxy, without authentication, is used. This type of proxy is typically configured with [netsh](/windows-server/networking/technologies/netsh/netsh-contexts) and can be verified using `netsh winhttp show proxy`.  </br> **User**: The proxy is configured through IE and it might or might not require user authentication. </br> </br> For more information, see [How the Windows Update client determines which proxy server to use to connect to the Windows Update website](https://support.microsoft.com/en-us/topic/how-the-windows-update-client-determines-which-proxy-server-to-use-to-connect-to-the-windows-update-website-08612ae5-3722-886c-f1e1-d012516c22a1) | `ClientProxy=Direct` | 
 | source | Used by the .bat file and PowerShell script to locate dependencies. It's recommended that you don't change this value. | `source=%~dp0` |
 ## Script errors
--- a/windows/deployment/update/wufb-reports-enable.md
+++ b/windows/deployment/update/wufb-reports-enable.md
@ -6,7 +6,7 @@ ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
-ms.date: 04/26/2023
+ms.date: 07/11/2023
 ms.technology: itpro-updates
 ---
@ -52,9 +52,7 @@ Windows Update for Business reports uses an [Azure Log Analytics workspaces](/az
 ## <a name="bkmk_enroll"></a> Enroll into Windows Update for Business reports
-Enroll into Windows Update for Business reports by configuring its settings through either the Azure Workbook or from the Microsoft 365 admin center. Completing the Windows Update for Business reports configuration removes needing to specify [`CommercialID`](update-compliance-get-started.md#get-your-commercialid), which was needed by Update Compliance, the predecessor of Windows Update for Business reports.
+Enroll into Windows Update for Business reports by configuring its settings through either the Azure Workbook or from the Microsoft 365 admin center. Use one of the following methods to enroll into Windows Update for Business reports:
 Use one of the following methods to enroll into Windows Update for Business reports:
 ##### <a name="bkmk_enroll-workbook"></a> Enroll through the Azure Workbook (recommended method)
--- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
+++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
@ -16,10 +16,14 @@ ms.technology: itpro-fundamentals
 **Applies to:**
 - Windows 11
 - Windows 10
 - Windows 8.1
 - Windows 8
 - Windows 7
 - Windows Server 2022
 - Windows Server 2019
 - Windows Server 2016
 - Windows Server 2012 R2
 - Windows Server 2012
 - Windows Server 2008 R2
@ -81,7 +85,7 @@ The KMS uses service (SRV) resource records in DNS to store and communicate the
 By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it.
-Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters.
+Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. All currently supported versions of Windows and Windows Server provide these priority and weight parameters.
 If the KMS host that a client computer selects doesn't respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host doesn't respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records.
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@ -54,9 +54,6 @@ In summary, the Windows 10/11 Enterprise E3 in CSP program is an upgrade offerin
 ## Compare Windows 10 Pro and Enterprise editions
 > [!NOTE]
 > The following table only lists Windows 10. More information will be available about differences between Windows 11 editions after Windows 11 is generally available.
 Windows 10 Enterprise edition has many features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management.
 ### Table 1. Windows 10 Enterprise features not found in Windows 10 Pro
@ -64,7 +61,7 @@ Windows 10 Enterprise edition has many features that are unavailable in Windows
 |Feature|Description|
 |--- |--- |
 |Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.<br><br>Credential Guard has the following features:<li>**Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.<li>**Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.<li>**Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.<li>**Improved manageability** -  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.<br><br>For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).<br><br>*Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*|
-|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<br><br>For more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
+|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<br><br>For more information, see [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
 |AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.<br><br>For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
 |Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<br><br>For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).|
 |User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.<br><br>When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.<br><br>UE-V provides the following features:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for your third-party or line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state<br><br>For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).|
@ -123,7 +120,7 @@ Now that the devices have Windows 10/11 Enterprise, you can implement Device Gua
 For more information about implementing Device Guard, see:
- [Windows Defender Application Control and virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
+- [Windows Defender Application Control and virtualization-based protection of code integrity](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
 - [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
 ### AppLocker management
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
@ -1,7 +1,7 @@
 ---
 title: Manage driver and firmware updates
 description: This article explains how you can manage driver and firmware updates with Windows Autopatch
-ms.date: 06/27/2023 
+ms.date: 07/04/2023 
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@ -18,7 +18,7 @@ ms.collection:
 # Manage driver and firmware updates (public preview)
 > [!IMPORTANT]
-> **This feature will be rolled out when Intune's rollout is complete**. This feature is in **public preview**. The feature is being actively developed, and might not be complete. You can test and use these features in production environments and provide feedback.
+> This feature is in **public preview**. The feature is being actively developed, and might not be complete. You can test and use these features in production environments and provide feedback.
 You can manage and control your driver and firmware updates with Windows Autopatch. You can choose to receive driver and firmware updates automatically, or self-manage the deployment.
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@ -1,7 +1,7 @@
 ---
 title: What is Windows Autopatch?
 description: Details what the service is and shortcuts to articles.
-ms.date: 07/11/2022
+ms.date: 07/11/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@ -23,14 +23,14 @@ Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps
 Rather than maintaining complex digital infrastructure, businesses want to focus on what makes them unique and successful. Windows Autopatch offers a solution to some of the challenges facing businesses and their people today:
- **Close the security gap**: By keeping software current, there are fewer vulnerabilities and threats to your devices.
+- **Close the security gap**: Windows Autopatch keeps software current, there are fewer vulnerabilities and threats to your devices.
- **Close the productivity gap**: By adopting features as they're made available, users get the latest tools to enhance creation and collaboration.
+- **Close the productivity gap**: Windows Autopatch adopts features as they're made available. End users get the latest tools to amplify their collaboration and work.
- **Optimize your IT admin resources**: By automating routine endpoint updates, IT pros have more time to create value.
+- **Optimize your IT admin resources**: Windows Autopatch automates routine endpoint updates. IT pros have more time to create value.
 - **On-premises infrastructure**: Transitioning to the world of software as a service (SaaS) allows you to minimize your investment in on-premises hardware since updates are delivered from the cloud.  
- **Onboard new services**: Windows Autopatch is scoped to make it easy to enroll and minimizes the time investment from your IT Admins to get started.  
+- **Onboard new services**: Windows Autopatch makes it easy to enroll and minimizes the time required from your IT Admins to get started.  
- **Minimize end user disruption**: By releasing in sequential deployment rings, and responding to reliability and compatibility signals, user disruptions due to updates are minimized.
+- **Minimize end user disruption**: Windows Autopatch releases updates in sequential deployment rings, and responding to reliability and compatibility signals, user disruptions due to updates are minimized.
-Windows Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge or Teams. By crafting careful rollout sequences and communicating with you throughout the release, your IT Admins can focus on other activities and tasks.
+Windows Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge or Teams. Windows Autopatch uses careful rollout sequences and communicates with you throughout the release, allowing your IT Admins can focus on other activities and tasks.
 ## Update management
@ -44,11 +44,11 @@ The goal of Windows Autopatch is to deliver software updates to registered devic
 | [Microsoft Edge](../operate/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. |
 | [Microsoft Teams](../operate/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. |
-For each management area, there's a set of eligibility requirements that determine if the device will receive that specific update. An example of an eligibility criteria is that the device must have access to the required network endpoints for the Windows update. It's your responsibility to ensure that devices are meeting eligibility requirements for each management area.
+For each management area, there's a set of eligibility requirements that determine if the device receives that specific update. An example of an eligibility criteria is that the device must have access to the required network endpoints for the Windows update. It's your responsibility to ensure that devices are meeting eligibility requirements for each management area.
 To determine if we're meeting our service level objectives, all eligible devices are labeled as either "Healthy" or "Unhealthy". Healthy devices are meeting the eligibility requirements for that management area and unhealthy devices aren't. If Windows Autopatch falls below any service level objective for a management area, an incident is raised. Then, we bring the service back into compliance.
-While an update is in progress, it's monitored by Windows Autopatch. Depending on the criticality of the update, the service may decide to expedite the update. If we detect an issue during release, we may pause or roll back the update. Since each management area has a different monitoring and update control capabilities, you review the documentation for each area to familiarize yourself with the service.
+Windows Autopatch monitors in-progress updates. Depending on the criticality of the update, the service may decide to expedite the update. If we detect an issue during release, we may pause or roll back the update. Since each management area has a different monitoring and update control capabilities, you review the documentation for each area to familiarize yourself with the service.
 ## Messages
@ -62,10 +62,10 @@ Microsoft remains committed to the security of your data and the [accessibility]
 | Area | Description |
 | ----- | ----- |
-| Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:<ul><li>[Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li><li>[Configure your network](../prepare/windows-autopatch-configure-network.md)</li><li>[Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)</li><li>[Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)</li></ul> |
+| Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:<ul><li>[Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li><li>[Configure your network](../prepare/windows-autopatch-configure-network.md)</li><li>[Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)</li><li>[Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)</li><li>[Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)</ul> |
-| Deploy | Once you've enrolled your tenant, this section instructs you to:<ul><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><li>[Register your devices](../deploy/windows-autopatch-register-devices.md)</li></ul> |
+| Deploy | Once you've enrolled your tenant, this section instructs you to:<ul><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><li>[Register your devices](../deploy/windows-autopatch-register-devices.md)</li><li>[Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md)</li></ul> |
-| Operate | This section includes the following information about your day-to-day life with the service:<ul><li>[Update management](../operate/windows-autopatch-update-management.md)</li><li>[Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)</li><li>[Submit a support request](../operate/windows-autopatch-support-request.md)</li><li>[Deregister a device](../operate/windows-autopatch-deregister-devices.md)</li></ul>
+| Operate | This section includes the following information about your day-to-day life with the service:<ul><li>[Update management](../operate/windows-autopatch-groups-update-management.md)</li><li>[Windows quality and feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md)</li><li>[Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)</li><li>[Submit a support request](../operate/windows-autopatch-support-request.md)</li><li>[Deregister a device](../operate/windows-autopatch-deregister-devices.md)</li></ul>
-| References | This section includes the following articles:<ul><li>[Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)</li><li>[Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)</li><li>[Privacy](../overview/windows-autopatch-privacy.md)</li><li>[Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)</li></ul> |
+| References | This section includes the following articles:<ul><li>[Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md)<li>[Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)</li><li>[Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)</li></ul> |
 ### Have feedback or would like to start a discussion?
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@ -1,7 +1,7 @@
 ---
 title: What's new 2023
 description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 06/26/2023 
+ms.date: 07/10/2023 
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: whats-new
@ -21,6 +21,14 @@ This article lists new and updated feature releases, and service releases, with
 Minor corrections such as typos, style, or formatting issues aren't listed.
 ## July 2023
 ### July service releases
 | Message center post number | Description |
 | ----- | ----- |
 | [MC628172](https://admin.microsoft.com/adminportal/home#/MessageCenter) | General Availability: New Features in Windows Autopatch |
 ## June 2023
 ### June feature releases or updates
@ -36,6 +44,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
 | Message center post number | Description |
 | ----- | ----- |
 | [MC617077](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch Public Preview: Drivers and Firmware Management |
 | [MC604889](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Expanding Windows Autopatch availability in August 2023 |
 | [MC602590](https://admin.microsoft.com/adminportal/home#/MessageCenter) | June 2023 Windows Autopatch baseline configuration update |
 | [MC591864](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Updated ticket categories to reduce how long it takes to resolve support requests |
--- a/windows/privacy/windows-10-and-privacy-compliance.md
+++ b/windows/privacy/windows-10-and-privacy-compliance.md
@ -84,10 +84,10 @@ The following table provides an overview of the privacy settings discussed earli
 | [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**<br /><br />MDM: [Experience/AllFindMyDevice](/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off |
 | [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry** (or **Allow diagnostic data** in Windows 11 or Windows Server 2022)<br /><br />MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)<br /><br />**Note**: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the state to minimize data collection is not recommended. For more information, see [Enabling the Windows diagnostic data processor configuration](#237-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration). | Required diagnostic data (Windows 10, version 1903 and later and Windows 11)<br /><br />Server editions:<br />Enhanced diagnostic data | Security (Off) and block endpoints |
 | [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**<br /><br />MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later and Windows 11) | Off |
-| Tailored Experiences | Group Policy:<br />**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**<br /><br />MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off | 
+| Tailored Experiences | Group Policy:<br />**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**<br /><br />MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off |
-| Advertising ID | Group Policy:<br />**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**<br /><br />MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off | 
+| Advertising ID | Group Policy:<br />**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**<br /><br />MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off |
-| Activity History/Timeline – Cloud Sync | Group Policy:<br />**Computer Configuration** > **System** > **OS Policies** > **Allow upload of User Activities**<br /><br />MDM: [Privacy/EnableActivityFeed](/windows/client-management/mdm/policy-csp-privacy#privacy-enableactivityfeed) | Off | Off | 
+| Activity History/Timeline – Cloud Sync | Group Policy:<br />**Computer Configuration** > **System** > **OS Policies** > **Allow upload of User Activities**<br /><br />MDM: [Privacy/EnableActivityFeed](/windows/client-management/mdm/policy-csp-privacy#privacy-enableactivityfeed) | Off | Off |
-| [Cortana](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#2-cortana-and-search) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Search** > **Allow Cortana**<br /><br />MDM: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Off | Off | 
+| [Cortana](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#2-cortana-and-search) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Search** > **Allow Cortana**<br /><br />MDM: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Off | Off |
 ### 2.3 Guidance for configuration options
@ -249,7 +249,7 @@ An administrator can configure privacy-related settings, such as choosing to onl
 * [Microsoft Trust Center: Privacy at Microsoft](https://www.microsoft.com/trust-center/privacy)
 * [Windows IT Pro Docs](/windows/#pivot=it-pro)
 * [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
-* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) 
+* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
 * [Privacy at Microsoft](https://privacy.microsoft.com/privacy-report)
 * [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md)
 * [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)
--- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
+++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
@ -188,7 +188,7 @@ The following methodology was used to derive the network endpoints:
 |Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
 ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
 ||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
-|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Yammer conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com|
+|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Viva Engage conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com|
 |Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
 |Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
 |||HTTPS/HTTP|fp.msedge.net|
--- a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md
@ -204,7 +204,7 @@ The following methodology was used to derive the network endpoints:
 |Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
 ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
 ||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
-|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Yammer conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com|
+|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Viva Engage conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com|
 |Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
 |Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
 |||HTTPS/HTTP|fp.msedge.net|
--- a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md
@ -200,7 +200,7 @@ The following methodology was used to derive the network endpoints:
 |Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
 ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
 ||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
-|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Yammer conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com|
+|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Viva Engage conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com|
 |Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
 |Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
 |||HTTPS/HTTP|fp.msedge.net|
--- a/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@ -5,7 +5,7 @@ ms.prod: windows-client
 ms.localizationpriority: medium
 author: vinaypamnani-msft
 ms.author: vinpa
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.custom: asr
 ms.technology: itpro-security
@ -21,12 +21,12 @@ ms.topic: article
 - Windows 11
 - Windows Server 2016 and higher
-Windows includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they behave more like mobile devices. In this configuration, [**Windows Defender Application Control (WDAC)**](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using [**memory integrity**](enable-virtualization-based-protection-of-code-integrity.md).
+Windows includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they behave more like mobile devices. In this configuration, [**Windows Defender Application Control (WDAC)**](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using [**memory integrity**](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md).
 > [!NOTE]
 > Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry.
-WDAC policies and memory integrity are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows devices.  
+WDAC policies and memory integrity are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows devices.
 Using WDAC to restrict devices to only authorized apps has these advantages over other solutions:
@ -44,6 +44,6 @@ WDAC has no specific hardware or software requirements.
 ## Related articles
- [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md)
+- [Windows Defender Application Control](../../threat-protection/windows-defender-application-control/windows-defender-application-control.md)
- [Memory integrity](enable-virtualization-based-protection-of-code-integrity.md)
+- [Memory integrity](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
 - [Driver compatibility with memory integrity](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865)
--- a/windows/security/application-security/application-control/toc.yml
+++ b/windows/security/application-security/application-control/toc.yml
@ -8,8 +8,8 @@ items:
  - name: UAC settings and configuration
    href: user-account-control/settings-and-configuration.md
 - name: Windows Defender Application Control and virtualization-based protection of code integrity
-  href: ../../threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+  href: introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
 - name: Windows Defender Application Control
  href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md
 - name: Smart App Control
-  href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md
+  href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/TOC.yml
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/TOC.yml
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md
@ -1,35 +1,20 @@
 ---
-title: Configure the Group Policy settings for Microsoft Defender Application Guard 
+title: Configure the Group Policy settings for Microsoft Defender Application Guard
 description: Learn about the available Group Policy settings for Microsoft Defender Application Guard.
 ms.prod: windows-client
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: vinaypamnani-msft
+ms.date: 07/11/2023
 ms.author: vinpa
 ms.date: 08/22/2022
 ms.reviewer: 
 manager: aaroncz
 ms.custom: sasr
 ms.technology: itpro-security
 ms.topic: how-to
 ---
 # Configure Microsoft Defender Application Guard policy settings
 **Applies to:**
 - Windows 10
 - Windows 11
 Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a Group Policy Object, which is linked to a domain, and then apply all those settings to every endpoint in the domain.
 Application Guard uses both network isolation and application-specific settings.
-[!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management](../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md)]
+[!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management](../../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md)]
-For more information about Microsoft Defender Application Guard (MDAG) for Edge in stand-alone mode, see [Microsoft Defender Application Guard overview](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview).
+For more information about Microsoft Defender Application Guard (MDAG) for Edge in stand-alone mode, see [Microsoft Defender Application Guard overview](md-app-guard-overview.md).
 ## Network isolation settings
@ -75,4 +60,3 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind
 These settings are located at `Administrative Templates\Windows Components\Windows Security\Enterprise Customization`. If an error is encountered, you're presented with a dialog box. By default, this dialog box only contains the error information and a button for you to report it to Microsoft via the feedback hub. However, it's possible to provide additional information in the dialog box.
 [Use Group Policy to enable and customize contact information](/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information#use-group-policy-to-enable-and-customize-contact-information).
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml
@ -2,25 +2,15 @@
 metadata:
  title: FAQ - Microsoft Defender Application Guard (Windows 10)
  description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard.
  ms.mktglfcycl: manage
  ms.sitesec: library
  ms.pagetype: security
  ms.localizationpriority: medium
  ms.prod: windows-client
  ms.technology: itpro-security
  author: vinaypamnani-msft
  ms.author: vinpa
  ms.reviewer:
  manager: aaroncz
  ms.custom: asr
  ms.topic: faq
-  ms.date: 12/31/2017
+  ms.date: 07/11/2023
 title: Frequently asked questions - Microsoft Defender Application Guard
 summary: |
-  
+
  This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.
-  
+
  ## Frequently Asked Questions
 sections:
@ -30,34 +20,34 @@ sections:
          Can I enable Application Guard on machines equipped with 4-GB RAM?
        answer: |
          We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
-          
+
          `HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
-          
+
          `HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.)
-          
+
          `HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)
-       
+
      - question: |
          My network configuration uses a proxy and I’m running into a “Cannot resolve External URLs from MDAG Browser: Error: err_connection_refused”. How do I resolve that?
        answer: |
         The manual or PAC server must be a hostname (not IP) that is neutral on the site-list. Additionally, if the PAC script returns a proxy, it must meet those same requirements.
-         
+
         To ensure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can:
-        
+
         - Verify this addition by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral.”
         - It must be an FQDN. A simple IP address won't work.
         - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard.
-        
+
      - question: |
          How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
        answer: |
          Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This annotation applies to Windows 10 Enterprise edition, version 1709 or higher. These annotations would be for the proxy policies under Network Isolation in Group Policy or Intune.
-          
+
      - question: |
          Which Input Method Editors (IME) in 19H1 aren't supported?
        answer: |
          The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard:
-          
+
          - Vietnam Telex keyboard
          - Vietnam number key-based keyboard
          - Hindi phonetic keyboard
@ -70,7 +60,7 @@ sections:
          - Gujarati phonetic keyboard
          - Odia phonetic keyboard
          - Punjabi phonetic keyboard
-          
+
      - question: |
          I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
        answer: |
@ -80,19 +70,19 @@ sections:
          What is the WDAGUtilityAccount local account?
        answer: |
          WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It's NOT a malicious account. It requires *Logon as a service* permissions to be able to function correctly. If this permission is denied, you might see the following error:
-          
+
          **Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000**
-          
+
      - question: |
          How do I trust a subdomain in my site list?
        answer: |
          To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). These two dots prevent sites such as `fakesitecontoso.com` from being trusted.
-          
+
      - question: |
          Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
        answer: |
          When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode doesn't. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md).
-          
+
      - question: |
          Is there a size limit to the domain lists that I need to configure?
        answer: |
@ -107,15 +97,15 @@ sections:
          Why do the Network Isolation policies in Group Policy and CSP look different?
        answer: |
          There's not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
-          
+
          - Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources**
-          
+
          - Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)**
-          
+
          - For EnterpriseNetworkDomainNames, there's no mapped CSP policy.
-          
+
          Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard doesn't work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
-          
+
      - question: |
          Why did Application Guard stop working after I turned off hyperthreading?
        answer: |
@ -130,70 +120,70 @@ sections:
          Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file?
        answer: |
          This issue is a known one. To mitigate this issue, you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources:
-          
+
-          - [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md)
+          - [Create an inbound icmp rule](../../../operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md)
-          - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
+          - [Open Group Policy management console for Microsoft Defender Firewall](../../../operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
          ### First rule (DHCP Server)
          - Program path: `%SystemRoot%\System32\svchost.exe`
-          
+
          - Local Service: `Sid:  S-1-5-80-2009329905-444645132-2728249442-922493431-93864177  (Internet Connection Service (SharedAccess))`
-          
+
          - Protocol UDP
-          
+
          - Port 67
-          
+
          ### Second rule (DHCP Client)
          This rule is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps:
-          
+
          1. Right-click on inbound rules, and then create a new rule.
-          
+
          2. Choose **custom rule**.
-          
+
          3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`.
-          
+
          4. Specify the following settings:
              - Protocol Type: UDP
              - Specific ports: 67
              - Remote port: any
-          
+
          5. Specify any IP addresses.
-          
+
          6. Allow the connection.
-          
+
          7. Specify to use all profiles.
-          
+
          8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
-          
+
          9. In the **Programs and services** tab, under the **Services** section, select **settings**.
-          
+
          10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
-          
+
      - question: |
          How can I disable portions of Internet Connection Service (ICS) without breaking Application Guard?
        answer: |
          ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We don't recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
-          
+
          1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.
-          
+
          2. Disable IpNat.sys from ICS load as follows: <br/>
          `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`
-          
+
          3. Configure ICS (SharedAccess) to be enabled as follows: <br/>
          `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`
-          
+
          4. (This step is optional) Disable IPNAT as follows: <br/>
          `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`
-          
+
          5. Reboot the device.
-          
+
      - question: |
          Why doesn't the container fully load when device control policies are enabled?
        answer: |
          Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly.
-          
+
          Policy: Allow installation of devices that match any of the following device IDs:
-          
+
          - `SCSI\DiskMsft____Virtual_Disk____`
          - `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba`
          - `VMS_VSF`
@ -206,7 +196,7 @@ sections:
          - `root\storvsp`
          - `vms_vsmp`
          - `VMS_PP`
-          
+
          Policy: Allow installation of devices using drivers that match these device setup classes
          - `{71a27cdd-812a-11d0-bec7-08002be2092f}`
@ -218,25 +208,25 @@ sections:
          1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`.
          2. Reboot the device.
-          
+
      - question: |
          What does the _Allow users to trust files that open in Microsoft Defender Application Guard_ option in the Group policy do?
        answer: |
          This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Edge or Office.
-         
+
      - question: |
          How do I open a support ticket for Microsoft Defender Application Guard?
        answer: |
         - Visit [Create a new support request](https://support.serviceshub.microsoft.com/supportforbusiness/create).
         - Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best describes the issue, select, **Windows Security Technologies**. In the final option, select **Windows Defender Application Guard**.
-         
+
      - question: |
          Is there a way to enable or disable the behavior where the host Edge tab auto-closes when navigating to an untrusted site?
        answer: |
          Yes. Use this Edge flag to enable or disable this behavior: `--disable-features="msWdagAutoCloseNavigatedTabs"`
-          
+
 additionalContent: |
  ## See also
-  
+
  [Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md)
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-allow-root-certificates.png
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-allow-root-certificates.png
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-clipboard.png
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-clipboard.png
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-download.png
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-download.png
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-network-isolation-neutral.png
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-network-isolation-neutral.png
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-network-isolation.png
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-network-isolation.png
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-persistence.png
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-persistence.png
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-print.png
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-print.png
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-turn-on.png
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-turn-on.png
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-vgpu.png
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-vgpu.png
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-hardware-isolation.png
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-hardware-isolation.png
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-new-window.png
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-new-window.png
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-turned-on-with-trusted-site.png
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-turned-on-with-trusted-site.png
--- a/Show More
+++ b/Show More