Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into other-prods-8743531

2025-05-12 13:27:23 +00:00 · 2024-02-14 09:55:41 -08:00 · 2024-02-14 09:55:41 -08:00 · 2cb59c4b6c
commit 2cb59c4b6c
parent 74c1f6d284 6c1c3e1b7a
17 changed files with 1082 additions and 903 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -12864,6 +12864,21 @@
      "source_path": "windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md",
      "redirect_url": "/windows/deployment/upgrade/resolve-windows-upgrade-errors",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/deployment/windows-10-deployment-scenarios.md",
      "redirect_url": "/windows/deployment/windows-deployment-scenarios",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/deployment/windows-10-subscription-activation.md",
      "redirect_url": "/windows/deployment/windows-subscription-activation",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/deployment/windows-10-enterprise-e3-overview.md",
      "redirect_url": "/windows/deployment/windows-enterprise-e3-overview",
      "redirect_document_id": false
    }
  ]
 }
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@ -4,7 +4,7 @@
    - name: Get started
      items:
        - name: Windows client deployment scenarios
-          href: windows-10-deployment-scenarios.md
+          href: windows-deployment-scenarios.md
        - name: Quick guide to Windows as a service
          href: update/waas-quick-start.md
        - name: Windows as a service overview
@ -175,9 +175,9 @@
    - name: Activate
      items:
      - name: Windows subscription activation
-        href: windows-10-subscription-activation.md
+        href: windows-subscription-activation.md
      - name: Windows Enterprise E3 in CSP
-        href: windows-10-enterprise-e3-overview.md
+        href: windows-enterprise-e3-overview.md
      - name: Configure VDA for subscription activation
        href: vda-subscription-activation.md
      - name: Deploy Windows Enterprise licenses
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@ -1,6 +1,6 @@
 ---
 title: Deploy Windows Enterprise licenses
-description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows Enterprise E3 or E5 subscription activation, or for Windows Enterprise E3 in CSP.
+description: Steps to deploy Windows Enterprise licenses for Windows Enterprise E3 or E5 subscription activation, or for Windows Enterprise E3 in CSP.
 author: frankroj
 ms.author: frankroj
 manager: aaroncz
@ -11,17 +11,18 @@ ms.topic: how-to
 ms.collection:
  - highpri
  - tier2
 ms.date: 02/13/2024
 zone_pivot_groups: windows-versions-11-10
 appliesto:
-  - ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
-  - ✅ <b>Windows 11</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ms.date: 11/14/2023
 ---
 # Deploy Windows Enterprise licenses
-This article describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [subscription activation](windows-10-subscription-activation.md) or [Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Microsoft Entra ID.
+This article describes how to deploy Windows Enterprise E3 or E5 licenses with [subscription activation](windows-subscription-activation.md) or [Enterprise E3 in CSP](windows-enterprise-e3-overview.md) and Microsoft Entra ID.
-These activation features require a supported and licensed version of Windows 10 Pro or Windows 11 Pro:
+These activation features require a supported and licensed version of Windows Pro:
 - Subscription activation with an enterprise agreement (EA) or a Microsoft Products & Services Agreement (MPSA).
 - Enterprise E3 in CSP.
@ -30,9 +31,9 @@ These activation features require a supported and licensed version of Windows 10
 ## Enable subscription activation with an existing EA
-If you're an EA customer with an existing Microsoft 365 tenant, use the following steps to enable Windows subscription licenses on your existing tenant:
+EA customers with an existing Microsoft 365 tenant can use the following steps to enable Windows subscription licenses on the existing tenant:
-1. Work with your reseller to place an order for one $0 SKU per user. As of October 1, 2022, there are three SKUs available, depending on your current Windows Enterprise SA license:
+1. Work with the reseller to place an order for one $0 SKU per user. As of October 1, 2022, there are three SKUs available, depending on the current Windows Enterprise SA license:
    | SKU | Description |
    |---------|---------|
@ -41,13 +42,14 @@ If you're an EA customer with an existing Microsoft 365 tenant, use the followin
    | **VRM-00001** | `Win OLS Activation User GCC Sub Per User` <!-- 6783128 --> |
    > [!NOTE]
-    > As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants.<!-- 6783128 -->
+    >
    > As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants. <!-- 6783128 -->
-1. After an order is placed, the OLS admin on the agreement will receive a service activation email, which indicates the subscription licenses have been provisioned on the tenant.
+1. After an order is placed, the OLS admin on the agreement will receive a service activation email, which indicates the subscription licenses is provisioned on the tenant.
-1. You can now assign subscription licenses to users.
+1. Subscription licenses can now be assigned to users.
-If you need to update contact information and resend the activation email, use the following process:
+To update contact information and resend the activation email, use the following process:
 1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
@ -55,257 +57,475 @@ If you need to update contact information and resend the activation email, use t
 1. Select **Online Services Agreement List**.
-1. Enter your agreement number, and then select **Search**.
+1. Enter the agreement number, and then select **Search**.
 1. Select the **Service Name**.
 1. In the **Subscription Contact** section, select the name listed under **Last Name**.
-1. Update the contact information, then select **Update Contact Details**. This action will trigger a new email.
+1. Update the contact information, then select **Update Contact Details**. This action triggers a new email.
 ## Preparing for deployment: reviewing requirements
- Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro
+- Devices must be running a supported version of Windows Pro.
 - Microsoft Entra joined, or hybrid domain joined with Microsoft Entra Connect. Customers who are federated with Microsoft Entra ID are also eligible.
 For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this article.
 <a name='active-directory-synchronization-with-azure-ad'></a>
 ### Active Directory synchronization with Microsoft Entra ID
-If you have an on-premises Active Directory Domain Services (AD DS) domain, you need to synchronize the identities in the on-premises AD DS domain with Microsoft Entra ID. This synchronization is required for users to have a _single identity_ that they can use to access their on-premises apps and cloud services that use Microsoft Entra ID. An example of a cloud service is Windows Enterprise E3 or E5.
+If there's an on-premises Active Directory Domain Services (AD DS) domain, identities in the on-premises AD DS domain need to be synchronized with Microsoft Entra ID. This synchronization is required for users to have a _single identity_ that they can use to access their on-premises apps and cloud services that use Microsoft Entra ID. An example of a cloud service is Windows Enterprise E3 or E5.
 **Figure 1** illustrates the integration between the on-premises AD DS domain with Microsoft Entra ID. Microsoft Entra Connect is responsible for synchronization of identities between the on-premises AD DS domain and Microsoft Entra ID. Microsoft Entra Connect is a service that you can install on-premises or in a virtual machine in Azure.
 :::image type="content" source="images/enterprise-e3-ad-connect.png" alt-text="Figure 1 illustrates the integration between the on-premises AD DS domain with Azure AD.":::
 Figure 1: On-premises AD DS integrated with Microsoft Entra ID
 For more information about integrating on-premises AD DS domains with Microsoft Entra ID, see the following resources:
 - [Configure Microsoft Entra hybrid join](/entra/identity/devices/how-to-hybrid-join)
 - [What is hybrid identity with Microsoft Entra ID?](/azure/active-directory/hybrid/whatis-hybrid-identity)
 - [Microsoft Entra Connect and Microsoft Entra Connect Health installation roadmap](/azure/active-directory/hybrid/how-to-connect-install-roadmap)
 ## Assigning licenses to users
-After you've ordered the Windows subscription (Windows 10 Business, E3 or E5), you'll receive an email with guidance on how to use Windows as an online service:
+After the Windows subscription is ordered, an email is sent with guidance on how to use Windows as an online service. The following methods are available to assign licenses:
-:::image type="content" source="images/al01.png" alt-text="An example email from Microsoft to complete your profile after purchasing Online Services through Microsoft Volume Licensing.":::
+- When the required Microsoft Entra subscription is available, [group-based licensing](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
-The following methods are available to assign licenses:
+- Licenses can be manually assigned by signing into the [Microsoft 365 admin center](https://admin.microsoft.com/).
-
+- Licenses can be assigned by uploading a spreadsheet.
- When you have the required Microsoft Entra subscription, [group-based licensing](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
+- Licenses can be assigned via [PowerShell](/microsoft-365/enterprise/assign-licenses-to-user-accounts-with-microsoft-365-powershell).
 - You can sign in to the Microsoft 365 admin center and manually assign licenses:
    :::image type="content" source="images/al02.png" alt-text="A screenshot of the admin center, showing assignment of the Windows 10 Enterprise E3 product license to a specific user.":::
 - You can assign licenses by uploading a spreadsheet.
 - [How to use PowerShell to automatically assign licenses to your Microsoft 365 users](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx).
 > [!TIP]
 > Other solutions may exist from the community. For example, a Microsoft MVP shared the following process: [Assign EMS licenses based on local Active Directory group membership](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/).
 ## Explore the upgrade experience
-Now that you've established a subscription and assigned licenses to users, you can upgrade devices running supported versions of Windows 10 Pro or Windows 11 Pro to Enterprise edition.
+Now that a subscription is established and licenses are assigned to users, devices running supported versions of Windows Pro can be upgraded to Enterprise edition.
-> [!NOTE]
+> [!TIP]
-> The following experiences are specific to Windows 10. The general concepts also apply to Windows 11.
+>
-
+> This upgrade experience walkthrough assumes Autopilot isn't being used. For the Autopilot experience when joining Microsoft Entra ID, see [User-driven Microsoft Entra join: Deploy the device](/autopilot/tutorial/user-driven/azure-ad-join-deploy-device).
 <a name='step-1-join-windows-pro-devices-to-azure-ad'></a>
 ### Step 1: Join Windows Pro devices to Microsoft Entra ID
-You can join a Windows Pro device to Microsoft Entra ID during setup, the first time the device starts. You can also join a device that's already set up.
+The first time the device starts, a Windows Pro device can join Microsoft Entra ID during setup. Existing devices can also join Microsoft Entra ID.
-<a name='join-a-device-to-azure-ad-the-first-time-the-device-is-started'></a>
+#### Join a device to Microsoft Entra ID during OOBE when the device is started for the first time
-#### Join a device to Microsoft Entra ID the first time the device is started
+::: zone pivot="windows-11"
-1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then select **Next**.
+1. Power on the device for the first time to initiate Windows Setup and the Out of Box experience (OOBE).
-    :::image type="content" source="images/enterprise-e3-who-owns.png" alt-text="A screenshot of the 'Who owns this PC?' page in Windows 10 setup.":::
+1. In the **Is this the right country or region?** screen, select the desired country/region and then select the **Yes** button.
-    Figure 2: The "Who owns this PC?" page in initial Windows 10 setup.
+1. In the **Is this the right keyboard layout or input method?** screen, select the desired keyboard/input methods and then select the **Yes** button.
-1. On the **Choose how you'll connect** page, select **Join Microsoft Entra ID**, and then select **Next**.
+1. In the **Want to add a second keyboard layout?** screen, if desired add additional keyboard/input methods by selecting **Add layout**. Otherwise select the **Skip** button.
-    :::image type="content" source="images/enterprise-e3-choose-how.png" alt-text="A screenshot of the 'Choose how you'll connect' page in Windows 10 setup.":::
+1. If no network connection is detected, the **Let's connect you to a network** screen appears. Connect to a wireless or wired network that has Internet access, and then select the **Next** button.
-    Figure 3: The "Choose how you'll connect" page in initial Windows 10 setup.
+1. At this point, updates for Windows Setup might be installed. If updates are installed, the device reboots to finish installing the updates.
-1. On the **Let's get you signed in** page, enter your Microsoft Entra credentials, and then select **Sign in**.
+1. In Windows 11 Pro editions, the **Let's name your device** screen appears. Give the device a name and then select the **Next** button. After the device is given a name, the device might reboot.
-    :::image type="content" source="images/enterprise-e3-lets-get.png" alt-text="A screenshot of the 'Let's get you signed in' page in Windows 10 setup.":::
+1. In Windows 11 Pro editions, the **How would you like to set up this device?** screen appears. Select **Set up for work or school** and then select the **Next** button.
-    Figure 4: The "Let's get you signed in" page in initial Windows 10 setup.
+1. In the **Let's set things up for your work or school** screen:
-Now the device is Microsoft Entra joined to the organization's subscription.
+    1. In the **someone@example.com** text box under **Sign in**, enter the username for the Microsoft Entra user account, and then select the **Next** button. The username is in the email format of user@domain.com.
-<a name='join-a-device-to-azure-ad-when-the-device-is-already-set-up-with-windows-10-pro'></a>
+    1. In the **Password** text box under **Enter password**, enter the password for the Microsoft Entra user account, and then select the **Sign in** button.
-#### Join a device to Microsoft Entra ID when the device is already set up with Windows 10 Pro
+1. The device proceeds with the rest of the Windows setup including configuration of organization specific settings.
 1. In the **Choose privacy settings for your device** screen, configure privacy settings as desired, using the **Next** button to go between settings. Once complete, select the **Accept** button.
 1. Depending on the device and the configuration of organization specific settings, additional screens might appear. For example, the **Windows Hello** screen might appear.
 ::: zone-end
 ::: zone pivot="windows-10"
 1. Power on the device for the first time to initiate Windows Setup and the Out of Box experience (OOBE).
 1. In the **Let's start with region. Is this right?** screen, select the desired country/region and then select the **Yes** button.
 1. In the **Is this the right keyboard layout?** screen, select the desired keyboard/input methods and then select the **Yes** button.
 1. In the **Want to add a second keyboard layout?** screen, if desired add additional keyboard/input methods by selecting the **Add layout** button. Otherwise select the **Skip** button.
 1. If no network connection is detected, the **Let's connect you to a network** screen appears. Connect to a wireless or wired network that has Internet access, and then select the **Next** button.
 1. At this point, updates for Windows Setup might be installed. If updates are installed, the device reboots to finish installing the updates.
 1. In Windows 10 Pro editions, the **How would you like to set up?** screen appears. Select **Set up for an organization** and then select the **Next** button.
 1. In the **Sign in with Microsoft** screen, in the **someone@example.com** text box, enter the username for the Microsoft Entra user account, and then select the **Next** button. The username is in the email format of user@domain.com.
 1. In the **Enter your password** screen, in the **Password** text box, enter the password for the Microsoft Entra user account, and then select the **Next** button.
 1. The device proceeds with the rest of the Windows setup including configuration of organization specific settings.
 1. In the **Choose privacy settings for your device** screen, configure privacy settings as desired. Once complete, select the **Accept** button.
 1. Depending on the device and the configuration of organization specific settings, additional screens might appear. For example, the **Windows Hello** screen might appear.
 ::: zone-end
 Once Windows Setup finishes, the user is automatically signed in and the device is Microsoft Entra joined to the organization's subscription.
 #### Join a device to Microsoft Entra ID when the device is already set up with Windows
 > [!IMPORTANT]
-> Make sure that the user you're signing in with is _not_ the **BUILTIN/Administrator** account. That user can't use the `+ Connect` action to join a work or school account.
+>
 > Make sure that the user signing in isn't the **BUILTIN/Administrator** account. That user can't use the `+ Connect` action to join a work or school account.
-1. Go to **Settings**, select **Accounts**, and select **Access work or school**.
+Open the **Accounts** > **Access work or school** pane in the **Settings** app by selecting the following link:
-    :::image type="content" source="images/enterprise-e3-connect-to-work-or-school.png" alt-text="A screenshot of the 'Connect to work or school' settings page.":::
+> [!div class="nextstepaction"]
 > [Activation](ms-settings:workplace)
-    Figure 5: "Connect to work or school" configuration in Settings.
+or
-1. In **Set up a work or school account**, select **Join this device to Microsoft Entra ID**.
+1. Right-click on the **Start** menu and select **Run**.
-    :::image type="content" source="images/enterprise-e3-set-up-work-or-school.png" alt-text="A screenshot of the 'Set up a work or school account' wizard.":::
+1. In the **Run** window, next to **Open:**, enter:
-    Figure 6: Set up a work or school account.
+   ```console
   ms-settings:workplace
   ```
-1. On the **Let's get you signed in** page, enter your Microsoft Entra credentials, and then select **Sign in**.
+   and then select **OK**.
-    :::image type="content" source="images/enterprise-e3-lets-get-2.png" alt-text="A screenshot of the 'Let's get you signed in' window.":::
+or
-    Figure 7: The "Let's get you signed in" window.
+::: zone pivot="windows-11"
-Now the device is Microsoft Entra joined to the organization's subscription.
+1. Right-click on the **Start** menu and select **Settings**.
 1. In the **Settings** app, select **Accounts** in the left hand pane.
 1. In the **Accounts** pane, select **Access work or school**.
 Once the **Accounts > Access work or school** pane is open:
 1. In the **Accounts > Access work or school** pane, next to **Add a work or school account**, select the **Connect** button.
 1. In the **Microsoft account** window that opens:
    1. In the **Set up a work or school account** page, under **Alternate actions:**, select **Join this device to Microsoft Entra ID**.
    1. In the **Email or phone** text box of the **Sign in** page, enter the username for the Microsoft Entra user account, and then select the **Next** button. The username is in the email format of user@domain.com.
    1. In the **Password** text box of the **Enter password** page, enter the password for the Microsoft Entra user account, and then select the **Sign in** button.
    1. When the **Make sure this is your organization** window opens, confirm the information is correct and then select the **Join** button.
    1. The device joins the organization's Microsoft Entra ID subscription. Once complete, the **You're all set!** page is displayed. Select the **Done** button to complete the process.
 ::: zone-end
 ::: zone pivot="windows-10"
 1. Right-click on the **Start** menu and select **Settings**.
 1. In the **Settings** app, select **Accounts**.
 1. In the left hand pane, select **Access work or school**.
 Once the **Access work or school** pane is open:
 1. In the **Access work or school** pane, select the **+** button next to **Connect**.
 1. In the **Microsoft account** window that opens:
    1. In the **Set up a work or school account** page, under **Alternate actions:**, select **Join this device to Microsoft Entra ID**.
    1. In the **Email or phone** text box of the **Sign in** page, enter the username for the Microsoft Entra user account, and then select the **Next** button. The username is in the email format of user@domain.com.
    1. In the **Password** text box of the **Enter password** page, enter the password for the Microsoft Entra user account, and then select the **Sign in** button.
    1. When the **Make sure this is your organization** window opens, confirm the information is correct and then select the **Join** button.
    1. The device joins the organization's Microsoft Entra subscription. Once complete, the **You're all set!** page is displayed. Select the **Done** button to complete the process.
 ::: zone-end
 The device is now Microsoft Entra joined to the organization's subscription.
 ### Step 2: Pro edition activation
-If the device is running a supported version of Windows 10 or Windows 11, it automatically activates Windows Enterprise edition using the firmware-embedded activation key.
+Windows Pro has to be activated on the device. However, if the device is running a currently supported version of Windows, most modern devices automatically activates Windows Pro edition using the firmware-embedded activation key.
 <a name='step-3-sign-in-using-azure-ad-account'></a>
 ### Step 3: Sign in using Microsoft Entra account
-Once the device is joined to Microsoft Entra ID, users will sign in with their Microsoft Entra account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
+Once the device is joined to Microsoft Entra ID and Windows Setup/OOBE completes, the user signs in with their Microsoft Entra account. Once the user signs in with their Microsoft Entra account, the Windows Enterprise E3 or E5 license associated with the user enables Windows Enterprise edition capabilities on the device.
 :::image type="content" source="images/enterprise-e3-sign-in.png" alt-text="A screenshot of signing in to Windows 10 as a Microsoft Entra user.":::
 Figure 8: Sign in to Windows 10 with a Microsoft Entra account.
 ### Step 4: Verify that Enterprise edition is enabled
-To verify the Windows Enterprise E3 or E5 subscription, go to **Settings**, select **Update & Security**, and select **Activation**.
+To verify the Windows Enterprise E3 or E5 subscription:
-:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt-text="A screenshot of verifying Windows 10 Enterprise activation in Settings.":::
+Open the **Activation** pane in the **Settings** app by selecting the following link:
-Figure 9: Verify Windows 10 Enterprise subscription in Settings.
+> [!div class="nextstepaction"]
 > [Activation](ms-settings:activation)
-If there are any problems with the Windows Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
+or
-> [!NOTE]
+1. Right-click on the **Start** menu and select **Run**.
-> If you use the `slmgr /dli` or `slmgr /dlv` commands to get the activation information for the E3 or E5 license, the license information displayed will be similar to the following output:
+
->
+1. In the **Run** window, next to **Open:**, enter:
-> ```console
+
-> Name: Windows(R), Professional edition
+   ```console
-> Description: Windows(R) Operating System, RETAIL channel
+   ms-settings:activation
-> Partial Product Key: 3V66T
+   ```
-> ```
+
   and then select **OK**.
 or
 ::: zone pivot="windows-11"
 1. Right-click on the **Start** menu and select **Settings**.
 1. In the **Settings** app, select **System** in the left hand pane.
 1. In the **System** pane, **Activation**.
 Once the **System > Activation** pane is open:
 1. In the **System > Activation** pane, expand **Activation state** and **Subscription** to see full details of the activation state and status:
    1. Under **Activation state**, verify that Windows is activated. It should display the message:
      `Windows is activated with a digital license`
    1. Under **Subscription**, verify that the Windows 11 Enterprise subscription is active. It should display the message:
      `Windows 11 Enterprise subscription is active`
      > [!NOTE]
      >
      > If the Windows Enterprise subscription hasn't yet been applied, the **Subscription** pane isn't displayed.
 ::: zone-end
 ::: zone pivot="windows-10"
 1. Right-click on the **Start** menu and select **Settings**.
 1. In the **Settings** app, select **Update & Security**.
 1. In the left hand pane, select **Activation**.
 Once the **Activation** pane is open:
 1. In the **Activation** pane:
    1. Next to **Subscription**, verify that the Windows 10 Enterprise subscription is active. It should display the message:
      `Windows Enterprise 10 subscription is active`
      > [!NOTE]
      >
      > If the Windows Enterprise subscription hasn't yet been applied, the **Subscription** field isn't displayed.
    1. Next to **Activation**, verify that Windows is activated. It should display the message:
      `Windows is activated with a digital license`
 ::: zone-end
 A device is healthy when both the subscription and activation are active. If there are any problems with the Windows Enterprise E3 or E5 license or the activation of the license, the **Activation** pane displays the appropriate error message or status. This information can be used to help diagnose the licensing and activation process.
 #### Verify that Enterprise edition is enabled with slmgr
 **Slmgr** can also be used to verify the activation information:
 1. Open a command prompt.
 1. To get basic licensing information, run the following command at the command prompt:
  ```cmd
  slmgr /dli
  ```
  A window with output similar to the following opens:
  ```console
  Name: Windows(R), Professional edition
  Description: Windows(R) Operating System, RETAIL channel
  Partial Product Key: 3V66T
  License Status: Licensed
  ```
  To instead get detailed licensing information, run the following command:
  ```cmd
  slmgr /dlv
  ```
 ## Troubleshoot the user experience
-In some instances, users may experience problems with the Windows Enterprise E3 or E5 subscription. The most common problems that users may experience are the following issues:
+In some instances, users might experience problems with activation of the Windows Enterprise E3 or E5 subscription. The most common problems that users might experience are the following issues:
- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed.
+- The Windows Enterprise E3 or E5 subscription has lapsed, was removed, or isn't applied.
- An earlier version of Windows 10 Pro isn't activated. For example, Windows 10, versions 1703 or 1709.
+- Windows Pro was never activated.
-### Troubleshoot common problems in the Activation pane
+When there are problems with Windows Enterprise E3 or E5 subscription activation, the following are errors can occur in the [Activation](ms-settings:activation) pane:
-Use the following figures to help you troubleshoot when users experience common problems:
+- **Windows Pro isn't activated**
-#### Device in healthy state
+  When Windows Pro isn't activated on a device, the following message is displayed for **Activation** in the [Activation](ms-settings:activation) pane:
-The following image illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.
+  `Windows is not activated`
-:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's healthy and successfully activated.":::
+  Additionally, the following message might be displayed:
-#### Device that's not activated with active subscription
+  `We can't activate Windows on this device right now. You can try activating again later or go to the Store to buy genuine Windows. Error code: 0xC004F034.`
-Figure 10 illustrates a device on which the Windows 10 Pro isn't activated, but the Windows 10 Enterprise subscription is active.
+  Examples where this problem can occur include:
-:::image type="content" source="images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that isn't activated but the subscription is active.":::
+  - The device doesn't have a firmware-embedded activation key.
  - The starting edition of Windows wasn't Windows Pro. For example, the starting edition of Windows was Windows Home.
-Figure 10: Windows 10 Pro, version 1703 edition not activated in Settings.
+  In these cases, a Windows Pro key might need to be manually entered.
-It displays the following error: "We can't activate Windows on this device right now. You can try activating again later or go to the Store to buy genuine Windows. Error code: 0xC004F034."
+- **Windows Enterprise subscription isn't active**
-#### Device that's activated without an Enterprise subscription
+  When a device with a Windows Enterprise subscription has lapsed or has been removed, the following message is displayed for **Subscription** in the [Activation](ms-settings:activation) pane:
-Figure 11 illustrates a device on which the Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed.
+  `Windows Enterprise subscription isn't valid.`
-:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's activated but the subscription isn't active.":::
+  ::: zone pivot="windows-11"
-Figure 11: Windows 10 Enterprise subscription lapsed or removed in Settings.
+  > [!NOTE]
  >
  > If the Windows Enterprise subscription has never been applied, the **Subscription** pane isn't displayed.
-It displays the following error: "Windows 10 Enterprise subscription isn't valid."
+  ::: zone-end
-#### Device that's not activated and without an Enterprise subscription
+  ::: zone pivot="windows-10"
-Figure 12 illustrates a device on which the Windows 10 Pro license isn't activated and the Windows 10 Enterprise subscription is lapsed or removed.
+  > [!NOTE]
  >
  > If the Windows Enterprise subscription has never been applied, the **Subscription** field isn't displayed.
-:::image type="content" source="images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's not activated and the subscription isn't active.":::
+  ::: zone-end
 Figure 12: Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings.
 It displays both of the previously mentioned error messages.
 ### Review requirements on devices
-Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro. Earlier versions of Windows 10, such as version 1703, don't support this feature.
+When there are Windows Enterprise E3 or E5 license activation issues on a device, verify that it meets all of the requirements:
-Devices must also be joined to Microsoft Entra ID, or hybrid domain joined with Microsoft Entra Connect. Customers who are federated with Microsoft Entra ID are also eligible.
+- Devices must be running a currently supported version of Windows Pro. Versions of Windows Pro that are out support don't support this feature.
-Use the following procedures to review whether a particular device meets these requirements.
+- Devices must be joined to Microsoft Entra ID, or hybrid domain joined with Microsoft Entra Connect. Customers who are federated with Microsoft Entra ID are also eligible.
-#### Firmware-embedded activation key
+- For automatic activation of Windows Pro, the device must have a firmware-embedded activation key.
-To determine if the computer has a firmware-embedded activation key, enter the following command at an elevated Windows PowerShell prompt:
+Use the following guides to verify each one of these requirements:
-```powershell
+- **Determine if the version of Windows is currently supported**.
 (Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey
 ```
-If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.
+  To determine if the version of Windows is currently supported:
-<a name='determine-if-a-device-is-azure-ad-joined'></a>
+  1. Open a command prompt
-#### Determine if a device is Microsoft Entra joined
+  1. In the command prompt window, enter:
-1. Open a command prompt and enter `dsregcmd /status`.
+      ```cmd
      winver.exe
      ```
-1. Review the output in the **Device State** section. If the **AzureAdJoined** value is **YES**, the device is joined to Microsoft Entra ID.
+  1. The **About Windows** window opens and displays both the OS version and the build information of Windows.
-#### Determine the version of Windows
+  1. Compare the information from the **About Windows** window against the Windows support lifecycle:
-1. Open a command prompt and enter `winver`.
+      - [Windows 11 release information](/windows/release-health/windows11-release-information).
      - [Windows 10 release information](/windows/release-health/release-information).
-1. The **About Windows** window displays the OS version and build information.
+- **Determine if a device is Microsoft Entra joined**.
-1. Compare this information again the Windows support lifecycle:
+  To determine if a device is Microsoft Entra joined:
-    - [Windows 10 release information](/windows/release-health/release-information)
+  1. Open a command prompt.
    - [Windows 11 release information](/windows/release-health/windows11-release-information)
-> [!NOTE]
+  1. In the command prompt window, enter:
 > If a device is running a version of Windows 10 Pro prior to version 1703, it won't upgrade to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
-### Delay in the activation of Enterprise license of Windows 10
+      ```cmd
      dsregcmd.exe /status
      ```
-This delay is by design. Windows 10 and Windows 11 include a built-in cache that's used when determining upgrade eligibility. This behavior includes processing responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires.
+  1. Review the output. Under the first section called **Device State**, verify that the value of **AzureAdJoined** is **YES**. If the value is **YES**,  the device is joined to Microsoft Entra ID.
      ```console
      +----------------------------------------------------------------------+
      | Device State                                                         |
      +----------------------------------------------------------------------+
               AzureAdJoined : YES
            EnterpriseJoined : NO
                DomainJoined : NO
             Virtual Desktop : NOT SET
                 Device Name : Demo-PC
      ```
 - **Determine if devices has a firmware-embedded activation key**.
  To determine if the device has a firmware-embedded activation key:
  1. Open an elevated Windows PowerShell command prompt.
  1. In the elevated Windows PowerShell command prompt, enter:
      ```powershell
      (Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey
      ```
  1. If the device has a firmware-embedded activation key, the key is displayed in the output. If the output is blank, the device doesn't have a firmware embedded activation key. Most modern OEM-provided devices designed to run currently supported versions of Windows have a firmware-embedded key.
 - **Make sure the Microsoft Entra user has been assigned a license**.
  For more information, see [Assigning licenses to users](#assigning-licenses-to-users).
 ### Delay in the activation of Enterprise license of Windows
 There might be a delay in the activation of the Enterprise license in Windows. This delay is by design. Windows uses a built-in cache when determining upgrade eligibility. This behavior includes processing responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires.
 ## Known issues
-If a device isn't able to connect to Windows Update, it can lose activation status or be blocked from upgrading to Windows Enterprise. To work around this issue:
+- If a device isn't able to connect to Windows Update, it can lose activation status or be blocked from upgrading to Windows Enterprise. Make sure that Windows Update isn't blocked on the device:
- Make sure that the device doesn't have the following registry value: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations = 1 (REG_DWORD)`. If this registry value exists, it must be set to `0`.
+  - Using `gpedit.msc` or group policy editor in the domain, make sure that the following group policy setting is set to **Disabled** or **Not Configured**:
- Make sure that the following group policy setting is **disabled**: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Don't connect to any Windows Update Internet locations.
+    ::: zone pivot="windows-11"
    **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Manage updates offered from Windows Server Update Service** > **Do not connect to any Windows Update Internet locations**
    ::: zone-end
    ::: zone pivot="windows-10"
    **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations**
    ::: zone-end
    If this policy is set to **Enabled**, it must be changed to **Disabled** or **Not Configured**.
  - In the following registry key:
    `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`
    check if the value `DoNotConnectToWindowsUpdateInternetLocations` exists. If the value does exist, verify that it has a REG_DWORD value of  `0`. If the value is instead set to `1`, it must be changed to `0`. The value can be changed by running the following command from an elevated command prompt:
    ```cmd
    reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v DoNotConnectToWindowsUpdateInternetLocations /t REG_DWORD /d 1 /f
    ```
    > [!NOTE]
    >
    > Make sure to first check the group policy of **Do not connect to any Windows Update Internet locations**. If the policy is **Enabled**, then this registry key will eventually be reset back to `1` even after it's manually set to `0` via `reg.exe`. Setting the policy of **Do not connect to any Windows Update Internet locations** to **Disabled** or **Not Configured** will make sure the registry value remains as `0`.
 ## Virtual Desktop Access (VDA)
-Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another qualified multitenant hoster.
+Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another qualified multitenant host.
 Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md).
 ## Related articles
 - [MDM enrollment of Windows devices](/windows/client-management/mdm-enrollment-of-windows-devices).
--- a/windows/deployment/deploy-m365.md
+++ b/windows/deployment/deploy-m365.md
@ -1,75 +1,55 @@
 ---
-title: Deploy Windows 10 with Microsoft 365
+title: Deploy Windows with Microsoft 365
 manager: aaroncz
 ms.author: frankroj
-description: Learn about deploying Windows 10 with Microsoft 365 and how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
+description: Learn about deploying Windows with Microsoft 365 and how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
 ms.service: windows-client
 ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
-ms.date: 11/23/2022
+ms.date: 02/13/2024
 ms.subservice: itpro-deploy
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
-# Deploy Windows 10 with Microsoft 365
+# Deploy Windows with Microsoft 365
 *Applies to:*
 - Windows 10
 This article provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
-[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://www.microsoft.com/microsoft-365/office-365), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). See the [Microsoft 365 Enterprise poster](#microsoft-365-enterprise-poster) for an overview.
+[Microsoft 365](https://www.microsoft.com/microsoft-365) is an offering from Microsoft that combines [Windows](https://www.microsoft.com/windows/features) with [Office 365](https://www.microsoft.com/microsoft-365/office-365), and [Enterprise Mobility and Security](https://www.microsoft.com/security/business) (EMS). See the [Microsoft 365 Enterprise poster](#microsoft-365-enterprise-poster) for an overview.
-For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including:
+For Windows deployment, Microsoft 365 includes a deployment advisor that walks through the entire process of deploying Windows. The wizard supports multiple Windows deployment methods, including:
- Windows Autopilot
+- Windows Autopilot.
- In-place upgrade
+- In-place upgrade.
- Deploying Windows 10 upgrade with Intune
+- Deploying Windows upgrade with Intune.
- Deploying Windows 10 upgrade with Microsoft Configuration Manager
+- Deploying Windows upgrade with Microsoft Configuration Manager.
- Deploying a computer refresh with Microsoft Configuration Manager
+- Deploying a computer refresh with Microsoft Configuration Manager.
 ## Free trial account
-### If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center
+If an existing Microsoft services subscription account exists, and there's access to the Microsoft 365 Admin Center:
-From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services.
+1. Sign into the [Microsoft 365 Admin Center](https://admin.microsoft.com/).
-In the Enterprise Suites section of the service offerings, you'll find Microsoft 365 E3 and Microsoft 365 E5 tiles.
+1. Go to **Billing** and then **Purchase services**.
-There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles.
+1. In the Enterprise Suites section of the service offerings, find the Microsoft 365 E3 and Microsoft 365 E5 tiles.
 1. Select one of the available **Start Free Trial** options.
-### If you do not already have a Microsoft services subscription
+If there isn't an existing Microsoft services subscription, Microsoft 365 deployment advisor and other resources can be tried for free! Just follow these steps:
-You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below.
+1. [Obtain a free Microsoft 365 trial](https://www.microsoft.com/microsoft-365/try).
 1. Check out the [Microsoft 365 deployment advisor](https://aka.ms/microsoft365setupguide).
 > [!NOTE]
-> If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected.
+>
-
+> When setup guide runs for the first time, the **Prepare your environment** guide appears. This guide makes sure the basics are covered like domain verification and a method for adding users. At the end of the **Prepare your environment** guide, there's a **Ready to continue** button that goes back to the original guide that was selected.
 1. [Obtain a free Microsoft 365 trial](/microsoft-365/commerce/try-or-buy-microsoft-365).
 2. Check out the [Microsoft 365 deployment advisor](https://aka.ms/microsoft365setupguide).
 3. Also check out the [Windows Analytics deployment advisor](/mem/configmgr/desktop-analytics/overview). This advisor will walk you through deploying [Desktop Analytics](/mem/configmgr/desktop-analytics/overview).
 Examples of these two deployment advisors are shown below.
 - [Deploy Windows 10 with Microsoft 365](#deploy-windows-10-with-microsoft-365)
  - [Free trial account](#free-trial-account)
    - [If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center](#if-you-already-have-a-microsoft-services-subscription-account-and-access-to-the-microsoft-365-admin-center)
    - [If you do not already have a Microsoft services subscription](#if-you-do-not-already-have-a-microsoft-services-subscription)
  - [Microsoft 365 deployment advisor example](#microsoft-365-deployment-advisor-example)
  - [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example)
  - [Microsoft 365 Enterprise poster](#microsoft-365-enterprise-poster)
  - [Related articles](#related-articles)
 ## Microsoft 365 deployment advisor example
 ![Microsoft 365 deployment advisor.](images/m365da.png)
 ## Windows Analytics deployment advisor example
 ## Microsoft 365 Enterprise poster
-[![Microsoft 365 Enterprise poster.](images/m365e.png)](https://aka.ms/m365eposter)
+Select [Microsoft 365 Enterprise poster](https://aka.ms/m365eposter) to see the latest version of the Microsoft 365 Enterprise poster.
 ## Related articles
-[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)<br>
+- [Windows deployment scenarios](windows-deployment-scenarios.md).
 [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home)
--- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
@ -154,5 +154,5 @@ On **PC0004**:
 ## Related articles
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)<br>
+- [Windows 10 deployment scenarios](../windows-deployment-scenarios.md).
-[Configuration Manager Team blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/bg-p/ConfigurationManagerBlog)
+- [Configuration Manager Team blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/bg-p/ConfigurationManagerBlog).
--- a/windows/deployment/docfx.json
+++ b/windows/deployment/docfx.json
@ -38,6 +38,7 @@
      "ms.collection": [
        "tier2"
      ],
      "zone_pivot_group_filename": "resources/zone-pivot-groups.json",
      "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
      "uhfHeaderId": "MSDocsHeader-Windows",
      "feedback_system": "Standard",
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@ -1,5 +1,5 @@
 ---
-title: Windows 10 upgrade paths (Windows 10)
+title: Windows 10 upgrade paths
 description: You can upgrade to Windows 10 from a previous version of Windows if the upgrade path is supported.
 ms.service: windows-client
 ms.localizationpriority: medium
@ -11,7 +11,7 @@ ms.collection:
  - highpri
  - tier2
 ms.subservice: itpro-deploy
-ms.date: 10/02/2023
+ms.date: 02/13/2024
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
@ -32,7 +32,7 @@ appliesto:
 This article provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. Paths include upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported.
-If you're also migrating to a different edition of Windows, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md). Methods and supported paths are described on this page to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths. However, applications and settings aren't maintained when the Windows edition is downgraded.
+If you're also migrating to a different edition of Windows, see [Windows edition upgrade](windows-edition-upgrades.md). Methods and supported paths are described on this page to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths. However, applications and settings aren't maintained when the Windows edition is downgraded.
 - **Windows 10 version upgrade**: You can directly upgrade any General Availability Channel version of Windows 10 to a newer, supported General Availability Channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](/lifecycle/faq/windows) for availability and service information.
@ -99,8 +99,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
 ## Related articles
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+- [Windows 10 deployment scenarios](../windows-deployment-scenarios.md).
-
+- [Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md).
-[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
+- [Windows 10 edition upgrade](windows-edition-upgrades.md).
 [Windows 10 edition upgrade](windows-10-edition-upgrades.md)
--- a/windows/deployment/upgrade/windows-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-upgrade-paths.md
@ -11,7 +11,7 @@ ms.collection:
  - highpri
  - tier2
 ms.subservice: itpro-deploy
-ms.date: 10/02/2023
+ms.date: 02/13/2024
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@ -66,6 +66,6 @@ This article provides a summary of available upgrade paths to currently supporte
 ## Related articles
- [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+- [Windows 10 deployment scenarios](../windows-deployment-scenarios.md).
- [Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
+- [Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md).
- [Windows edition upgrade](windows-edition-upgrades.md)
+- [Windows edition upgrade](windows-edition-upgrades.md).
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@ -1,196 +0,0 @@
 ---
 title: Windows 10 deployment scenarios (Windows 10)
 description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios.
 manager: aaroncz
 ms.author: frankroj
 author: frankroj
 ms.service: windows-client
 ms.localizationpriority: medium
 ms.topic: article
 ms.date: 11/23/2022
 ms.subservice: itpro-deploy
 ---
 # Windows 10 deployment scenarios
 *Applies to:*
 - Windows 10
 To successfully deploy the Windows 10 operating system in your organization, it's important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Key tasks include choosing among these scenarios and understanding the capabilities and limitations of each.
 ## Deployment categories
 The following tables summarize various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories.
 - Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home).
   > [!NOTE]
   > Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates.
 - Dynamic deployment methods enable you to configure applications and settings for specific use cases.
 - Traditional deployment methods use existing tools to deploy operating system images.
 ### Modern
 |Scenario|Description|More information|
 |--- |--- |--- |
 |[Windows Autopilot](#windows-autopilot)|Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured|[Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot)|
 |[In-place upgrade](#in-place-upgrade)|Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old.|[Perform an in-place upgrade to Windows 10 with MDT](/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit)<br>[Perform an in-place upgrade to Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager)|
 ### Dynamic
 |Scenario|Description|More information|
 |--- |--- |--- |
 |[Subscription Activation](#windows-10-subscription-activation)|Switch from Windows 10 Pro to Enterprise when a subscribed user signs in.|[Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)|
 |[Microsoft Entra ID / MDM](#dynamic-provisioning)|The device is automatically joined to Microsoft Entra ID and configured by MDM.|[Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm)|
 |[Provisioning packages](#dynamic-provisioning)|Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.|[Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)|
 ### Traditional
 |Scenario|Description|More information|
 |--- |--- |--- |
 |[Bare metal](#new-computer)|Deploy a new device, or wipe an existing device and deploy with a fresh image. |[Deploy a Windows 10 image using MDT](/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt)<br>[Deploy Windows 10 using PXE and Configuration Manager](/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager)|
 |[Refresh](#computer-refresh)|Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. | [Refresh a Windows 7 computer with Windows 10](/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10)<br>[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager)|
 |[Replace](#computer-replace)|Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.| [Replace a Windows 7 computer with a Windows 10 computer](/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer)<br>[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager)|
 > [!IMPORTANT]
 > The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.<br>
 > Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS.
 ## Modern deployment methods
 Modern deployment methods embrace both traditional on-premises and cloud services to deliver a simple, streamlined, and cost effective deployment experience.
 ### Windows Autopilot
 Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator.
 For more information about Windows Autopilot, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/).
 ### In-place upgrade
 For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 uses the Windows installation program (Setup.exe) is to perform an in-place upgrade. An in-place upgrade:
 - Automatically preserves all data, settings, applications, and drivers from the existing operating system version
 - Requires the least IT effort, because there's no need for any complex deployment infrastructure
 Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. Control is accomplished by using tools like Microsoft Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences.
 The in-place upgrade process is designed to be reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by using the automatically created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications don't need to be reinstalled as part of the process.
 Existing applications are preserved through the process. So, the upgrade process uses the standard Windows installation media image (Install.wim). Custom images aren't needed and can't be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.)
 Scenarios that support in-place upgrade with some other procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software.
 - **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 doesn't require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode.
 - **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting:
  - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
  - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
 There are some situations where you can't use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include:
 - Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
 - Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
 - Updating existing images. It can be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image. But, it's not supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail.
 - Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS. If you use dual-boot or multi-boot systems with multiple operating systems (not using virtual machines for the second and subsequent operating systems), then extra care should be taken.
 ## Dynamic provisioning
 For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image. A custom image was used because a custom image was often faster and easier than using the preinstalled version. However, reimaging with a custom image is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it's now possible to avoid using custom images.
 The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include:
 ### Windows 10 Subscription Activation
 Windows 10 Subscription Activation is a dynamic deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation).
 <a name='azure-active-directory-azure-ad-join-with-automatic-mobile-device-management-mdm-enrollment'></a>
 ### Microsoft Entra join with automatic mobile device management (MDM) enrollment
 In this scenario, the organization member just needs to provide their work or school user ID and password. The device can then be automatically joined to Microsoft Entra ID and enrolled in a mobile device management (MDM) solution with no other user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
 ### Provisioning package configuration
 When you use the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through various means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm).
 These scenarios can be used to enable "choose your own device" (CYOD) programs. With these programs, organization users can pick their own PC and aren't restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios).
 While the initial Windows 10 release includes various provisioning settings and deployment mechanisms, provisioning settings and deployment mechanisms will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for more features through the Windows Feedback app or through their Microsoft Support contacts.
 ## Traditional deployment
 New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
 With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important, and will continue to be available to organizations that need them.
 The traditional deployment scenario can be divided into different sub-scenarios. These sub-scenarios are explained in detail in the following sections, but the following list provides a brief summary:
 - **New computer**: A bare-metal deployment of a new machine.
 - **Computer refresh**: A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup).
 - **Computer replace**: A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).
 ### New computer
 Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD).
 The deployment process for the new machine scenario is as follows:
 1. Start the setup from boot media (CD, USB, ISO, or PXE).
 2. Wipe the hard disk clean and create new volume(s).
 3. Install the operating system image.
 4. Install other applications (as part of the task sequence).
 After you follow these steps, the computer is ready for use.
 ### Computer refresh
 A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario.
 The deployment process for the wipe-and-load scenario is as follows:
 1. Start the setup on a running operating system.
 2. Save the user state locally.
 3. Wipe the hard disk clean (except for the folder containing the backup).
 4. Install the operating system image.
 5. Install other applications.
 6. Restore the user state.
 After you follow these steps, the machine is ready for use.
 ### Computer replace
 A computer replace is similar to the refresh scenario. However, since we're replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored.
 The deployment process for the replace scenario is as follows:
 1. Save the user state (data and settings) on the server through a backup job on the running operating system.
 2. Deploy the new computer as a bare-metal deployment.
    > [!NOTE]
    > In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk.
 ## Related articles
 - [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
 - [Upgrade to Windows 10 with Microsoft Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md)
 - [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md)
 - [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
 - [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference)
 - [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
 - [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi)
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@ -1,188 +0,0 @@
 ---
 title: Windows 10/11 Enterprise E3 in CSP
 description: Describes Windows 10/11 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10/11 Enterprise edition.
 ms.service: windows-client
 ms.localizationpriority: medium
 ms.date: 11/23/2022
 author: frankroj
 ms.author: frankroj
 manager: aaroncz
 ms.topic: article
 ms.subservice: itpro-deploy
 ---
 # Windows 10/11 Enterprise E3 in CSP
 *Applies to:*
 - Windows 10
 - Windows 11
 Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available.
 Windows 10/11 Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following prerequisites:
 - Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded.
 - Microsoft Entra available for identity management
 You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before with no keys and no reboots. After one of your users enters the Microsoft Entra credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro.
 Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise or Windows 11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Enterprise edition features.
 When you purchase Windows 10/11 Enterprise E3 via a partner, you get the following benefits:
 - **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit doesn't include Long Term Service Branch (LTSB).
 - **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program doesn't have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations.
 - **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices.
 - **Roll back to Windows 10/11 Pro at any time**. When a user's subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days).
 - **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization.
 - **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
 How does the Windows 10/11 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance?
 - [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products.
 - [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits:
  - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits.
  - **Training**. These benefits include training vouchers, online e-learning, and a home use program.
  - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server.
  - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums.
    In addition, in Windows 10/11 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses.
 In summary, the Windows 10/11 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to the Enterprise edition of Windows 10 or Windows 11.
 ## Compare Windows 10 Pro and Enterprise editions
 Windows 10 Enterprise edition has many features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management.
 ### Table 1. Windows 10 Enterprise features not found in Windows 10 Pro
 |Feature|Description|
 |--- |--- |
 |Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.<br><br>Credential Guard has the following features:<li>**Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.<li>**Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.<li>**Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.<li>**Improved manageability** -  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.<br><br>For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).<br><br>*Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*|
 |Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<br><br>For more information, see [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
 |AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.<br><br>For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
 |Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<br><br>For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).|
 |User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.<br><br>When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.<br><br>UE-V provides the following features:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for your third-party or line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state<br><br>For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).|
 |Managed User Experience|This feature helps customize and lock down a Windows device's user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:<li>Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands<li>Removing Log Off (the User tile) from the Start menu<li>Removing frequent programs from the Start menu<li>Removing the All Programs list from the Start menu<li>Preventing users from customizing their Start screen<li>Forcing Start menu to be either full-screen size or menu size<li>Preventing changes to Taskbar and Start menu settings|
 ## Deployment of Windows 10/11 Enterprise E3 licenses
 See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
 ## Deploy Windows 10/11 Enterprise features
 Now that you have Windows 10/11 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows-10-pro-and-enterprise-editions)?
 The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10/11 Enterprise edition features.
 ### Credential Guard
 > [!NOTE]
 > Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present).
 You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10/11 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods:
 - **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices.
 - **Manual**. You can manually turn on Credential Guard by taking one of the following actions:
  - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM).
  - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
    You can automate these manual steps by using a management tool such as Microsoft Configuration Manager.
 For more information about implementing Credential Guard, see the following resources:
 - [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)
 - [PC OEM requirements for Device Guard and Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations)
 - [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)
 ### Device Guard
 Now that the devices have Windows 10/11 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps:
 1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To sign catalog files or code integrity policies internally, you'll either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you'll need to create a code signing certificate.
 2. **Create code integrity policies from "golden" computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up "golden" computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually.
 3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use "audit mode" to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed.
 4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy.
 5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies.
 6. **Deploy code integrity policies and catalog files**. After you confirm that you've completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly.
 7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies.
 For more information about implementing Device Guard, see:
 - [Windows Defender Application Control and virtualization-based protection of code integrity](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
 - [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
 ### AppLocker management
 You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that you have AD DS and that the Windows 10/11 Enterprise devices are joined to your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices.
 For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide).
 ### App-V
 App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that you must have are as follows:
 - **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server.
 - **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app.
 - **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices.
 For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources:
 - [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started)
 - [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server)
 - [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client)
 ### UE-V
 UE-V requires server and client-side components that you'll need to download, activate, and install. These components include:
 - **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices.
 - **Settings packages**. Settings packages created by the UE-V service store application settings and Windows settings. Settings packages are built, locally stored, and copied to the settings storage location.
 - **Settings storage location**. This location is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings.
 - **Settings location templates**. Settings location templates are XML files that UE-V uses to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. You can also create, edit, or validate custom settings location templates by using the UE-V template generator. Settings location templates aren't required for Windows applications.
 - **Universal Windows applications list**. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications.
 For more information about deploying UE-V, see the following resources:
 - [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows)
 - [Get Started with UE-V](/windows/configuration/ue-v/uev-getting-started)
 - [Prepare a UE-V Deployment](/windows/configuration/ue-v/uev-prepare-for-deployment)
 ### Managed User Experience
 The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain.
 #### Table 2. Managed User Experience features
 | Feature          | Description     |
 |------------------|-----------------|
 | Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. The XML file enables you to customize Start layouts for different departments or organizations, with minimal management overhead.<br>For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](/windows/configuration/customize-windows-10-start-screens-by-using-group-policy). |
 | Unbranded boot             | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it can't recover.<br>For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot). |
 | Custom logon               | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.<br>For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). |
 | Shell launcher             | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.<br>For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher). |
 | Keyboard filter            | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This isn't desirable on devices intended for a dedicated purpose.<br>For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). |
 | Unified write filter       | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.<br>For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). |
 ## Related articles
 [Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md)<br>
 [Connect domain-joined devices to Microsoft Entra ID for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)<br>
 [Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)<br>
 [Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)<br>
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@ -1046,4 +1046,4 @@ Use the following procedures to verify that the PoC environment is configured pr
 ## Next steps
-[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
+- [Windows 10 deployment scenarios](windows-deployment-scenarios.md).
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@ -1,260 +0,0 @@
 ---
 title: Windows subscription activation
 description: In this article, you'll learn how to dynamically enable Windows 10 and Windows 11 Enterprise or Education subscriptions.
 ms.service: windows-client
 ms.subservice: itpro-fundamentals
 ms.localizationpriority: medium
 author: frankroj
 ms.author: frankroj
 manager: aaroncz
 ms.collection:
  - highpri
  - tier2
 ms.topic: conceptual
 ms.date: 11/14/2023
 appliesto: 
  - ✅ <b>Windows 10</b>
  - ✅ <b>Windows 11</b>
 ---
 # Windows subscription activation
 The subscription activation feature enables you to "step-up" from Windows Pro edition to Enterprise or Education editions. You can use this feature if you're subscribed to Windows Enterprise E3 or E5 licenses. Subscription activation also supports step-up from Windows Pro Education edition to Education edition.
 If you have devices that are licensed for earlier versions of Windows Professional, Microsoft 365 Business Premium provides an upgrade to Windows Pro edition, which is the prerequisite for deploying [Windows Business](/microsoft-365/business-premium/microsoft-365-business-faqs#what-is-windows-10-business).
 The subscription activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-premises key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and then rebooting client devices.
 This article covers the following information:
 - [Subscription activation](#subscription-activation-for-enterprise): An introduction to subscription activation for Windows Enterprise.
 - [Subscription activation for Education](#subscription-activation-for-education): Information about subscription activation for Windows Education.
 - [Inherited activation](#inherited-activation): Allow virtual machines to inherit activation state from their Windows client host.
 - [The evolution of deployment](#the-evolution-of-deployment): A short history of Windows deployment.
 - [Requirements](#requirements): Prerequisites to use the Windows subscription activation model.
 - [Benefits](#benefits): Advantages of subscription-based licensing.
 - [How it works](#how-it-works): A summary of the subscription-based licensing option.
 - [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): How to enable Windows subscription activation for VMs in the cloud.
 For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
 > [!NOTE]
 >
 > Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**:
 >
 > - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
 > - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
 >
 > Although the app ID is the same in both instances, the name of the cloud app will depend on the tenant.
 >
 > For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
 ## Subscription activation for Enterprise
 Windows Enterprise E3 and E5 are available as online services via subscription. You can deploy Windows Enterprise in your organization without keys and reboots.
 - Devices with a current Windows Pro edition license can be seamlessly upgraded to Windows Enterprise.
 - Product key-based Windows Enterprise software licenses can be transitioned to Windows Enterprise subscriptions.
 Organizations that have an enterprise agreement can also benefit from the service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Microsoft Entra ID using [Microsoft Entra Connect Sync](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
 > [!NOTE]
 > Subscription activation is available for qualifying devices running Windows 10 or Windows 11. You can't use subscription activation to upgrade from Windows 10 to Windows 11.
 ## Subscription activation for Education
 Subscription activation for Education works the same as the Enterprise edition, but in order to use subscription activation for Education, you must have a device running Windows Pro Education and an active subscription plan with an Enterprise license. For more information, see the [requirements](#windows-education-requirements) section.
 ## Inherited activation
 Inherited activation allows Windows virtual machines to inherit activation state from their Windows client host. When a user with a Windows E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10 or Windows 11 host, the VM inherits the activation state from a host machine. This behavior is independent of whether the user signs on with a local account or uses a Microsoft Entra account on a VM.
 To support inherited activation, both the host computer and the VM must be running a supported version of Windows 10 or Windows 11. The hypervisor platform must also be Windows Hyper-V.
 ## The evolution of deployment
 > [!TIP]
 > The original version of this section can be found at [Changing between Windows SKUs](/archive/blogs/mniehaus/changing-between-windows-skus).
 The following list illustrates how deploying Windows client has evolved with each release:
 - **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
 - **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade. This process was considered a "repair upgrade", because the OS version was the same before and after. This upgrade was a lot easier than wipe-and-load, but it was still time-consuming.
 - **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU. This process required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
 - **Windows 10, version 1607** made a large leap forward. You could just change the product key and the edition instantly changed from Windows 10 Pro to Windows 10 Enterprise. In addition to provisioning packages and MDM, you can inject a key using slmgr.vbs, which injects the key into WMI. It became trivial to do this process using a command line.
 - **Windows 10, version 1703** made this "step-up" from Windows 10 Pro to Windows 10 Enterprise automatic for devices that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
 - **Windows 10, version 1709** added support for Windows 10 subscription activation, similar to the CSP support but for large enterprises. This feature enabled the use of Microsoft Entra ID for assigning licenses to users. When users sign in to a device that's joined to Active Directory or Microsoft Entra ID, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
 - **Windows 10, version 1803** updated Windows 10 subscription activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It was no longer necessary to run a script to activate Windows 10 Pro before activating Enterprise. For virtual machines and hosts running Windows 10, version 1803, [inherited activation](#inherited-activation) was also enabled.
 - **Windows 10, version 1903** updated Windows 10 subscription activation to enable step-up from Windows 10 Pro Education to Windows 10 Education for devices with a qualifying Windows 10 or Microsoft 365 subscription.
 - **Windows 11, version 21H2** updated subscription activation to work on both Windows 10 and Windows 11 devices.
    > [!IMPORTANT]
    > Subscription activation doesn't update a device from Windows 10 to Windows 11. Only the edition is updated.
 ## Requirements
 ### Windows Enterprise requirements
 > [!NOTE]
 > The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Microsoft Entra joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems).
 > [!IMPORTANT]
 > As of October 1, 2022, subscription activation is available for *commercial* and *GCC* tenants. It's currently not available on GCC High or DoD tenants.<!-- 6783128 --> For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
 For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements:
 - A supported version of Windows Pro or Enterprise edition installed on the devices to be upgraded.
 - Microsoft Entra available for identity management.
 - Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-joined or Microsoft Entra registered devices aren't supported.
 For Microsoft customers that don't have EA or MPSA, you can get Windows Enterprise E3/E5 or A3/A5 licenses through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses. For more information about getting Windows Enterprise E3 through your CSP, see [Windows Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
 ### Windows Education requirements
 - A supported version of Windows Pro Education installed on the devices to be upgraded.
 - A device with a Windows Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**.
 - The Education tenant must have an active subscription to Microsoft 365 with a Windows Enterprise license, or a Windows Enterprise or Education subscription.
 - Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-joined or Microsoft Entra registered devices aren't supported.
 > [!IMPORTANT]
 > If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
 ## Benefits
 With Windows Enterprise or Education editions, your organization can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Education or Enterprise editions to their users. With Windows Enterprise E3/E5 or A3/A5 being available as an online service, it's available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows features.
 To compare Windows 10 editions and review pricing, see the following sites:
 - [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare)
 - [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing)
 You can benefit by moving to Windows as an online service in the following ways:
 - Licenses for Windows Enterprise and Education are checked based on Microsoft Entra credentials. You have a systematic way to assign licenses to end users and groups in your organization.
 - User sign-in triggers a silent edition upgrade, with no reboot required.
 - Support for mobile worker and "bring your own device" (BYOD) activation. This support transitions away from on-premises KMS and MAK keys.
 - Compliance support via seat assignment.
 - Licenses can be updated to different users dynamically, which allows you to optimize your licensing investment against changing needs.
 ## How it works
 > [!NOTE]
 > The following examples use Windows 10 Pro to Enterprise edition. The examples also apply to Windows 11, and Education editions.
 The device is Microsoft Entra joined from **Settings** > **Accounts** > **Access work or school**.
 You assign Windows 10 Enterprise to a user:
 ![A screenshot of assigning a Windows 10 Enterprise license in the Microsoft 365 admin center.](images/ent.png)
 When a licensed user signs in to a device that meets requirements using their Microsoft Entra credentials, Windows steps up from Pro edition to Enterprise. Then all of the Enterprise features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro edition, once the current subscription validity expires.
 > [!NOTE]
 > Devices running a supported version of Windows 10 Pro Education can get Windows 10 Enterprise or Education general availability channel on up to five devices for each user covered by the license. This benefit doesn't include the long term servicing channel.
 The following figure summarizes how the subscription activation model works:
 ![Diagram of subscription activation.](images/after.png)
 > [!NOTE]
 >
 > - A Windows 10 Pro Education device will only step-up to Windows 10 Education edition when you assign a **Windows 10 Enterprise** license from the Microsoft 365 admin center.
 >
 > - A Windows 10 Pro device will only step-up to Windows 10 Enterprise edition when you assign a **Windows 10 Enterprise** license from the Microsoft 365 admin center.
 ### Scenarios
 #### Scenario #1
 You're using a supported version of Windows 10. You purchased Windows 10 Enterprise E3 or E5 subscriptions, or you've had an E3 or E5 subscription for a while but haven't yet deployed Windows 10 Enterprise.
 All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise. When a subscription activation-enabled user signs in, devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to subscription activated Enterprise edition.
 #### Scenario #2
 You're using Microsoft Entra joined devices or Active Directory-joined devices running a supported version of Windows 10. You configured Microsoft Entra synchronization. You follow the steps in [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md) to get a $0 SKU, and get a new Windows 10 Enterprise E3 or E5 license in Microsoft Entra ID. You then assign that license to all of your Microsoft Entra users, which can be Active Directory-synced accounts. When that user signs in, the device will automatically change from Windows 10 Pro to Windows 10 Enterprise.
 #### Earlier versions of Windows
 If devices are running Windows 7, more steps are required. A wipe-and-load approach still works, but it can be easier to upgrade from Windows 7 Pro directly to Windows 10 Enterprise edition. This path is supported, and completes the move in one step. This method also works for devices with Windows 8.1 Pro.
 ### Licenses
 The following policies apply to acquisition and renewal of licenses on devices:
 - Devices that have been upgraded will attempt to renew licenses about every 30 days. They must be connected to the internet to successfully acquire or renew a license.
 - If a device is disconnected from the internet, until its current subscription expires Windows will revert to Pro or Pro Education. As soon as the device is connected to the internet again, the license will automatically renew.
 - Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, on the computer to which a user hasn't logged for the longest time, Windows will revert to Pro or Pro Education.
 - If a device meets the requirements and a licensed user signs in on that device, it will be upgraded.
 Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
 When you have the required Microsoft Entra subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal).
 ### Existing Enterprise deployments
 If you're running a supported version of Windows 10 or Windows 11, subscription activation will automatically pull the firmware-embedded Windows activation key and activate the underlying Pro license. The license will then step-up to Enterprise using subscription activation. This behavior automatically migrates your devices from KMS or MAK activated Enterprise to subscription activated Enterprise.
 Subscription activation doesn't remove the need to activate the underlying OS. This requirement still exists for running a genuine installation of Windows.
 > [!CAUTION]
 > Firmware-embedded Windows activation happens automatically only during Windows Setup out of box experience (OOBE).
 If the computer has never been activated with a Pro key, use the following script from an elevated PowerShell console:
 ```powershell
 $(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;changepk.exe /Productkey $_ } else { Write-Host "No key present" } }
 ```
 <a name='obtaining-an-azure-ad-license'></a>
 ### Obtaining a Microsoft Entra ID license
 If your organization has an Enterprise Agreement (EA) or Software Assurance (SA):
 - Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Microsoft Entra ID. Ideally, you assign the licenses to groups using the Microsoft Entra ID P1 or P2 feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
 - The license administrator can assign seats to Microsoft Entra users with the same process that's used for Microsoft 365 Apps.
 - New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
 If your organization has a Microsoft Products & Services Agreement (MPSA):
 - New customers are automatically emailed the details of the service. Take steps to process the instructions.
 - Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service.
 - New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method.
 ### Deploying licenses
 For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
 ## Virtual Desktop Access (VDA)
 Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another qualified multitenant hoster (QMTH).
 Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
 ## Related sites
 Connect domain-joined devices to Microsoft Entra ID for Windows experiences. For more information, see [Plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
 [Compare Windows editions](https://www.microsoft.com/windows/business/compare-windows-11)
 [Windows for business](https://www.microsoft.com/windows/business)
--- a/windows/deployment/windows-adk-scenarios-for-it-pros.md
+++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md
@ -1,83 +1,78 @@
 ---
-title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10)
+title: Windows ADK for Windows scenarios for IT Pros
-description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
+description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that IT Pros can use to deploy Windows.
 author: frankroj
 ms.author: frankroj
 manager: aaroncz
 ms.service: windows-client
 ms.localizationpriority: medium
-ms.date: 11/23/2022
+ms.date: 02/13/2024
 ms.topic: article
 ms.subservice: itpro-deploy
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
-# Windows ADK for Windows 10 scenarios for IT Pros
+# Windows ADK for Windows scenarios for IT Pros
-The [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](/windows-hardware/get-started/what-s-new-in-kits-and-tools).
+The [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) contains tools that IT Pros can use to deploy Windows. For an overview of what's new in the latest version of the Windows ADK, see [What's new in the ADK tools](/windows-hardware/get-started/what-s-new-in-kits-and-tools). For the ADK reference content, see [Desktop manufacturing](/windows-hardware/manufacture/desktop/).
 In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](/windows-hardware/manufacture/desktop/).
 Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center.
 ## Create a Windows image using command-line tools
 [DISM](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) is used to mount and service Windows images.
-Here are some things you can do with DISM:
+Here are some things that can be done with DISM:
- [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
+- [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image).
- [Add drivers to an offline image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image)
+- [Add and Remove Driver packages to an offline Windows Image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image).
- [Enable or disable Windows features](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism)
+- [Enable or Disable Windows Features Using DISM](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism).
- [Add or remove packages](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism)
+- [Add or Remove Packages Offline Using DISM](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism).
- [Add language packs](/windows-hardware/manufacture/desktop/add-language-packs-to-windows)
+- [Add languages to Windows images](/windows-hardware/manufacture/desktop/add-language-packs-to-windows).
- [Add Universal Windows apps](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism)
+- [Preinstall Apps Using DISM](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism).
- [Upgrade the Windows edition](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism)
+- [Change the Windows Image to a Higher Edition Using DISM](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism).
-[Sysprep](/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview) prepares a Windows installation for imaging and allows you to capture a customized installation.
+[Sysprep](/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview) prepares a Windows installation for imaging and allows capturing a customized Windows installation.
-Here are some things you can do with Sysprep:
+Here are some things that can be done with Sysprep:
- [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation)
+- [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation#generalize-a-windows-installation).
- [Customize the default user profile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile)
+- [Customize the default user profile by using CopyProfile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile).
- [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep)
+- [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep).
-[Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro) is a small operating system used to boot a computer that doesn't have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system.
+[Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro) is a small operating system used to boot a computer that doesn't have an operating system. Windows PE can be booted into to install a new operating system, recover data, or repair an existing operating system.
-Here are ways you can create a WinPE image:
+A WinPE image can be created using the article [Create bootable Windows PE media](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive). Types of bootable media include:
- [Create a bootable USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
+- [Create a bootable Windows PE USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive#create-a-bootable-windows-pe-usb-drive).
- [Create a Boot CD, DVD, ISO, or VHD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
+- [Create a WinPE ISO, DVD, or CD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive#create-a-winpe-iso-dvd-or-cd).
 - [Create a Windows PE VHD to use with Hyper-V](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive#create-a-windows-pe-vhd-to-use-with-hyper-v).
 [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is a recovery environment that can repair common operating system problems.
-Here are some things you can do with Windows RE:
+Here are some things that can be done with Windows RE:
- [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re)
+- [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re).
- [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview)
+- [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview).
-[Windows System Image Manager (Windows SIM)](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference) helps you create answer files that change Windows settings and run scripts during installation.
+[Windows System Image Manager (WSIM)](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference) helps create answer files that change Windows settings and run scripts during Windows installation.
-Here are some things you can do with Windows SIM:
+Here are some things that can be done with WSIM:
- [Create answer file](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file)
+- [Create or Open an Answer File](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file).
- [Add a driver path to an answer file](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file)
+- [Add a Device Driver Path to an Answer File](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file).
- [Add a package to an answer file](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file)
+- [Add a Package to an Answer File](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file).
- [Add a custom command to an answer file](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file)
+- [Add a Custom Command to an Answer File](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file).
-For a list of settings you can change, see [Unattended Windows Setup Reference](/windows-hardware/customize/desktop/unattend/) on the MSDN Hardware Dev Center.
+For a list of settings that can be changed, see [Unattended Windows Setup Reference](/windows-hardware/customize/desktop/unattend/).
 ### Create a provisioning package using Windows ICD
-Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) or Windows 10 IoT Core (IoT Core) image.
+[Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd) streamlines the customizing and provisioning of a Windows for desktop editions (Home, Pro, Enterprise, and Education) or a Windows IoT Core (IoT Core) image. Creating, applying, and exporting provisioning packages with the Windows ICD is covered in the article [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package).
 Here are some things you can do with Windows ICD:
 - [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
 - [Export a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
 ### IT Pro Windows deployment tools
-There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet:
+There are also a few tools included in the Windows ADK that are specific to IT Pros:
 - [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
 - [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)
--- a/windows/deployment/windows-deployment-scenarios.md
+++ b/windows/deployment/windows-deployment-scenarios.md
@ -0,0 +1,205 @@
 ---
 title: Windows deployment scenarios
 description: Understand the different ways Windows operating system can be deployed in an organization. Explore several Windows deployment scenarios.
 manager: aaroncz
 ms.author: frankroj
 author: frankroj
 ms.service: windows-client
 ms.localizationpriority: medium
 ms.topic: article
 ms.date: 02/13/2024
 ms.subservice: itpro-deploy
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 # Windows deployment scenarios
 To successfully deploy the Windows operating system in an organization, it's important to understand the different ways that it can be deployed. Key tasks include choosing among these scenarios and understanding the capabilities and limitations of each.
 ## Deployment categories
 The following tables summarize various Windows deployment scenarios. The scenarios are each assigned to one of three categories.
 - Modern deployment methods are recommended unless a specific need requires use of a different procedure. These methods are supported with existing tools such as Microsoft Configuration Manager.
   > [!NOTE]
   >
   > Once Windows is deployed in an organization, it's important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows feature updates.
 - Dynamic deployment methods enable configuration of applications and settings for specific use cases.
 - Traditional deployment methods use existing tools to deploy operating system images.
 ### Modern
 |Scenario|Description|More information|
 |--- |--- |--- |
 |[Windows Autopilot](#windows-autopilot)|Customize the out-of-box-experience (OOBE) for an organization, and deploy a new system with apps and settings already configured|[Overview of Windows Autopilot](/autopilot/windows-autopilot)|
 |[In-place upgrade](#in-place-upgrade)|Use Windows Setup to update the Windows version and migrate apps and settings. Rollback data is saved in Windows.old.|[Perform an in-place upgrade to Windows using Configuration Manager](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager)|
 ### Dynamic
 |Scenario|Description|More information|
 |--- |--- |--- |
 |[Subscription Activation](#windows-subscription-activation)|Switch from Windows Pro to Enterprise when a subscribed user signs in.|[Windows Subscription Activation](windows-subscription-activation.md)|
 |[Microsoft Entra ID / MDM](#dynamic-provisioning)|The device is automatically joined to Microsoft Entra ID and configured by MDM.|[Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm)|
 |[Provisioning packages](#dynamic-provisioning)|Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.|[Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)|
 ### Traditional
 |Scenario|Description|More information|
 |--- |--- |--- |
 |[Bare metal](#new-computer)|Deploy a new device, or wipe an existing device and deploy with a fresh image. |[Deploy Windows using PXE and Configuration Manager](/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager)|
 |[Refresh](#computer-refresh)|Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. | [Refresh a Windows client with a currently supported version of Windows using Configuration Manager](/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager)|
 |[Replace](#computer-replace)|Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.| [Replace a Windows client with a currently supported version of Windows using Configuration Manager](/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager)|
 > [!IMPORTANT]
 >
 > The Windows Autopilot and Subscription Activation scenarios require that the beginning OS is a currently supported version of Windows.
 >
 > Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS.
 ## Modern deployment methods
 Modern deployment methods embrace both traditional on-premises and cloud services to deliver a streamlined and cost effective deployment experience.
 ### Windows Autopilot
 Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows PCs and provide end users with a fully configured new Windows device. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator.
 For more information about Windows Autopilot, see [Overview of Windows Autopilot](/autopilot/windows-autopilot) and [Modernizing Windows deployment with Windows Autopilot](https://techcommunity.microsoft.com/t5/windows-blog-archive/modernizing-windows-deployment-with-windows-autopilot/ba-p/167042).
 ### In-place upgrade
 For existing computers running out of support versions of Windows, the recommended path for organizations deploying Windows is to perform an in-place upgrade. An in-place upgrade uses the Windows installation program (`Setup.exe`) to:
 - Automatically preserves all data, settings, applications, and drivers from the existing operating system version
 - Requires the least IT effort, because there's no need for any complex deployment infrastructure
 Although consumer PCs are upgraded using Windows Update, organizations want more control over the process. Control is accomplished by using tools like Microsoft Configuration Manager to completely automate the upgrade process through simple task sequences.
 The in-place upgrade process is designed to be reliable. An in-place upgrade has the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by using the automatically created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications don't need to be reinstalled as part of the process.
 Existing applications are preserved through the process. The upgrade process uses the standard Windows installation media image (Install.wim). Custom images not only aren't needed, but they also can't be used. Custom images can't be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. For example, Contoso Timecard 1.0 in Windows 10 and Contoso Timecard 3.0 in the Windows 11 image.
 Scenarios that support in-place upgrade with some other procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software.
 - **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 doesn't require UEFI, so it works fine to upgrade a system using legacy BIOS emulation. After the upgrade, the system disk can be converted to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk is converted, the firmware of the device must also be configured to boot in UEFI mode. Enabling UEFI also UEFI features such as Secure Boot to be enabled.
 > [!IMPORTANT]
 >
 > Performing an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS is only possible with Windows 10. Windows versions newer than Windows 10 only support UEFI-capable systems and don't support legacy BIOS or MBR.
 - **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs might provide instructions on how to integrate their software into the in-place upgrade process. Check with the ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting:
  - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
  - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
 There are some situations where an in-place upgrade can't be used. In these situations, use traditional deployment methods instead. Examples of these situations include:
 - Changing from an x86 version of Windows 10 to an x64 version of Windows. Versions of Windows newer than Windows 10 are only x64 and don't have an x86 version. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
 - Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
 - Updating existing images. It can be tempting to try to upgrade existing Windows images to a newer version of Windows by installing the old image, upgrading it, and then recapturing the new Windows image. However, this scenario isn't supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and doesn't work. When `Sysprep.exe` detects the upgraded OS, it fails.
 - Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS. If using dual-boot or multi-boot systems with multiple operating systems, then extra care should be taken. Dual-boot and multi-boot systems doesn't include using virtual machines for the second and subsequent operating systems.
 ## Dynamic provisioning
 For new PCs, organizations historically replaced the version of Windows included on the device with their own custom Windows image. A custom image was used because a custom image was often faster and easier than using the preinstalled version. However, reimaging with a custom image is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows, it's now possible to avoid using custom images.
 The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include:
 ### Windows Subscription Activation
 Windows Subscription Activation is a dynamic deployment method that enables changing the edition of Windows from Pro to Enterprise. Windows Subscription Activation requires no keys and no reboots. For more information about Subscription Activation, see [Windows Subscription Activation](windows-subscription-activation.md).
 ### Microsoft Entra join with automatic mobile device management (MDM) enrollment
 In this scenario, the organization member just needs to provide their work or school user ID and password. The device can then be automatically joined to Microsoft Entra ID and enrolled in a mobile device management (MDM) solution with no other user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
 ### Provisioning package configuration
 With the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a device. These packages can then be deployed to new PCs through various means, typically by IT professionals. For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages).
 These scenarios can be used to enable "Bring Your Own Device" (BYOD) or "Choose Your Own Device" (CYOD) programs. With these programs, an organization's users can pick their own PC. They aren't restricted to a small list of approved or certified models. These programs are difficult to implement using traditional deployment scenarios.
 While Windows includes various provisioning settings and deployment mechanisms, provisioning settings and deployment mechanisms continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for more features through the Windows Feedback app or through their Microsoft Support contacts.
 ## Traditional deployment
 In the past, organizations typically deployed Windows using an image-based process built on top of tools provided in:
 - [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md).
 - [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
 - Windows Deployment Services (WDS).
 - Microsoft Deployment Toolkit.
 Scenarios such as in-place upgrade and dynamic provisioning might reduce the need for traditional deployment capabilities in some organizations. However, traditional methods might still need to be used under certain circumstances.
 The traditional deployment scenario can be divided into different sub-scenarios. These sub-scenarios are explained in detail in the following sections, but the following list provides a brief summary:
 - **New computer**: A bare-metal deployment of a new device.
 - **Computer refresh**: A reinstall of the same device (with user-state migration and an optional full Windows Imaging (WIM) image backup).
 - **Computer replace**: A replacement of the old device with a new device (with user-state migration and an optional full WIM image backup).
 ### New computer
 Also called a "bare metal" deployment. This scenario occurs when there's a device with no OS installed on it that needs to be deployed. This scenario can also be an existing device that needs to be wiped and redeployed without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). A full offline media that includes all the files needed for a client deployment can also be generated, allowing deployment without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD).
 The deployment process for the new device scenario is as follows:
 1. Start the setup from boot media (CD, USB, ISO, or PXE).
 1. Wipe the hard disk clean and create new volume(s).
 1. Install the operating system image.
 1. Install other applications (as part of the task sequence).
 After following these steps, the computer is ready for use.
 ### Computer refresh
 A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario.
 The deployment process for the wipe-and-load scenario is as follows:
 1. Start the setup on a running operating system.
 1. Save the user state locally.
 1. Wipe the hard disk clean (except for the folder containing the backup).
 1. Install the operating system image.
 1. Install other applications.
 1. Restore the user state.
 After following these steps, the device is ready for use.
 ### Computer replace
 A computer replace is similar to the refresh scenario. However, since we're replacing the device, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored.
 The deployment process for the replace scenario is as follows:
 1. Save the user state (data and settings) on the server through a backup job on the running operating system.
 1. Deploy the new computer as a bare-metal deployment.
    > [!NOTE]
    >
    > In some situations, the replace scenario can be used even if the target is the same device. For example, replace can be used if disk layout needs to be changed from master boot record (MBR) to GUID partition table (GPT). This conversion allows taking advantage of Unified Extensible Firmware Interface (UEFI) functionality.
 ## Related articles
 - [Upgrade to Windows with Microsoft Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md).
 - [Deploy Windows using PXE and Configuration Manager](deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md).
 - [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference).
 - [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
 - [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi).
--- a/windows/deployment/windows-enterprise-e3-overview.md
+++ b/windows/deployment/windows-enterprise-e3-overview.md
@ -0,0 +1,193 @@
 ---
 title: Windows Enterprise E3 in CSP
 description: Describes Windows Enterprise E3, an offering that delivers, by subscription, the features of Windows Enterprise edition.
 ms.service: windows-client
 ms.localizationpriority: medium
 ms.date: 02/13/2024
 author: frankroj
 ms.author: frankroj
 manager: aaroncz
 ms.topic: article
 ms.subservice: itpro-deploy
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 # Windows Enterprise E3 in CSP
 Windows Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows Enterprise E3 in CSP provides a flexible, per-user subscription for small and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, the following prerequisites must be met:
 - A currently supported version of Windows, installed and activated, on the devices to be upgraded.
 - Microsoft Entra available for identity management.
 Moving from Windows Pro to Windows Enterprise is more easy than ever before with no keys and no reboots. After a user enters the Microsoft Entra credentials associated with a Windows Enterprise E3 license, the operating system turns from Windows Pro to Windows Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows Pro.
 Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows Enterprise to their users. Now, with Windows Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Enterprise edition features.
 When Windows Enterprise E3 is purchased via a partner, the following benefits are included:
 - **Windows Enterprise edition**. Devices currently running Windows Pro can get Windows Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit doesn't include Long Term Service Branch (LTSB).
 - **Support from one to hundreds of users**. Although the Windows Enterprise E3 in CSP program doesn't have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations.
 - **Deploy on up to five devices**. For each user covered by the license, Windows Enterprise edition can be deployed on up to five devices.
 - **Roll back to Windows Pro at any time**. When a user's subscription expires or is transferred to another user, the Windows Enterprise device reverts seamlessly to Windows Pro edition (after a grace period of up to 90 days).
 - **Monthly, per-user pricing model**. This model makes Windows Enterprise E3 affordable for organizations.
 - **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing optimization of the licensing investment against changing needs.
 How does the Windows Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance?
 - [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products.
 - [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits:
  - **Deployment and management**. These benefits include planning services:
    - Microsoft Desktop Optimization (MDOP).
    - Windows Virtual Desktop Access Rights.
    - Windows Roaming Use Rights.
    - Other benefits.
  - **Training**. These benefits include training vouchers, online e-learning, and a home use program.
  - **Support**. These benefits include:
    - 24x7 problem resolution support.
    - Backup capabilities for disaster recovery.
    - System Center Global Service Monitor.
    - A passive secondary instance of SQL Server.
  - **Specialized**. These benefits include step-up licensing availability, which enables migration of software from an earlier edition to a higher-level edition. It also spreads license and Software Assurance payments across three equal, annual sums.
    In addition, in Windows Enterprise E3 in CSP, a partner can manage the licenses for an organization. With Software Assurance, the organization has to manager their own licenses.
 In summary, the Windows Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows Enterprise edition. Microsoft Volume Licensing programs and Software Assurance on the other hand are broader in scope and provide benefits beyond access to the Enterprise edition of Windows.
 ## Compare Windows Pro and Enterprise editions
 Windows Enterprise edition has many features that are unavailable in Windows Pro. Table 1 lists some of the Windows Enterprise features not found in Windows Pro. Many of these features are security-related, whereas others enable finer-grained device management.
 ### Table 1. Windows Enterprise features not found in Windows Pro
 |Feature|Description|
 |--- |--- |
 |Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.<br><br>Credential Guard has the following features:<li>**Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.<li>**Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.<li>**Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.<li>**Improved manageability** -  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.<br><br>For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).<br><br>*Credential Guard requires <ul><li>UEFI 2.3.1 or greater with Trusted Boot</li><li>Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled</li><li>x64 version of Windows</li><li>IOMMU, such as Intel VT-d, AMD-Vi</li><li>BIOS Lockdown</li><li>TPM 2.0 recommended for device health attestation (uses software if TPM 2.0 not present)*</li></ul>|
 |Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they're much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<br><br>For more information, see [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
 |AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.<br><br>For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
 |Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<br><br>For more information, see [Getting started with App-V for Windows client](/windows/application-management/app-v/appv-getting-started).|
 |User Experience Virtualization (UE-V)|With this feature, user-customized Windows and application settings can be captured and stored on a centrally managed network file share.<br><br>When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign into.<br><br>UE-V provides the following features:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after reimaging a virtual machine to its initial state<br><br>For more information, see [User Experience Virtualization (UE-V) overview](/windows/configuration/ue-v/uev-for-windows).|
 |Managed User Experience|This feature helps customize and lock down a Windows device's user interface to restrict it to a specific task. For example, a device can be configured for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. Access to services such as the Windows Store can also be restricted. For Windows 10, Start layout options can also be managed, such as:<li>Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands<li>Removing Log Off (the User tile) from the Start menu<li>Removing frequent programs from the Start menu<li>Removing the All Programs list from the Start menu<li>Preventing users from customizing their Start screen<li>Forcing Start menu to be either full-screen size or menu size<li>Preventing changes to Taskbar and Start menu settings|
 ## Deployment of Windows Enterprise E3 licenses
 See [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
 ## Deploy Windows Enterprise features
 Now that Windows Enterprise edition is running on devices, how are Enterprise edition features and capabilities taken advantage of? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows-pro-and-enterprise-editions)?
 The following sections provide with the high-level tasks that need to be performed in an environment to help users take advantage of the Windows Enterprise edition features.
 ### Credential Guard
 > [!NOTE]
 >
 > Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present).
 Credential Guard can be implemented on Windows Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows virtualization-based (Hyper-V) security features that must be enabled on each device before Credential Guard can be turned on. Credential Guard can be turned on by using one of the following methods:
 - **Automated**. Credential Guard can be turned on for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices.
 - **Manual**. Credential Guard can be manually turned on by taking one of the following actions:
  - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM).
  - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
    These manual steps can be automated by using a management tool such as Microsoft Configuration Manager.
 For more information about implementing Credential Guard, see the following resources:
 - [Credential Guard overview](/windows/security/identity-protection/credential-guard/)
 - [Security considerations for Original Equipment Manufacturers](/windows-hardware/design/device-experiences/oem-security-considerations)
 - [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)
 ### Device Guard
 Now that the devices have Windows Enterprise, Device Guard can be implemented on the Windows Enterprise devices by performing the following steps:
 1. **Optionally, create a signing certificate for code integrity policies**. As code integrity policies are deployed, catalog files or code integrity policies might need to be signed internally. To sign catalog files or code integrity policies internally, either a publicly issued code signing certificate (normally purchase) or an internal certificate authority (CA) is needed. If an internal CA is chosen, a code signing certificate needs to be created.
 2. **Create code integrity policies from "golden" computers**. Departments or roles sometimes use distinctive or partly distinctive sets of hardware and software. In these instances, "golden" computers containing the software and hardware for these departments or roles can be set up. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, a code integrity policy can be created and then decided how to manage that policy. Code integrity policies can be merged to create a broader policy or a primary policy, or each policy can be managed and deployed individually.
 3. **Audit the code integrity policy and capture information about applications that are outside the policy**. Microsoft recommends using "audit mode" to carefully test each code integrity policy before enforcing it. With audit mode, no application is blocked. The policy just logs an event whenever an application outside the policy is started. Later, the policy can be expanded to allow these applications, as needed.
 4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for the unsigned LOB applications. In later steps, the catalog file's signature can be merged into the code integrity policy so that the policy allows applications in the catalog.
 5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log. Once the information is captured, merge that information into the existing policy. Code integrity policies can also be merged from other sources, which allow flexibility in creating the final code integrity policies.
 6. **Deploy code integrity policies and catalog files**. After confirming that all the preceding steps are completed, catalog files can be deployed and the code integrity policies can be taken out of audit mode. Microsoft strongly recommends beginning this process with a test group of users. Testing provides a final quality-control validation before deploying the catalog files and code integrity policies more broadly.
 7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies.
 For more information about implementing Device Guard, see:
 - [Windows Defender Application Control and virtualization-based protection of code integrity](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
 - [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
 ### AppLocker management
 AppLocker in Windows Enterprise can be managed by using Group Policy. Group Policy requires having AD DS and that the Windows Enterprise devices are joined to an AD DS domain. AppLocker rules can be created by using Group Policy. The AppLocker rules can then be targeted to the appropriate devices.
 For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide).
 ### App-V
 App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that are required are:
 - **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, multiple streaming servers might exist. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server.
 - **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. Apps are installed on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app.
 - **App-V client**. The App-V client must be enabled on any Windows Enterprise E3 client device that needs to run apps from the App-V server.
 For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources:
 - [Getting started with App-V for Windows client](/windows/application-management/app-v/appv-getting-started)
 - [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server)
 - [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client)
 ### UE-V
 UE-V requires server and client-side components that need to be downloaded, activated, and installed. These components include:
 - **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices.
 - **Settings packages**. Settings packages created by the UE-V service store application settings and Windows settings. Settings packages are built, locally stored, and copied to the settings storage location.
 - **Settings storage location**. This location is a standard network share that users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings.
 - **Settings location templates**. Settings location templates are XML files that UE-V uses to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. Custom settings location templates can also be created, edited, or validated by using the UE-V template generator. Settings location templates aren't required for Windows applications.
 - **Universal Windows applications list**. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications.
 For more information about deploying UE-V, see the following resources:
 - [User Experience Virtualization (UE-V) overview](/windows/configuration/ue-v/uev-for-windows)
 - [Get Started with UE-V](/windows/configuration/ue-v/uev-getting-started)
 - [Prepare a UE-V Deployment](/windows/configuration/ue-v/uev-prepare-for-deployment)
 ### Managed User Experience
 The Managed User Experience feature is a set of Windows Enterprise edition features and corresponding settings that can be used to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, AD DS is required with the Windows Enterprise devices joined to an AD DS domain.
 #### Table 2. Managed User Experience features
 | Feature          | Description     |
 |------------------|-----------------|
 | Start layout customization | A customized Start layout can be deployed to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. The XML file enables customization of Start layouts for different departments or organizations, with minimal management overhead.<br>For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](/windows/configuration/customize-windows-10-start-screens-by-using-group-policy). |
 | Unbranded boot | Windows elements that appear when Windows starts or resumes can be suppressed. The crash screen when Windows encounters an error from which it can't recover can also be suppressed.<br>For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot). |
 | Custom Logon | The Custom Logon feature can be used to suppress Windows UI elements that relate to the Welcome screen and shutdown screen. For example, all elements of the Welcome screen UI can be suppressed and a custom logon UI can be provided. The Blocked Shutdown Resolver (BSDR) screen can also be suppressed and applications can be automatically ended while the OS waits for applications to close before a shutdown.<br>For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). |
 | Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.<br>For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher). |
 | Keyboard filter | Keyboard Filter can be used to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. These keyboard actions aren't desirable on devices intended for a dedicated purpose.<br>For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). |
 | Unified write filter | The Unified Write Filter (UWF) can be used on a device to help protect physical storage media, including most standard writable storage types supported by Windows, such as: <ul><li>Physical hard disks</li><li>Solid-state drives</li><li>Internal USB devices</li><li>External SATA devices</li></ui>. UWF can also be used to make read-only media appear to the OS as a writable volume.<br>For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). |
 ## Related articles
 - [Windows Enterprise Subscription Activation](windows-subscription-activation.md).
 - [Plan your Microsoft Entra hybrid join implementation](/entra/identity/devices/hybrid-join-plan).
 - [Compare Windows editions](https://www.microsoft.com/windows/business/windows-10-pro-vs-windows-11-pro).
 - [Windows for business](https://www.microsoft.com/windows/business).
--- a/windows/deployment/windows-subscription-activation.md
+++ b/windows/deployment/windows-subscription-activation.md
@ -0,0 +1,216 @@
 ---
 title: Windows subscription activation
 description: Learn how to dynamically enable Windows Enterprise or Education subscriptions.
 ms.service: windows-client
 ms.subservice: itpro-fundamentals
 ms.localizationpriority: medium
 author: frankroj
 ms.author: frankroj
 manager: aaroncz
 ms.collection:
  - highpri
  - tier2
 ms.topic: conceptual
 ms.date: 02/13/2024
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 # Windows subscription activation
 The subscription activation feature enables a "step-up" from Windows Pro edition to Enterprise edition or from Windows Pro Education edition to Education edition. This feature can be used with a subscription to Windows Enterprise E3 or E5 licenses.
 > [!TIP]
 >
 > Windows Pro Education is analogous to Windows Pro, while Windows Education is analogous to Windows Enterprise. In other words, Windows Education is a step-up from Windows Pro Education, similar to how Windows Enterprise is a step-up from Windows Pro.
 The subscription activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later:
 - Standing up on-premises key management services such as KMS or MAK based activation.
 - Entering Generic Volume License Keys (GVLKs).
 - Rebooting client devices.
 For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
 > [!NOTE]
 >
 > Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**:
 >
 > - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
 > - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
 >
 > Although the app ID is the same in both instances, the name of the cloud app depends on the tenant.
 >
 > For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
 ## Subscription activation for Enterprise
 Windows Enterprise E3 and E5 are available as online services via subscription. Windows Enterprise can be deployed in an organization without keys and reboots.
 - Devices with a current Windows Pro edition license can be seamlessly upgraded to Windows Enterprise.
 - Product key-based Windows Enterprise software licenses can be transitioned to Windows Enterprise subscriptions.
 Organizations that have an enterprise agreement can also benefit from the service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Microsoft Entra ID using [Microsoft Entra Connect Sync](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
 > [!NOTE]
 >
 > Subscription activation is available for qualifying devices running currently supported versions of Windows. Subscription activation can't be used to upgrade to a newer version of Windows.
 ## Subscription activation for Education
 Subscription activation for Education works the same as the Enterprise edition. However, in order to use subscription activation for Education, the device must have Windows Pro Education and an active subscription plan with an Enterprise license. For more information, see the [requirements](#windows-education-requirements) section.
 ## Inherited activation
 Inherited activation allows Windows virtual machines to inherit activation state from their Windows client host. When a user with a Windows E3/E5 or A3/A5 license assigned creates a new Windows virtual machine (VM) using a Windows host, the VM inherits the activation state from a host machine. This behavior is independent of whether the user signs on with a local account or uses a Microsoft Entra account on a VM.
 To support inherited activation, both the host computer and the VM must be running a currently supported version of Windows. The hypervisor platform must also be Windows Hyper-V.
 ## Requirements
 ### Windows Enterprise requirements
 > [!NOTE]
 >
 > The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Microsoft Entra joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines).
 > [!IMPORTANT]
 >
 > As of October 1, 2022, subscription activation is available for *commercial* and *GCC* tenants. It's currently not available on GCC High or DoD tenants. <!-- 6783128 --> For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
 For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), the following requirements must be met:
 - A supported version of Windows Pro or Enterprise edition installed on the devices to be upgraded.
 - Microsoft Entra available for identity management.
 - Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-joined or Microsoft Entra registered devices aren't supported.
 For Microsoft customers that don't have EA or MPSA, Windows Enterprise E3/E5 or A3/A5 licenses can be obtained through a cloud solution provider (CSP). Identity management and device requirements are the same when using CSP to manage licenses. For more information about getting Windows Enterprise E3 through a CSP, see [Windows Enterprise E3 in CSP](windows-enterprise-e3-overview.md).
 ### Windows Education requirements
 - A supported version of Windows Pro Education installed on the devices to be upgraded.
 - A device with a Windows Pro Education digital license. This information can be confirmed under **Settings > System > Activation** or under **Settings > Update & Security > Activation**.
 - The Education tenant must have an active subscription to Microsoft 365 with a Windows Enterprise license, or a Windows Enterprise or Education subscription.
 - Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-joined or Microsoft Entra registered devices aren't supported.
 > [!IMPORTANT]
 >
 > If Windows Pro is converted to Windows Pro Education, then subscription activation doesn't work. The device needs to be reimaged to Windows Pro Education for subscription activation to work. Alternatively, reimage the device directly to Windows Education.
 ## Benefits
 With Windows Enterprise or Education editions, an organization can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Education or Enterprise editions to their users. With Windows Enterprise E3/E5 or A3/A5 being available as an online service, it's available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows features.
 To compare Windows editions and review pricing, see the following sites:
 - [Compare Windows editions](https://www.microsoft.com/en-us/windows/business/windows-10-pro-vs-windows-11-pro)
 - [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing)
 Benefits of moving to Windows as an online service include:
 - Licenses for Windows Enterprise and Education are checked based on Microsoft Entra credentials. There's a systematic way to assign licenses to end users and groups in an organization.
 - User sign-in triggers a silent edition upgrade, with no reboot required.
 - Support for mobile worker and "Bring Your Own Device" (BYOD) or "Choose Your Own Device" (CYOD) activation. This support transitions away from on-premises KMS and MAK keys.
 - Compliance support via license assignment.
 - Licenses can be updated to different users dynamically, which allows optimization of the licensing investment against changing needs.
 ## How it works
 The device is Microsoft Entra joined, for example from **Settings** > **Accounts** > **Access work or school**.
 Windows Enterprise is assigned to a user, for example through the Microsoft 365 admin center. When a licensed user signs in to a device that meets requirements using their Microsoft Entra credentials, Windows steps up from Pro edition to Enterprise, or from Pro Education to Education. Once the edition is stepped up, Enterprise/Education features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows Pro or Windows Pro Education edition, once the current subscription validity expires.
 > [!NOTE]
 >
 > - Devices running a supported version of Windows Pro can get Windows Enterprise general availability channel on up to five devices for each user covered by the license. This limit also applies when stepping up from Windows Pro Education to Windows Education. This benefit doesn't include the long term servicing channel.
 >
 > - A Windows Pro device only steps up to Windows Enterprise edition when a **Windows Enterprise** license is assigned from the Microsoft 365 admin center.
 >
 > - A Windows Pro Education device only steps up to Windows Education edition a **Windows Enterprise** license is assigned from the Microsoft 365 admin center.
 ### Scenarios
 #### Scenario #1
 A supported version of Windows is being used. A Windows Enterprise E3 or E5 subscription is purchased, or there's an existing E3 or E5 subscription but Windows Enterprise isn't yet deployed.
 All of the Windows Pro devices step-up to Windows Enterprise. When a subscription activation-enabled user signs in, devices that are already running Windows Enterprise migrate from KMS or MAK activated Enterprise edition to subscription activated Enterprise edition.
 #### Scenario #2
 Microsoft Entra joined devices or Active Directory-joined devices running a supported version of Windows are being used. Microsoft Entra synchronization is configured. The steps in [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md) are followed to get a $0 SKU and a new Windows Enterprise E3 or E5 license in Microsoft Entra ID. The license is then assigned to all of the Microsoft Entra users, which can be Active Directory-synced accounts. When that user signs in, the device automatically steps up from Windows Pro to Windows Enterprise or from Windows Pro Education to Windows Education.
 #### Earlier versions of Windows
 If devices are running Windows 7 or Windows 8.1, more steps are required. A wipe-and-load approach still works, but it can be easier to upgrade from Windows 7 Pro directly to a currently supported Windows 10 Enterprise edition. This path is supported, and completes the move in one step. However, versions of Windows newer than Windows 10 don't support upgrading from Windows 7 or Windows 8.1. For versions of Windows newer than Windows 10, an upgrade to Windows 10 would first be required, followed by upgrading to the version of Windows Enterprise newer than Windows 10. In this scenario, a wipe-and-load might be more practical.
 ### Licenses
 The following policies apply to acquisition and renewal of licenses on devices:
 - Upgraded devices attempt to renew licenses about every 30 days. They must be connected to the internet to successfully acquire or renew a license.
 - If a device is disconnected from the internet, until its current subscription expires Windows reverts to Pro or Pro Education. As soon as the device is connected to the internet again, the license automatically renew.
 - Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the computer where the user hasn't signed in for the longest time reverts to Pro or Pro Education.
 - If a device meets the requirements and a licensed user signs in on that device, the device is upgraded.
 Licenses can be reallocated from one user to another user, allowing optimization of the licensing investment against changing needs.
 With a Microsoft Entra subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal).
 ### Existing Enterprise deployments
 With currently supported version of Windows, subscription activation automatically pulls the firmware-embedded Windows activation key and activates the underlying Pro license. The license then steps up to Enterprise using subscription activation. This behavior automatically migrates devices from KMS or MAK activated Enterprise to subscription activated Enterprise.
 Subscription activation doesn't remove the need to activate the underlying OS. This requirement still exists for running a genuine installation of Windows.
 > [!CAUTION]
 >
 > Firmware-embedded Windows activation happens automatically only during Windows Setup out of box experience (OOBE).
 If the computer has never been activated with a Pro key, use the following script from an elevated PowerShell console:
 ```powershell
 $(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;changepk.exe /Productkey $_ } else { Write-Host "No key present" } }
 ```
 ### Obtaining a Microsoft Entra ID license
 If an organization has an Enterprise Agreement (EA) or Software Assurance (SA):
 - Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Microsoft Entra ID. Ideally, licenses are assigned to groups using the Microsoft Entra ID P1 or P2 feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
 - The license administrator can assign licenses to Microsoft Entra users with the same process used for Microsoft 365 Apps.
 - New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
 If an organization has a Microsoft Products & Services Agreement (MPSA):
 - New customers are automatically emailed the details of the service. Take steps to process the instructions.
 - Existing MPSA customers receive service activation emails that allow their customer administrator to assign users to the service.
 - New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 are enabled for both the traditional key-based and new subscriptions activation method.
 ### Deploying licenses
 For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
 ## Virtual Desktop Access (VDA)
 Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another qualified multitenant hoster (QMTH).
 Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
 ## Related sites
 - Connect domain-joined devices to Microsoft Entra ID for Windows experiences. For more information, see [Plan your Microsoft Entra hybrid join implementation](/entra/identity/devices/hybrid-join-plan).
 - [Compare Windows editions](https://www.microsoft.com/windows/business/compare-windows-11).
 - [Windows for business](https://www.microsoft.com/windows/business).
--- a/windows/security/identity-protection/hello-for-business/configure.md
+++ b/windows/security/identity-protection/hello-for-business/configure.md
@ -87,7 +87,7 @@ To check the Windows Hello for Business policy settings applied at enrollment ti
 ## Policy conflicts from multiple policy sources
-Windows Hello for Business can be configured by GPO or CSP, but not a combination of both. Avoid mixing GPO and CSP policy settings for Windows Hello for Business. If you mix GPO and CSP policy settings, the CSP settings are ignored until all group policy settings are cleared.
+Windows Hello for Business can be configured by GPO or CSP, but not a combination of both. Avoid mixing GPO and CSP policy settings for Windows Hello for Business, as it can lead to unexpected results. If you mix GPO and CSP policy settings, the conflicting CSP settings aren't applied until the group policy settings are cleared.
 > [!IMPORTANT]
 > The [*MDMWinsOverGP*](/windows/client-management/mdm/policy-csp-controlpolicyconflict#mdmwinsovergp) policy setting doesn't apply to Windows Hello for Business. MDMWinsOverGP only applies to policies in the *Policy CSP*, while the Windows Hello for Business policies are in the *PassportForWork CSP*.
`@ -1046,4 +1046,4 @@ Use the following procedures to verify that the PoC environment is configured pr`

	`## Next steps`	`## Next steps`

	`[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)`	`- [Windows 10 deployment scenarios](windows-deployment-scenarios.md).`