Merge branch 'public' of https://github.com/cmknox/windows-itpro-docs into public

2025-05-14 06:17:22 +00:00 · 2021-09-16 14:09:05 -06:00 · 2021-09-16 14:09:05 -06:00 · 32dd02becd
commit 32dd02becd
parent bf1f2ab0cf 45a28a229c
38 changed files with 2306 additions and 189 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -1,5 +1,10 @@
 {
  "redirections": [
    {
      "source_path": "windows/configuration/customize-the-start-menu-layout-on-windows-11.md",
      "redirect_url": "/windows/configuration/customize-start-menu-layout-windows-11",
      "redirect_document_id": false  
    },
    {
      "source_path": "windows/application-management/msix-app-packaging-tool.md",
      "redirect_url": "/windows/application-management/apps-in-windows-10",
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@ -121,6 +121,8 @@ ms.date: 10/08/2020
 - [ADMX_CtrlAltDel/DisableTaskMgr](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disabletaskmgr)
 - [ADMX_CtrlAltDel/NoLogoff](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-nologoff)
 - [ADMX_DataCollection/CommercialIdPolicy](./policy-csp-admx-datacollection.md#admx-datacollection-commercialidpolicy)
 - [ADMX_DCOM/DCOMActivationSecurityCheckAllowLocalList](./policy-csp-admx-dcom.md#admx-dcom-dcomactivationsecuritycheckallowlocallist)
 - [ADMX_DCOM/DCOMActivationSecurityCheckExemptionList](./policy-csp-admx-dcom.md#admx-dcom-dcomactivationsecuritycheckexemptionlist)
 - [ADMX_Desktop/AD_EnableFilter](./policy-csp-admx-desktop.md#admx-desktop-ad-enablefilter)
 - [ADMX_Desktop/AD_HideDirectoryFolder](./policy-csp-admx-desktop.md#admx-desktop-ad-hidedirectoryfolder)
 - [ADMX_Desktop/AD_QueryLimit](./policy-csp-admx-desktop.md#admx-desktop-ad-querylimit)
@ -150,6 +152,8 @@ ms.date: 10/08/2020
 - [ADMX_Desktop/sz_DB_DragDropClose](./policy-csp-admx-desktop.md#admx-desktop-sz-db-dragdropclose)
 - [ADMX_Desktop/sz_DB_Moving](./policy-csp-admx-desktop.md#admx-desktop-sz-db-moving)
 - [ADMX_Desktop/sz_DWP_NoHTMLPaper](./policy-csp-admx-desktop.md#admx-desktop-sz-dwp-nohtmlpaper)
 - [ADMX_DeviceCompat/DeviceFlags](./policy-csp-admx-devicecompat.md#admx-devicecompat-deviceflags)
 - [ADMX_DeviceCompat/DriverShims](./policy-csp-admx-devicecompat.md#admx-devicecompat-drivershims)
 - [ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-allowadmininstall)
 - [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-detailtext)
 - [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-simpletext)
@ -158,6 +162,7 @@ ms.date: 10/08/2020
 - [ADMX_DeviceInstallation/DeviceInstall_Removable_Deny](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-removable-deny)
 - [ADMX_DeviceInstallation/DeviceInstall_SystemRestore](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-systemrestore)
 - [ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-classes-allowuser)
 - [ADMX_DeviceGuard/ConfigCIPolicy](./policy-csp-admx-deviceguard.md#admx-deviceguard-configcipolicy)
 - [ADMX_DeviceSetup/DeviceInstall_BalloonTips](./policy-csp-admx-devicesetup.md#admx-devicesetup-deviceinstall-balloontips)
 - [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration)
 - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1)
@ -185,6 +190,7 @@ ms.date: 10/08/2020
 - [ADMX_DnsClient/DNS_UpdateTopLevelDomainZones](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-updatetopleveldomainzones)
 - [ADMX_DnsClient/DNS_UseDomainNameDevolution](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-usedomainnamedevolution)
 - [ADMX_DnsClient/Turn_Off_Multicast](./policy-csp-admx-dnsclient.md#admx-dnsclient-turn-off-multicast)
 - [ADMX_DFS/DFSDiscoverDC](./policy-csp-admx-dfs.md#admx-dfs-dfsdiscoverdc)
 - [ADMX_DWM/DwmDefaultColorizationColor_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdefaultcolorizationcolor-1)
 - [ADMX_DWM/DwmDefaultColorizationColor_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdefaultcolorizationcolor-2)
 - [ADMX_DWM/DwmDisallowAnimations_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowanimations-1)
@ -203,6 +209,7 @@ ms.date: 10/08/2020
 - [ADMX_EAIME/L_TurnOnLexiconUpdate](./policy-csp-admx-eaime.md#admx-eaime-l-turnonlexiconupdate)
 - [ADMX_EAIME/L_TurnOnLiveStickers](./policy-csp-admx-eaime.md#admx-eaime-l-turnonlivestickers)
 - [ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport](./policy-csp-admx-eaime.md#admx-eaime-l-turnonmisconversionloggingformisconversionreport)
 - [ADMX_EventLogging/EnableProtectedEventLogging](./policy-csp-admx-eventlogging.md#admx-eventlogging-enableprotectedeventlogging)
 - [ADMX_EncryptFilesonMove/NoEncryptOnMove](./policy-csp-admx-encryptfilesonmove.md#admx-encryptfilesonmove-noencryptonmove)
 - [ADMX_EnhancedStorage/ApprovedEnStorDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedenstordevices)
 - [ADMX_EnhancedStorage/ApprovedSilos](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedsilos)
@ -262,11 +269,17 @@ ms.date: 10/08/2020
 - [ADMX_EventLog/Channel_Log_Retention_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-2)
 - [ADMX_EventLog/Channel_Log_Retention_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-3)
 - [ADMX_EventLog/Channel_Log_Retention_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-4)
 - [ADMX_EventViewer/EventViewer_RedirectionProgram](./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionprogram)
 - [ADMX_EventViewer/EventViewer_RedirectionProgramCommandLineParameters](./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionprogramcommandlineparameters)
 - [ADMX_EventViewer/EventViewer_RedirectionURL](./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionurl)
 - [ADMX_Explorer/AdminInfoUrl](./policy-csp-admx-explorer.md#admx-explorer-admininfourl)
 - [ADMX_Explorer/AlwaysShowClassicMenu](./policy-csp-admx-explorer.md#admx-explorer-alwaysshowclassicmenu)
 - [ADMX_Explorer/DisableRoamedProfileInit](./policy-csp-admx-explorer.md#admx-explorer-disableroamedprofileinit)
 - [ADMX_Explorer/PreventItemCreationInUsersFilesFolder](./policy-csp-admx-explorer.md#admx-explorer-preventitemcreationinusersfilesfolder)
 - [ADMX_Explorer/TurnOffSPIAnimations](./policy-csp-admx-explorer.md#admx-explorer-turnoffspianimations)
 - [ADMX_ExternalBoot/PortableOperatingSystem_Hibernate](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_hibernate)
 - [ADMX_ExternalBoot/PortableOperatingSystem_Sleep](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_sleep)
 - [ADMX_ExternalBoot/PortableOperatingSystem_Launcher](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_launcher)
 - [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy)
 - [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol)
 - [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression)
@ -278,6 +291,7 @@ ms.date: 10/08/2020
 - [ADMX_FileSys/SymlinkEvaluation](./policy-csp-admx-filesys.md#admx-filesys-symlinkevaluation)
 - [ADMX_FileSys/TxfDeprecatedFunctionality](./policy-csp-admx-filesys.md#admx-filesys-txfdeprecatedfunctionality)
 - [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy)
 - [ADMX_FileRevocation/DelegatedPackageFamilyNames](./policy-csp-admx-filerevocation.md#admx-filerevocation-delegatedpackagefamilynames)
 - [ADMX_FolderRedirection/DisableFRAdminPin](./policy-csp-admx-folderredirection.md#admx-folderredirection-disablefradminpin)
 - [ADMX_FolderRedirection/DisableFRAdminPinByFolder](./policy-csp-admx-folderredirection.md#admx-folderredirection-disablefradminpinbyfolder)
 - [ADMX_FolderRedirection/FolderRedirectionEnableCacheRename](./policy-csp-admx-folderredirection.md#admx-folderredirection-folderredirectionenablecacherename)
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@ -555,7 +555,18 @@ The following diagram shows the Policy configuration service provider in tree fo
  </dd>
 </dl>
-### ADMX_Desktop policies  
+### ADMX_DCOM policies
 <dl>
  <dd>
    <a href="./policy-csp-admx-dcom.md#admx-dcom-dcomactivationsecuritycheckallowlocallist" id="admx-dcom-dcomactivationsecuritycheckallowlocallist">ADMX_DCOM/DCOMActivationSecurityCheckAllowLocalList</a>
  </dd>
  <dd>
    <a href="./policy-csp-admx-dcom.md#admx-dcom-dcomactivationsecuritycheckexemptionlist" id="admx-dcom-dcomactivationsecuritycheckexemptionlist">ADMX_DCOM/DCOMActivationSecurityCheckExemptionList</a>
  </dd>
 </dl>
 ### ADMX_Desktop policies
 <dl>
  <dd>
@ -647,6 +658,24 @@ The following diagram shows the Policy configuration service provider in tree fo
  </dd>
 </dl>
 ### ADMX_DeviceCompat policies
 <dl>
  <dd>
    <a href="./policy-csp-admx-devicecompat.md#admx-devicecompat-deviceflags" id="#admx-devicecompat-deviceflags">ADMX_DeviceCompat/DeviceFlags</a>
  </dd>
  <dd>
    <a href="./policy-csp-admx-devicecompat.md#admx-devicecompat-drivershims" id="#admx-devicecompat-drivershims">ADMX_DeviceCompat/DriverShims</a>
  </dd>
 <dl>
 ### ADMX_DeviceGuard policies
 <dd>
    <a href="./policy-csp-admx-deviceguard.md#admx-deviceguard-configcipolicy" id="admx-deviceguard-configcipolicy">ADMX_DeviceGuard/ConfigCIPolicy</a>
  </dd>
 <dl>
 ### ADMX_DeviceInstallation policies  
 <dl>
@ -687,9 +716,19 @@ The following diagram shows the Policy configuration service provider in tree fo
  </dd>
 </dl>
-### ADMX_DigitalLocker policies
+### ADMX_DFS policies
-<dl>
+
 </dl>
  <dd>
    <a href="./policy-csp-admx-dfs.md#admx-dfs-dfsdiscoverdc"id="admx-devicesetup-
 dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
  </dd>
 </dl>
 ### ADMX_DigitalLocker policies
 </dl>  
 <dd>
    <a href="./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1" id="admx-digitallocker-digitalx-diableapplication-titletext-1">ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1</a>
  </dd>
  <dd>
@ -697,6 +736,17 @@ The following diagram shows the Policy configuration service provider in tree fo
  </dd>
 </dl>
 ### ADMX_DiskDiagnostic policies
 <dl>
  <dd>
    <a href="./policy-csp-admx-diskdiagnostic.md#admx-diskdiagnostic-dfdalertpolicy" id="admx-diskdiagnostic-dfdalertpolicy">ADMX_DiskDiagnostic/DfdAlertPolicy</a>
  </dd>
  <dd>
    <a href="./policy-csp-admx-diskdiagnostic.md#admx-diskdiagnostic-wdiscenarioexecutionpolicy" id="admx-diskdiagnostic-wdiscenarioexecutionpolicy">ADMX_DiskDiagnostic/WdiScenarioExecutionPolicy</a>
  </dd>
 </dl>
 ### ADMX_DistributedLinkTracking policies  
 <dl>
@ -705,6 +755,7 @@ The following diagram shows the Policy configuration service provider in tree fo
  </dd>
 </dl>
 ### ADMX_DnsClient policies
 <dl>
@ -777,7 +828,6 @@ The following diagram shows the Policy configuration service provider in tree fo
 </dl>
 ### ADMX_DWM policies
 <dl>
  <dd>
    <a href="./policy-csp-admx-dwm.md#admx-dwm-dwmdefaultcolorizationcolor-1" id="admx-dwm-dwmdefaultcolorizationcolor-1">ADMX_DWM/DwmDefaultColorizationColor_1</a>
@ -847,6 +897,13 @@ The following diagram shows the Policy configuration service provider in tree fo
  </dd>
 </dl>
 ### ADMX_EventLogging policies
 <dl>
  <dd>
    <a href="./policy-csp-admx-eventlogging.md#admx-eventlogging-enableprotectedeventlogging" id="admx-eventlogging-enableprotectedeventlogging">ADMX_EventLogging/EnableProtectedEventLogging</a>
  </dd>
 </dl>
 ### ADMX_EnhancedStorage policies  
 <dl>
@ -1041,6 +1098,19 @@ The following diagram shows the Policy configuration service provider in tree fo
  </dd>
 </dl>
 ### ADMX_EventViewer policies  
 <dl>
  <dd>
    <a href="./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionprogram" id="admx-eventviewer-eventviewer_redirectionprogram">ADMX_EventViewer/EventViewer_RedirectionProgram</a>
  </dd>
  <dd>
    <a href="./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionprogramcommandlineparameters" id="admx-eventviewer-eventviewer_redirectionprogramcommandlineparameters">ADMX_EventViewer/EventViewer_RedirectionProgramCommandLineParameters</a>
  </dd>
  <dd>
    <a href="./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionurl" id="admx-eventviewer-eventviewer_redirectionurl">ADMX_EventViewer/EventViewer_RedirectionURL</a>
  <dd>
 ### ADMX_Explorer policies  
 <dl>
@ -1061,6 +1131,19 @@ The following diagram shows the Policy configuration service provider in tree fo
  </dd>
 </dl>
 ### ADMX_ExternalBoot policies  
 <dl>
  <dd>
    <a href="./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_hibernate" id="admx-externalboot-portableoperatingsystem_hibernate">ADMX_ExternalBoot/PortableOperatingSystem_Hibernate</a>
  </dd>
    <a href="./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_sleep" id="admx-externalboot-portableoperatingsystem_sleep">ADMX_ExternalBoot/PortableOperatingSystem_Sleep</a>
  </dd>
  </dd>
    <a href="./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_launcher" id="admx-externalboot-portableoperatingsystem_launcher">ADMX_ExternalBoot/PortableOperatingSystem_Launcher</a>
  </dd>
 <dl>
 ### ADMX_FileRecovery policies
 <dl>
  <dd>
@ -1068,6 +1151,13 @@ The following diagram shows the Policy configuration service provider in tree fo
  </dd>
 </dl>
 ### ADMX_FileRevocation policies
 <dl>
  <dd>
    <a href="./policy-csp-admx-filerevocation.md#admx-filerevocation-delegatedpackagefamilynames" id="admx-filerevocation-delegatedpackagefamilynames">ADMX_FileRevocation/DelegatedPackageFamilyNames</a>
  </dd>
 </dl>
 ### ADMX_FileServerVSSProvider policies
 <dl>
  <dd>
--- a/windows/client-management/mdm/policy-csp-admx-dcom.md
+++ b/windows/client-management/mdm/policy-csp-admx-dcom.md
@ -0,0 +1,212 @@
 ---
 title: Policy CSP - ADMX_DCOM
 description: Policy CSP - ADMX_DCOM
 ms.author: dansimp
 ms.localizationpriority: medium
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nimishasatapathy
 ms.date: 09/08/2021
 ms.reviewer: 
 manager: dansimp
 ---
 # Policy CSP - ADMX_DCOM
 > [!WARNING]
 > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
 <hr/>
 <!--Policies-->
 ## ADMX_DCOM policies  
 <dl>
  <dd>
    <a href="#admx-dcom-dcomactivationsecuritycheckallowlocallist">ADMX_DCOM/DCOMActivationSecurityCheckAllowLocalList</a>
  </dd>
  <dd>
    <a href="#admx-dcom-dcomactivationsecuritycheckexemptionlist">ADMX_DCOM/DCOMActivationSecurityCheckExemptionList</a>
  </dd>
 </dl>
 <hr/>
 <!--Policy-->
 <a href="" id="admx-dcom-dcomactivationsecuritycheckallowlocallist"></a>**ADMX_DCOM/DCOMActivationSecurityCheckAllowLocalList**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Edition</th>
    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting allows you to specify that local computer administrators can supplement the "Define Activation Security Check exemptions" list.
 - If you enable this policy setting, and DCOM does not find an explicit entry for a DCOM server application ID (appid) in the "Define Activation Security Check exemptions" policy (if enabled). Then DCOM will look for an entry in the locally configured list.
 - If you disable this policy setting, DCOM will not look in the locally configured DCOM activation security check exemption list.  
 If you do not configure this policy setting, DCOM will only look in the locally configured exemption list if the "Define Activation Security Check exemptions" policy is not configured.
 > [!NOTE]
 > This policy setting applies to all sites in Trusted zones.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Allow local activation security check exemptions*
 -   GP name: *DCOMActivationSecurityCheckAllowLocalList*
 -   GP path: *Windows Components\AppCompat!AllowLocalActivationSecurityCheckExemptionList*
 -   GP ADMX file name: *DCOM.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="admx-dcom-dcomactivationsecuritycheckexemptionlist"></a>**ADMX_DCOM/DCOMActivationSecurityCheckExemptionList**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Edition</th>
    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting allows you to view and change a list of DCOM server application IDs (appids), which are exempted from the DCOM Activation security check.  
 DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators.  
 DCOM ignores the second list when this policy setting is configured, unless the "Allow local activation security check exemptions" policy is enabled. 
 DCOM server application IDs added to this policy must be listed in curly brace format.
 For example, `{b5dcb061-cefb-42e0-a1be-e6a6438133fe}`.
 If you enter a non-existent or improperly formatted application ID DCOM will add it to the list without checking for errors.  
 - If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. 
 If you add an application ID to this list and set its value to 1, DCOM will not enforce the Activation security check for that DCOM server.   
 If you add an application ID to this list and set its value to 0 DCOM will always enforce the Activation security check for that DCOM server regardless of local 
 settings.  
 - If you disable this policy setting, the application ID exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used.  
 If you do not configure this policy setting, the application ID exemption list defined by local computer administrators is used.  Notes:  The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process.   
 This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults.  If the DCOM server's custom launch permission contains explicit DENY entries this may mean that object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead.  
 The proper action in this situation is to reconfigure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short-term as an application compatibility deployment aid.  
 DCOM servers added to this exemption list are only exempted if their custom launch permissions do not contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups.  
 > [!NOTE]
 > Exemptions for DCOM Server Application IDs added to this list will apply to both 32-bit and 64-bit versions of the server if present.
 > 
 > [!NOTE]
 > This policy setting applies to all sites in Trusted zones.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Allow local activation security check exemptions*
 -   GP name: *DCOMActivationSecurityCheckExemptionList*
 -   GP path: *Windows Components\AppCompat!ListBox_Support_ActivationSecurityCheckExemptionList*
 -   GP ADMX file name: *DCOM.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 > [!NOTE]
 > These policies are currently only available as part of a Windows Insider release.
 <!--/Policies-->
--- a/windows/client-management/mdm/policy-csp-admx-devicecompat.md
+++ b/windows/client-management/mdm/policy-csp-admx-devicecompat.md
@ -0,0 +1,175 @@
 ---
 title: Policy CSP - ADMX_DeviceCompat
 description: Policy CSP - ADMX_DeviceCompat
 ms.author: dansimp
 ms.localizationpriority: medium
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nimishasatapathy
 ms.date: 08/09/2021
 ms.reviewer: 
 manager: dansimp
 ---
 # Policy CSP - ADMX_DeviceCompat
 > [!WARNING]
 > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
 <hr/>
 <!--Policies-->
 ## ADMX_DeviceCompat policies  
 <dl>
  <dd>
    <a href="#admx-devicecompat-deviceflags">ADMX_DeviceCompat/DeviceFlags</a>
  </dd>
  <dd>
    <a href="#admx-devicecompat-drivershims">ADMX_DeviceCompat/DriverShims</a>
  </dd>
 </dl>
 <hr/>
 <!--Policy-->
 <a href="" id="admx-devicecompat-deviceflags"></a>**ADMX_DeviceCompat/DeviceFlags**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Edition</th>
    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 Changes behavior of Microsoft bus drivers to work with specific devices.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Device compatibility settings*
 -   GP name: *DeviceFlags*
 -   GP path: *Windows Components\Device and Driver Compatibility*
 -   GP ADMX file name: *DeviceCompat.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="admx-devicecompat-drivershims"></a>**ADMX_DeviceCompat/DriverShims**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Edition</th>
    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 Changes behavior of third-party drivers to work around incompatibilities introduced between OS versions.		
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Driver compatibility settings*
 -   GP name: *DriverShims*
 -   GP path: *Windows Components\Device and Driver Compatibility*
 -   GP ADMX file name: *DeviceCompat.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <!--/Policies-->
--- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md
@ -0,0 +1,119 @@
 ---
 title: Policy CSP - ADMX_DeviceGuard
 description: Policy CSP - ADMX_DeviceGuard
 ms.author: dansimp
 ms.localizationpriority: medium
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: manikadhiman
 ms.date: 09/08/2021
 ms.reviewer: 
 manager: dansimp
 ---
 # Policy CSP - ADMX_DeviceGuard
 > [!WARNING]
 > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
 <hr/>
 <!--Policies-->
 ## ADMX_DeviceGuard policies  
 <dl>
  <dd>
    <a href="#admx-deviceguard-configcipolicy">ADMX_DeviceGuard/ConfigCIPolicy</a>
  </dd>
 </dl>
 <hr/>
 <!--Policy-->
 <a href="" id="admx-deviceguard-configcipolicy"></a>**ADMX_DeviceGuard/ConfigCIPolicy**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Edition</th>
    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting lets you deploy a Code Integrity Policy to a machine to control what is allowed to run on that machine.  
 If you deploy a Code Integrity Policy, Windows will restrict what can run in both kernel mode and on the Windows Desktop based on the policy. 
 To enable this policy the machine must be rebooted.  
 The file path must be either a UNC path (for example, `\\ServerName\ShareName\SIPolicy.p7b`),
 or a locally valid path (for example, `C:\FolderName\SIPolicy.p7b)`. 
 The local machine account (LOCAL SYSTEM) must have access permission to the policy file.    
 If using a signed and protected policy then disabling this policy setting doesn't remove the feature from the computer. Instead, you must either:  
 1. First update the policy to a non-protected policy and then disable the setting.  
 2. Disable the setting and then remove the policy from each computer, with a physically present user.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Deploy Windows Defender Application Control*
 -   GP name: *ConfigCIPolicy*
 -   GP path: *Windows Components/DeviceGuard!DeployConfigCIPolicy*
 -   GP ADMX file name: *DeviceGuard.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 > [!NOTE]
 > These policies are currently only available as part of a Windows Insider release.
 <!--/Policies-->
--- a/windows/client-management/mdm/policy-csp-admx-dfs.md
+++ b/windows/client-management/mdm/policy-csp-admx-dfs.md
@ -0,0 +1,118 @@
 ---
 title: Policy CSP - ADMX_DFS
 description: Policy CSP - ADMX_DFS
 ms.author: dansimp
 ms.localizationpriority: medium
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nimishasatapathy
 ms.date: 09/08/2021
 ms.reviewer: 
 manager: dansimp
 ---
 # Policy CSP - ADMX_DFS
 > [!WARNING]
 > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
 <hr/>
 <!--Policies-->
 ## ADMX_DFS policies 
 <dl>
  <dd>
    <a href="#admx-dfs-dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
  </dd>
 </dl>
 <hr/>
 <!--Policy-->
 <a href="" id="admx-dfs-dfsdiscoverdc"></a>**ADMX_DFS/DFSDiscoverDC**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Edition</th>
    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting allows you to configure how often a Distributed File System (DFS) client attempts to discover domain controllers on a network. 
 By default, a DFS client attempts to discover domain controllers every 15 minutes.  
 - If you enable this policy setting, you can configure how often a DFS client attempts to discover domain controllers. 
 This value is specified in minutes.  
 - If you disable or do not configure this policy setting, the default value of 15 minutes applies.  
 > [!NOTE]
 > The minimum value you can select is 15 minutes. If you try to set this setting to a value less than 15 minutes, the default value of 15 minutes is applied.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Configure how often a DFS client discovers domain controllers*
 -   GP name: *DFSDiscoverDC*
 -   GP path: *Windows Components\ActiveX Installer Service*
 -   GP ADMX file name: *DFS.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 > [!NOTE]
 > These policies are currently only available as part of a Windows Insider release.
 <!--/Policies-->
--- a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md
+++ b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md
@ -0,0 +1,204 @@
 ---
 title: Policy CSP - ADMX_DiskDiagnostic
 description: Policy CSP - ADMX_DiskDiagnostic
 ms.author: dansimp
 ms.localizationpriority: medium
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nimishasatapathy
 ms.date: 09/08/2021
 ms.reviewer: 
 manager: dansimp
 ---
 # Policy CSP - ADMX_DiskDiagnostic
 > [!WARNING]
 > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
 <hr/>
 <!--Policies-->
 ## ADMX_DiskDiagnostic policies  
 <dl>
  <dd>
    <a href="#admx-diskdiagnostic-dfdalertpolicy">ADMX_DiskDiagnostic/DfdAlertPolicy</a>
  </dd>
  <dd>
    <a href="#admx-diskdiagnostic-wdiscenarioexecutionpolicy">ADMX_DiskDiagnostic/WdiScenarioExecutionPolicy</a>
  </dd>
 </dl>
 <hr/>
 <!--Policy-->
 <a href="" id="admx-diskdiagnostic-dfdalertpolicy"></a>**ADMX_DiskDiagnostic/DfdAlertPolicy**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Edition</th>
    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>No</td>
    <td>No</td>
 <tr>
    <td>Business</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault.
 - If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters.
 - If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message. 
 No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. 
 This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. 
 The DPS can be configured with the Services snap-in to the Microsoft Management Console.
 > [!NOTE]
 > For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Configure custom alert text*
 -   GP name: *DfdAlertPolicy*
 -   GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic*
 -   GP ADMX file name: *DiskDiagnostic.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <hr/>
 <!--Policy-->
 <a href="" id="admx-diskdiagnostic-wdiscenarioexecutionpolicy"></a>**ADMX_DiskDiagnostic/WdiScenarioExecutionPolicy**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Edition</th>
    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>No</td>
    <td>No</td>
 <tr>
    <td>Business</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting determines the execution level for S.M.A.R.T.-based disk diagnostics. 
 Self-Monitoring And Reporting Technology (S.M.A.R.T.) is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S.M.A.R.T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S.M.A.R.T. faults to the event log when they occur.
 - If you enable this policy setting, the DPS also warns users of S.M.A.R.T. faults and guides them through backup and recovery to minimize potential data loss.  
 - If you disable this policy, S.M.A.R.T. faults are still detected and logged, but no corrective action is taken. 
 - If you do not configure this policy setting, the DPS enables S.M.A.R.T. fault resolution by default. This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured.  
 No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. 
 This policy setting takes effect only when the DPS is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. 
 > [!NOTE]
 > For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Configure execution level*
 -   GP name: *WdiScenarioExecutionPolicy*
 -   GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic*
 -   GP ADMX file name: *DiskDiagnostic.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 > [!NOTE]
 > These policies are for upcoming release.
 <!--/Policies-->
--- a/windows/client-management/mdm/policy-csp-admx-eventlogging.md
+++ b/windows/client-management/mdm/policy-csp-admx-eventlogging.md
@ -0,0 +1,114 @@
 ---
 title: Policy CSP - ADMX_EventLogging
 description: Policy CSP - ADMX_EventLogging
 ms.author: dansimp
 ms.localizationpriority: medium
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nimishasatapathy
 ms.date: 09/12/2021
 ms.reviewer: 
 manager: dansimp
 ---
 # Policy CSP - ADMX_EventLogging
 > [!WARNING]
 > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
 <hr/>
 <!--Policies-->
 ## ADMX_EventLogging policies  
 <dl>
  <dd>
    <a href="#admx-eventlogging-enableprotectedeventlogging">ADMX_EventLogging/EnableProtectedEventLogging</a>
  </dd>
 </dl>
 <hr/>
 <!--Policy-->
 <a href="" id="admx-eventlogging-enableprotectedeventlogging"></a>**ADMX_EventLogging/EnableProtectedEventLogging**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Edition</th>
    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting lets you configure Protected Event Logging.  
 - If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data will be encrypted using the Cryptographic Message Syntax (CMS) standard and the public key you provide. 
 You can use the Unprotect-CmsMessage PowerShell cmdlet to decrypt these encrypted messages, provided that you have access to the private key corresponding to the public key that they were encrypted with.  
 - If you disable or do not configure this policy setting, components will not encrypt event log messages before writing them to the event log.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Enable Protected Event Logging*
 -   GP name: *EnableProtectedEventLogging*
 -   GP path: *Windows Components\Event Logging*
 -   GP ADMX file name: *EventLogging.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 > [!NOTE]
 > These policies are currently only available as part of a Windows Insider release.
 <!--/Policies-->
--- a/windows/client-management/mdm/policy-csp-admx-eventviewer.md
+++ b/windows/client-management/mdm/policy-csp-admx-eventviewer.md
@ -0,0 +1,256 @@
 ---
 title: Policy CSP - ADMX_EventViewer
 description: Policy CSP - ADMX_EventViewer
 ms.author: dansimp
 ms.localizationpriority: medium
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nimishasatapathy
 ms.date: 09/13/2021
 ms.reviewer: 
 manager: dansimp
 ---
 # Policy CSP - ADMX_EventViewer
 > [!WARNING]
 > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
 <hr/>
 <!--Policies-->
 ## ADMX_EventViewer policies  
 <dl>
  <dd>
    <a href="#admx-eventviewer-eventviewer_redirectionprogram">ADMX_EventViewer/EventViewer_RedirectionProgram</a>
  </dd>
  <dd>
    <a href="#admx-eventviewer-eventviewer_redirectionprogramcommandlineparameters">ADMX_EventViewer_RedirectionProgramCommandLineParameters</a>
  </dd>
  <dd>
    <a href="#admx-eventviewer-eventviewer_redirectionurl">ADMX_EventViewer/EventViewer_RedirectionURL</a>
  </dd>
 </dl>
 <hr/>
 <!--Policy-->
 <a href="" id="admx-eventviewer-eventviewer_redirectionprogram"></a>**ADMX_EventViewer/EventViewer_RedirectionProgram**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Edition</th>
    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This is the program that will be invoked when the user clicks the `events.asp` link.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Events.asp program*
 -   GP name: *EventViewer_RedirectionProgram*
 -   GP path: *Windows Components\Event Viewer*
 -   GP ADMX file name: *EventViewer.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="admx-eventviewer-eventviewer_redirectionprogramcommandlineparameters"></a>**ADMX_EventViewer/EventViewer_RedirectionProgramCommandLineParameters**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Edition</th>
    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This specifies the command line parameters that will be passed to the `events.asp` program.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Events.asp program command line parameters*
 -   GP name: *EventViewer_RedirectionProgramCommandLineParameters*
 -   GP path: *Windows Components\Event Viewer*
 -   GP ADMX file name: *EventViewer.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="admx-eventviewer-eventviewer_redirectionurl"></a>**ADMX_EventViewer/EventViewer_RedirectionURL**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Edition</th>
    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This is the URL that will be passed to the Description area in the Event Properties dialog box. 
 Change this value if you want to use a different Web server to handle event information requests.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Events.asp URL*
 -   GP name: *EventViewer_RedirectionURL*
 -   GP path: *Windows Components\Event Viewer*
 -   GP ADMX file name: *EventViewer.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--/Policies-->
--- a/windows/client-management/mdm/policy-csp-admx-externalboot.md
+++ b/windows/client-management/mdm/policy-csp-admx-externalboot.md
@ -0,0 +1,274 @@
 ---
 title: Policy CSP - ADMX_ExternalBoot
 description: Policy CSP - ADMX_ExternalBoot
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nimishasatapathy
 ms.localizationpriority: medium
 ms.date: 09/13/2021
 ms.reviewer: 
 manager: dansimp
 ---
 # Policy CSP - ADMX_ExternalBoot
 > [!WARNING]
 > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
 <hr/>
 <!--Policies-->
 ## Policy CSP - ADMX_ExternalBoot  
 <dl>
  <dd>
    <a href="#admx-externalboot-portableoperatingsystem_hibernate">ADMX_ExternalBoot/PortableOperatingSystem_Hibernate
    </a>
  </dd>
  <dd>
    <a href="#admx-externalboot-portableoperatingsystem_sleep">ADMX_ExternalBoot/PortableOperatingSystem_Sleep
    </a>
  </dd>
  <dd>
    <a href="#admx-externalboot-portableoperatingsystem_launcher">ADMX_ExternalBoot/PortableOperatingSystem_Launcher
    </a>
  </dd>
 <dl>
 <hr/>
 <!--Policy-->
 <a href="" id="admx-externalboot-portableoperatingsystem_hibernate"></a>**ADMX_ExternalBoot/PortableOperatingSystem_Hibernate**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Edition</th>
    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace.  
 - If you enable this setting, Windows, when started from a Windows To Go workspace, can hibernate the PC.  
 - If you disable or do not configure this setting, Windows, when started from a Windows To Go workspace, and cannot hibernate the PC.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Allow hibernate (S4) when starting from a Windows To Go workspace*
 -   GP name: *PortableOperatingSystem_Hibernate*
 -   GP path: *Windows Components\Portable Operating System*
 -   GP ADMX file name: *ExternalBoot.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="admx-externalboot-portableoperatingsystem_sleep"></a>**ADMX_ExternalBoot/PortableOperatingSystem_Sleep**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Edition</th>
    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>No</td>
    <td>No</td>
 <tr>
    <td>Business</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy specifies whether the PC can use standby sleep states (S1-S3) when starting from a Windows To Go workspace.  
 If you enable this setting, Windows, when started from a Windows To Go workspace, cannot use standby states to make the PC sleep.  
 If you disable or do not configure this setting, Windows, when started from a Windows To Go workspace, can use standby states to make the PC sleep.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Disallow standby sleep states (S1-S3) when starting from a Windows to Go workspace*
 -   GP name: *PortableOperatingSystem_Sleep*
 -   GP path: *Windows Components\Portable Operating System*
 -   GP ADMX file name: *ExternalBoot.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="admx-externalboot-portableoperatingsystem_launcher"></a>**ADMX_ExternalBoot/PortableOperatingSystem_Launcher**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Edition</th>
    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the Windows To Go Startup Options Control Panel item.  
 - If you enable this setting, booting to Windows To Go when a USB device is connected will be enabled, and users will not be able to make changes using the Windows To Go Startup Options Control Panel item.  
 - If you disable this setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the BIOS or other boot order configuration.  
 If you do not configure this setting, users who are members of the Administrators group can make changes using the Windows To Go Startup Options Control Panel item.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Windows To Go Default Startup Options*
 -   GP name: *PortableOperatingSystem_Launcher*
 -   GP path: *Windows Components\Portable Operating System*
 -   GP ADMX file name: *ExternalBoot.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <!--/Policies-->
--- a/windows/client-management/mdm/policy-csp-admx-filerevocation.md
+++ b/windows/client-management/mdm/policy-csp-admx-filerevocation.md
@ -0,0 +1,115 @@
 ---
 title: Policy CSP - ADMX_FileRevocation
 description: Policy CSP - ADMX_FileRevocation
 ms.author: dansimp
 ms.localizationpriority: medium
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nimishasatapathy
 ms.date: 09/13/2021
 ms.reviewer: 
 manager: dansimp
 ---
 # Policy CSP - ADMX_FileRevocation
 > [!WARNING]
 > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
 <hr/>
 <!--Policies-->
 <dl>
  <dd>
    <a href="#admx-filerevocation-delegatedpackagefamilynames">ADMX_FileRevocation/DelegatedPackageFamilyNames</a>
  </dd>
 </dl>
 <hr/>
 <!--Policy-->
 <a href="" id="admx-filerevocation-delegatedpackagefamilynames"></a>**ADMX_FileRevocation/DelegatedPackageFamilyNames**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Edition</th>
    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * User
 <!--/Scope-->
 <!--Description-->
 Windows Runtime applications can protect content which has been associated with an enterprise identifier (EID), but can only revoke access to content it protected. To allow an application to revoke access to all content on the device that is protected by a particular enterprise, add an entry to the list on a new line that contains the enterprise identifier, separated by a comma, and the Package Family Name of the application. The EID must be an internet domain belonging to the enterprise in standard international domain name format.   
 Example value: `Contoso.com,ContosoIT.HumanResourcesApp_m5g0r7arhahqy` 
 - If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device.    
 - If you disable or do not configure this policy setting, the only Windows Runtime applications that can revoke access to all enterprise-protected content on the device are Windows Mail and the user-selected mailto protocol handler app.  
 Any other Windows Runtime application will only be able to revoke access to content it protected.  
 > [!NOTE]
 > Information the user should notice even if skimmingFile revocation applies to all content protected under the same second level domain as the provided enterprise identifier. Therefore, revoking an enterprise ID of `mail.contoso.com` will revoke the user’s access to all content protected under the contoso.com hierarchy.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Allow Windows Runtime apps to revoke enterprise data.*
 -   GP name: *DelegatedPackageFamilyNames*
 -   GP path: *Windows Components\File Revocation*
 -   GP ADMX file name: *FileRevocation.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 > [!NOTE]
 > These policies are currently only available as part of a Windows Insider release.
 <!--/Policies-->
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@ -27,6 +27,9 @@ manager: dansimp
  <dd>
    <a href="#kerberos-kerberosclientsupportsclaimscompoundarmor">Kerberos/KerberosClientSupportsClaimsCompoundArmor</a>
  </dd>
  <dd>
    <a href="#kerberos-pkinithashalgorithmconfiguration">Kerberos/PKInitHashAlgorithmConfiguration</a>
  </dd>
  <dd>
    <a href="#kerberos-requirekerberosarmoring">Kerberos/RequireKerberosArmoring</a>
  </dd>
@ -50,28 +53,34 @@ manager: dansimp
 <!--SupportedSKUs-->
 <table>
 <tr>
-    <th>Windows Edition</th>
+    <th>Edition</th>
-    <th>Supported?</th>
+    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
@ -120,28 +129,34 @@ ADMX Info:
 <!--SupportedSKUs-->
 <table>
 <tr>
-    <th>Windows Edition</th>
+    <th>Edition</th>
-    <th>Supported?</th>
+    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
@ -183,34 +198,124 @@ ADMX Info:
 <hr/>
 <!--Policy-->
 <a href="" id="kerberos-pkinithashalgorithmconfiguration"></a>**Kerberos/PKInitHashAlgorithmConfiguration**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Edition</th>
    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication.
 If you enable this policy, you will be able to configure one of four states for each algorithm:
 * **Default**: This sets the algorithm to the recommended state.
 * **Supported**: This enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
 * **Audited**: This enables usage of the algorithm and reports an event (ID 205) every time it is used. This state is intended to verify that the algorithm is not being used and can be safely disabled.
 * **Not Supported**: This disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
 If you disable or do not configure this policy, each algorithm will assume the **Default** state.
 More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Introducing agility to PKINIT in Kerberos protocol*
 -   GP name: *PKInitHashAlgorithmConfiguration*
 -   GP path: *System/Kerberos*
 -   GP ADMX file name: *Kerberos.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="kerberos-requirekerberosarmoring"></a>**Kerberos/RequireKerberosArmoring**  
 <!--SupportedSKUs-->
 <table>
 <tr>
-    <th>Windows Edition</th>
+    <th>Edition</th>
-    <th>Supported?</th>
+    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 </table>
@ -233,7 +338,8 @@ Warning: When a domain does not support Kerberos armoring by enabling "Support D
 If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. 
-Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. 
+> [!NOTE]
 > The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. 
 If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
@ -263,28 +369,34 @@ ADMX Info:
 <!--SupportedSKUs-->
 <table>
 <tr>
-    <th>Windows Edition</th>
+    <th>Edition</th>
-    <th>Supported?</th>
+    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 </table>
@ -333,28 +445,34 @@ ADMX Info:
 <!--SupportedSKUs-->
 <table>
 <tr>
-    <th>Windows Edition</th>
+    <th>Edition</th>
-    <th>Supported?</th>
+    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 </table>
@ -379,7 +497,8 @@ If you enable this policy setting, the Kerberos client or server uses the config
 If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. 
-Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
+> [!NOTE]
 > This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
 <!--/Description-->
 > [!TIP]
@ -407,28 +526,34 @@ ADMX Info:
 <!--SupportedSKUs-->
 <table>
 <tr>
-    <th>Windows Edition</th>
+    <th>Edition</th>
-    <th>Supported?</th>
+    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 </table>
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@ -439,12 +439,20 @@ items:
              href: policy-csp-admx-ctrlaltdel.md
            - name: ADMX_DataCollection
              href: policy-csp-admx-datacollection.md
            - name: ADMX_DCOM
              href: policy-csp-admx-dcom.md
            - name: ADMX_Desktop
              href: policy-csp-admx-desktop.md
            - name: ADMX_DeviceCompat
              href: policy-csp-admx-devicecompat.md
            - name: ADMX_DeviceGuard
              href: policy-csp-admx-deviceguard.md   
            - name: ADMX_DeviceInstallation
              href: policy-csp-admx-deviceinstallation.md
            - name: ADMX_DeviceSetup
              href: policy-csp-admx-devicesetup.md
            - name: ADMX_DFS
              href: policy-csp-admx-dfs.md
            - name: ADMX_DigitalLocker
              href: policy-csp-admx-digitallocker.md
            - name: ADMX_DistributedLinkTracking
@ -457,6 +465,8 @@ items:
              href: policy-csp-admx-eaime.md
            - name: ADMX_EncryptFilesonMove
              href: policy-csp-admx-encryptfilesonmove.md
            - name: ADMX_EventLogging
              href: policy-csp-admx-eventlogging.md  
            - name: ADMX_EnhancedStorage
              href: policy-csp-admx-enhancedstorage.md
            - name: ADMX_ErrorReporting
@ -465,10 +475,16 @@ items:
              href: policy-csp-admx-eventforwarding.md
            - name: ADMX_EventLog
              href: policy-csp-admx-eventlog.md
            - name: ADMX_EventViewer
              href: policy-csp-admx-eventviewer.md  
            - name: ADMX_Explorer
              href: policy-csp-admx-explorer.md
            - name: ADMX_ExternalBoot
              href: policy-csp-admx-externalboot.md  
            - name: ADMX_FileRecovery
              href: policy-csp-admx-filerecovery.md
            - name: ADMX_FileRevocation
              href: policy-csp-admx-filerevocation.md  
            - name: ADMX_FileServerVSSProvider
              href: policy-csp-admx-fileservervssprovider.md
            - name: ADMX_FileSys
--- a/windows/configuration/TOC.yml
+++ b/windows/configuration/TOC.yml
@ -2,6 +2,12 @@
  href: index.yml
 - name: Customize the appearance
  items:
    - name: Windows 11
      items:
        - name: Start menu layout
          href: customize-start-menu-layout-windows-11.md
        - name: Supported Start menu CSPs
          href: supported-csp-start-menu-layout-windows.md
    - name: Windows 10 Start and taskbar
      items:
        - name: Start layout and taskbar
@ -58,7 +64,7 @@
      href: set-up-shared-or-guest-pc.md
    - name: Set up a kiosk on Windows 10 Mobile 
      href: mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md 
-    - name: Additional kiosk reference information
+    - name: Kiosk reference information
      items:
        - name: More kiosk methods and reference information
          href: kiosk-additional-reference.md
@ -123,7 +129,7 @@
          href: cortana-at-work/cortana-at-work-testing-scenarios.md
        - name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query
          href: cortana-at-work/cortana-at-work-scenario-1.md
-        - name: Test scenario 2 - Perform a Bing search with Cortana
+        - name: Test scenario 2 - Run a Bing search with Cortana
          href: cortana-at-work/cortana-at-work-scenario-2.md
        - name: Test scenario 3 - Set a reminder
          href: cortana-at-work/cortana-at-work-scenario-3.md
@ -131,9 +137,9 @@
          href: cortana-at-work/cortana-at-work-scenario-4.md
        - name: Test scenario 5 - Find out about a person
          href: cortana-at-work/cortana-at-work-scenario-5.md
-        - name: Test scenario 6 - Change your language and perform a quick search with Cortana
+        - name: Test scenario 6 - Change your language and run a quick search with Cortana
          href: cortana-at-work/cortana-at-work-scenario-6.md
-    - name: Send feedback about Cortana back to Microsoftr
+    - name: Send feedback about Cortana back to Microsoft
      href: cortana-at-work/cortana-at-work-feedback.md
    - name: Testing scenarios using Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
      items:
@ -143,13 +149,13 @@
          href: cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
        - name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query
          href: cortana-at-work/test-scenario-1.md
-        - name: Test scenario 2 - Perform a quick search with Cortana at work
+        - name: Test scenario 2 - Run a quick search with Cortana at work
          href: cortana-at-work/test-scenario-2.md
        - name: Test scenario 3 - Set a reminder for a specific location using Cortana at work
          href: cortana-at-work/test-scenario-3.md
        - name: Test scenario 4 - Use Cortana at work to find your upcoming meetings
          href: cortana-at-work/test-scenario-4.md
-        - name: Test scenario 5 - Use Cortana to send email to a co-worker
+        - name: Test scenario 5 - Use Cortana to send email to a coworker
          href: cortana-at-work/test-scenario-5.md
        - name: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
          href: cortana-at-work/test-scenario-6.md
@ -335,7 +341,7 @@
              href: ue-v/uev-deploy-uev-for-custom-applications.md
        - name: Administer UE-V
          items:
-            - name: UE-V administion guide
+            - name: UE-V administration guide
              href: ue-v/uev-administering-uev.md
            - name: Manage Configurations for UE-V
              items:
--- a/windows/configuration/customize-start-menu-layout-windows-11.md
+++ b/windows/configuration/customize-start-menu-layout-windows-11.md
@ -0,0 +1,169 @@
 ---
 title: Add or remove pinned apps on the Start menu in Windows 11 | Microsoft Docs
 description: Export Start layout to LayoutModification.json with pinned apps, add or remove pinned apps, and use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices.
 ms.assetid: 
 manager: dougeby
 ms.author: mandia
 ms.reviewer: ericpapa
 ms.prod: w11
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: mobile
 author: MandiOhlinger
 ms.date: 09/14/2021
 ms.localizationpriority: medium
 ---
 # Customize the Start menu layout on Windows 11
 **Applies to**:
 - Windows 11
 > **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu).
 Your organization can deploy a customized Start layout to your Windows 11 devices. Customizing the Start layout is common when you have similar devices used by many users, or you want to pin specific apps.
 For example, you can override the default set of apps with your own a set of pinned apps, and in the order you choose. As an administrator, use this feature to pin apps, remove default pinned apps, order the apps, and more.
 To add apps you want pinned to the Start menu, you use a JSON file. In previous Windows versions, IT administrators used an XML file to customize the Start menu. The XML file isn't available on Windows 11 and later ***unless*** [you're an OEM](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu).
 This article shows you how to export an existing Start menu layout, and use the JSON in a Microsoft Intune MDM policy.
 ## Before you begin
 - When you customize the Start layout, you overwrite the entire full layout. A partial Start layout isn't available. Users can pin and unpin apps, and uninstall apps from Start. You can't prevent users from changing the layout.
 - It's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. For Microsoft, that includes using Microsoft Endpoint Manager. Endpoint Manager includes Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
  In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
  - [Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview)
  - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
  - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
 ## Start menu features and areas
 In Windows 11, the Start menu is redesigned with a simplified set of apps that are arranged in a grid of pages. There aren't folders, groups, or different-sized app icons:
 :::image type="content" source="./images/customize-start-menu-layout-windows-11/start-menu-layout.png" alt-text="Sample start menu layout on Windows 11 devices that shows pinned apps, access to all apps, and shows recommended files.":::
 Start has the following areas:
 - **Pinned**: Shows pinned apps, or a subset of all of the apps installed on the device. You can create a list of pinned apps you want on the devices using the **ConfigureStartPins** policy. **ConfigureStartPins** overrides the entire layout, which also removes apps that are pinned by default.
  This article shows you how to use the **ConfigureStartPins** policy.
 - **All apps**: Users select this option to see an alphabetical list of all the apps on the device. This section can't be customized using the JSON file. You can use the `Start/ShowOrHideMostUsedApps` CSP, which is a policy to configure the "Most used" section at the top of the all apps list.
 - **Recommended**: Shows recently opened files and recently installed apps. This section can't be customized using the JSON file. To prevent files from showing in this section, you can use the [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists). This CSP also hides recent files that show from the taskbar.
  You can use an MDM provider, like Microsoft Intune, to manage the [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) on your devices. For more information on the Start menu settings you can configure in a Microsoft Intune policy, see [Windows 10 (and later) device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10#start).
 ## Create the JSON file
 On an existing Windows 11 device, set up your own Start layout with the pinned apps you want users to see. Then, use the [Windows PowerShell Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet to export the existing layout to a `LayoutModification.json` file.
 The JSON file controls the Start menu layout, and lists all the apps that are pinned. You can update the JSON file to:
 - Change the order of existing apps. The apps in the JSON file are shown on Start in the same order.
 - Add more apps by entering the app ID. For more information, see [Get the pinnedList JSON](#get-the-pinnedlist-json) (in this article).
 If you're familiar with creating JSON files, you can create your own `LayoutModification.json` file. But, it's easier and faster to export the layout from an existing device.
 ### Export an existing Start layout
 1. Create a folder to save the `.json` file. For example, create the `C:\Layouts` folder.
 2. On a Windows 11 device, open the Windows PowerShell app.
 3. Run the following cmdlet. Name the file `LayoutModification.json`.
    ```powershell
    Export-StartLayout -Path "C:\Layouts\LayoutModification.json" 
    ```
 ### Get the pinnedList JSON
 1. Open the `LayoutModification.json` file in a JSON editor, such as Visual Studio Code or Notepad. For more information, see [edit JSON with Visual Studio Code](https://code.visualstudio.com/docs/languages/json).
 2. In the file, you see the `pinnedList` section. This section includes all of the pinned apps. Copy the `pinnedList` content in the JSON file. You'll use it in the next section.
    In the following example, you see that Microsoft Edge, Microsoft Word, the Microsoft Store app, and Notepad are pinned:
    ```json
    { 
      "pinnedList": [ 
        { "desktopAppId": "MSEdge" }, 
        { "desktopAppId": "Microsoft.Office.WINWORD.EXE.15" }, 
        { "packagedAppId": "Microsoft.WindowsStore_8wekyb3d8bbwe!App" }, 
        { "packagedAppId": "Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" } 
      ] 
    } 
    ```
 3. Starting with Windows 11, the **ConfigureStartPins** policy is available. This policy uses the `LayoutModification.json` file to add apps to the Pinned section. In your JSON file, you can add more apps to this section using the following keys:
    ---
    | Key | Description |
    | --- | --- |
    | packagedAppID | Use this option for Universal Windows Platform apps. To pin a UWP app, use the app's AUMID.|
    | desktopAppID | Use this option for unpackaged Win32 apps. To pin a Win32 app, use the app's AUMID. If the app doesn't have an AUMID, then enter the `desktopAppLink` instead. |
    | desktopAppLink | Use this option for unpackaged Win32 apps that don't have an associated AUMID. To pin this type of app, use the path to the `.lnk` shortcut that points to the app. |
 ## Use MDM to create and deploy a pinned list policy
 Now that you have the JSON syntax, you're ready to deploy your customized Start layout to devices in your organization.
 MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD).  Using an MDM provider, such as Microsoft Intune, you can deploy a policy that configures the pinned list.
 This section shows you how to create a pinned list policy in Microsoft Intune. There isn't a Group Policy to create a pinned list.
 ### Create a pinned list using a Microsoft Intune policy
 To deploy this policy in Microsoft Intune, the devices must be enrolled in Microsoft Intune, and managed by your organization. For more information, see [What is device enrollment in Intune?](/mem/intune/enrollment/device-enrollment).
 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** > **Configuration profiles** > **Create profile**.
 3. Enter the following properties:
    - **Platform**: Select **Windows 10 and later**.
    - **Profile**: Select **Templates** > **Custom**.
 4. Select **Create**.
 5. In **Basics**, enter the following properties:
    - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is **Win11: Custom Start layout**.
    - **Description**: Enter a description for the profile. This setting is optional, and recommended.
 6. Select **Next**.
 7. In **Configuration settings** > **OMA-URI**, select **Add**. Add the following properties:
    - **Name**: Enter something like **Configure Start pins**.
    - **Description**: Enter a description for the row. This setting is optional, and recommended.
    - **OMA-URI**: Enter `./Vendor/MSFT/Policy/Config/Start/ConfigureStartPins`.
    - **Data type**: Select **String**.
    - **Value**: Paste the JSON you created or updated in the previous section. For example, enter the following text:
      ```json
      { 
        "pinnedList": [ 
          { "desktopAppId": "MSEdge" }, 
          { "desktopAppId": "Microsoft.Office.WINWORD.EXE.15" }, 
          { "packagedAppId": "Microsoft.WindowsStore_8wekyb3d8bbwe!App" }, 
          { "packagedAppId": "Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" } 
        ] 
      } 
      ```
    Your settings look similar to the following settings:
    :::image type="content" source="./images/customize-start-menu-layout-windows-11/endpoint-manager-admin-center-custom-oma-uri-start-layout.png" alt-text="Custom OMA-URI settings to customize Start menu layout using pinnedList":::
 8. Select **Save** > **Next** to save your changes.
 9. Configure the rest of the policy settings. For more specific information, see [Create a profile with custom settings in Intune](/mem/intune/configuration/custom-settings-configure).
 The Windows OS has many CSPs that apply to the Start menu. Using an MDM provider, like Intune, you can use these CSPs to customize Start even more. For a list, see [Supported CSP policies for Windows 11 Start menu](supported-csp-start-menu-layout-windows.md).
 ### Deploy the policy using Microsoft Intune
 When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized Start layout, the policy can be deployed before users sign in the first time.
 For more information on assigning policies using Microsoft Intune, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign).
--- a/windows/configuration/images/customize-start-menu-layout-windows-11/endpoint-manager-admin-center-custom-oma-uri-start-layout.png
+++ b/windows/configuration/images/customize-start-menu-layout-windows-11/endpoint-manager-admin-center-custom-oma-uri-start-layout.png
--- a/windows/configuration/images/customize-start-menu-layout-windows-11/start-menu-layout.png
+++ b/windows/configuration/images/customize-start-menu-layout-windows-11/start-menu-layout.png
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@ -1,6 +1,6 @@
 ---
-title: Provisioning packages (Windows 10)
+title: Provisioning packages (Windows)
-description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
 ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC
 ms.reviewer: 
 manager: dansimp
@ -11,37 +11,38 @@ author: greg-lindsay
 ms.author: greglin
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 09/07/2021
 ---
-# Provisioning packages for Windows 10
+# Provisioning packages for Windows
 **Applies to**
 - Windows 10
- Windows 10 Mobile
+- Windows 11
 Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. 
-A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows 10 and 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
 Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization.
-The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Windows Configuration Designer, a tool for configuring provisioning packages. Windows Configuration Designer is also available as an [app in the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). 
+<!-- The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Windows Configuration Designer, a tool for configuring provisioning packages.--> 
 Windows Configuration Designer is available as an [app in the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). 
-## New in Windows 10, version 1703
+<!--## New in Windows 10, version 1703-->
- The tool for creating provisioning packages is renamed Windows Configuration Designer, replacing the Windows Imaging and Configuration Designer (ICD) tool. The components for creating images have been removed from Windows Configuration Designer, which now provides access to runtime settings only.
+<!-- - The tool for creating provisioning packages is renamed Windows Configuration Designer, replacing the Windows Configuration Designer (WCD) tool. The components for creating images have been removed from Windows Configuration Designer, which now provides access to runtime settings only. -->
- Windows Configuration Designer can still be installed from the Windows ADK. You can also install it from the Microsoft Store.
+<!-- - Windows Configuration Designer can still be installed from the Windows ADK. You can also install it from the Microsoft Store. -->
- Windows Configuration Designer adds more wizards to make it easier to create provisioning packages for specific scenarios. See [What you can configure](#configuration-designer-wizards) for wizard descriptions.
+<!-- - Windows Configuration Designer adds more wizards to make it easier to create provisioning packages for specific scenarios. See [What you can configure](#configuration-designer-wizards) for wizard descriptions. -->
- The  Provision desktop devices wizard (previously called Simple provisioning) now enables joining Azure Active Directory (Azure AD) domains and also allows you to remove non-Microsoft software from Windows desktop devices during provisioning.
+<!-- - The  Provision desktop devices wizard (previously called Simple provisioning) now enables joining Azure Active Directory (Azure AD) domains and also allows you to remove non-Microsoft software from Windows desktop devices during provisioning. -->
- When provisioning packages are applied to a device, a status screen indicates successful or failed provisioning. 
+<!-- - When provisioning packages are applied to a device, a status screen indicates successful or failed provisioning. -->
- Windows 10 includes PowerShell cmdlets that simplify scripted provisioning. Using these cmdlets, you can add provisioning packages, remove provisioning packages and generate log files to investigate provisioning errors.
+<!-- - Windows 10 includes PowerShell cmdlets that simplify scripted provisioning. Using these cmdlets, you can add provisioning packages, remove provisioning packages and generate log files to investigate provisioning errors.-->
- The Provision school devices wizard is removed from Windows Configuration Designer. Instead, use the [Setup School PCs app](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) from the Microsoft Store.
+<!-- - The Provision school devices wizard is removed from Windows Configuration Designer. Instead, use the [Setup School PCs app](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) from the Microsoft Store. -->
 <!-- Provisioning packages can be made available [using NFC and barcodes](provisioning-nfc.md).--> 
@ -75,16 +76,27 @@ Provisioning packages can be:
 The following table describes settings that you can configure using the wizards in Windows Configuration Designer to create provisioning packages.
-<table><tr><td align="left"><strong>Step</strong></td><td align="left"><strong>Description</strong></td><td><strong>Desktop wizard</strong></td><td align="center"><strong>Mobile wizard</strong></td><td><strong>Kiosk wizard</strong></td><td><strong>HoloLens wizard</strong></td></tr>
+<table><tr><td align="left"><strong>Step</strong></td><td align="left"><strong>Description</strong></td><td><strong>Desktop wizard</strong></td><td><strong>Kiosk wizard</strong></td><td><strong>HoloLens wizard</strong></td></tr>
-<tr><td valign="top">Set up device</td><td valign="top">Assign device name,</br>enter product key to upgrade Windows,</br>configure shared used,</br>remove pre-installed software</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></br>(Only device name and upgrade key)</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr>
+<tr><td valign="top">Set up device</td><td valign="top">Assign device name,</br>enter product key to upgrade Windows,</br>configure shared used,</br>remove pre-installed software</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr>
-<tr><td valign="top">Set up network</td><td valign="top">Connect to a Wi-Fi network</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr>
+<tr><td valign="top">Set up network</td><td valign="top">Connect to a Wi-Fi network</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr>
-<tr><td valign="top">Account management</td><td valign="top">Enroll device in Active Directory,</br>enroll device in Azure Active Directory,</br>or create a local administrator account</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr>
+<tr><td valign="top">Account management</td><td valign="top">Enroll device in Active Directory,</br>enroll device in Azure Active Directory,</br>or create a local administrator account</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="no1"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr>
-<tr><td valign="top">Bulk Enrollment in Azure AD</td><td valign="top">Enroll device in Azure Active Directory</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, <a href="/azure/active-directory/active-directory-azureadjoin-setup" data-raw-source="[set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup)">set up Azure AD join in your organization</a>.</td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no"/></td></tr>
+<tr><td valign="top">Bulk Enrollment in Azure AD</td><td valign="top">Enroll device in Azure Active Directory</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, <a href="/azure/active-directory/active-directory-azureadjoin-setup" data-raw-source="[set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup)">set up Azure AD join in your organization</a>.</td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no5"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no4"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no2"/></td></tr>
-<tr><td valign="top">Add applications</td><td valign="top">Install applications using the provisioning package.</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no"/></td></tr>
+<tr><td valign="top">Add applications</td><td valign="top">Install applications using the provisioning package.</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no3"/></td></tr>
-<tr><td valign="top">Add certificates</td><td valign="top">Include a certificate file in the provisioning package.</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr>
+<tr><td valign="top">Add certificates</td><td valign="top">Include a certificate file in the provisioning package.</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr>
-<tr><td valign="top">Configure kiosk account and app</td><td valign="top">Create local account to run the kiosk mode app,</br>specify the app to run in kiosk mode</td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no"/></td></tr>
+<tr><td valign="top">Configure kiosk account and app</td><td valign="top">Create local account to run the kiosk mode app,</br>specify the app to run in kiosk mode</td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no6"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no7"/></td></tr>
-<tr><td valign="top">Configure kiosk common settings</td><td valign="top">Set tablet mode,</br>configure welcome and shutdown screens,</br>turn off timeout settings</td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no"/></td></tr>
+<tr><td valign="top">Configure kiosk common settings</td><td valign="top">Set tablet mode,</br>configure welcome and shutdown screens,</br>turn off timeout settings</td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no8"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no9"/></td></tr>
-<tr><td valign="top">Developer Setup</td><td valign="top">Enable Developer Mode.</td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr></table>
+<tr><td valign="top">Developer Setup</td><td valign="top">Enable Developer Mode.</td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no22"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no11"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr></table>
 <!-- <table><tr><td align="left"><strong>Step</strong></td><td align="left"><strong>Description</strong></td><td><strong>Desktop wizard</strong></td><td align="center"><strong>Mobile wizard</strong></td><td><strong>Kiosk wizard</strong></td><td><strong>HoloLens wizard</strong></td></tr> -->
 <!-- <tr><td valign="top">Set up device</td><td valign="top">Assign device name,</br>enter product key to upgrade Windows,</br>configure shared used,</br>remove pre-installed software</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></br>(Only device name and upgrade key)</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr> -->
 <!-- <tr><td valign="top">Set up network</td><td valign="top">Connect to a Wi-Fi network</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr> -->
 <!-- <tr><td valign="top">Account management</td><td valign="top">Enroll device in Active Directory,</br>enroll device in Azure Active Directory,</br>or create a local administrator account</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no33"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr> -->
 <!-- <tr><td valign="top">Bulk Enrollment in Azure AD</td><td valign="top">Enroll device in Azure Active Directory</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, <a href="/azure/active-directory/active-directory-azureadjoin-setup" data-raw-source="[set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup)">set up Azure AD join in your organization</a>.</td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no44"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no66"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no55"/></td></tr> -->
 <!-- <tr><td valign="top">Add applications</td><td valign="top">Install applications using the provisioning package.</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no77"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no88"/></td></tr> -->
 <!-- <tr><td valign="top">Add certificates</td><td valign="top">Include a certificate file in the provisioning package.</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no99"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr> -->
 <!-- <tr><td valign="top">Configure kiosk account and app</td><td valign="top">Create local account to run the kiosk mode app,</br>specify the app to run in kiosk mode</td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no00"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no111"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no222"/></td></tr> -->
 <!-- <tr><td valign="top">Configure kiosk common settings</td><td valign="top">Set tablet mode,</br>configure welcome and shutdown screens,</br>turn off timeout settings</td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no333"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no555"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no666"/></td></tr> -->
 <!-- <tr><td valign="top">Developer Setup</td><td valign="top">Enable Developer Mode.</td><td align="center" valign="top"><img src="../images/crossmark.png" alt="n777o"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no444"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no888"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr></table> -->
 - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
 - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
@ -117,32 +129,32 @@ The following table provides some examples of settings that you can configure us
 For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012).
-## Changes to provisioning in Windows 10, version 1607
+<!-- ## Changes to provisioning in Windows 10, version 1607 -->
-> [!NOTE]
+<!-- > [!NOTE] -->
-> This section is retained for customers using Windows 10, version 1607, on the Current Branch for Business. Some of this information is not applicable in Windows 10, version 1703.
+<!-- > This section is retained for customers using Windows 10, version 1607, on the Current Branch for Business. Some of this information is not applicable in Windows 10, version 1703. -->
-Windows ICD for Windows 10, version 1607, simplified common provisioning scenarios. 
+WCD, simplified common provisioning scenarios. 
 ![Configuration Designer options.](../images/icd.png)
-Windows ICD in Windows 10, version 1607, supported the following scenarios for IT administrators:
+WCD supports the following scenarios for IT administrators:
-* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. 
+* **Simple provisioning** – Enables IT administrators to define a desired configuration in WCD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. 
-[Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md)
+[Learn how to use simple provisioning to configure Windows computers.](provision-pcs-for-initial-deployment.md)
-* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. 
+* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use WCD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. 
-* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: 
+* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use WCD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: 
    * Microsoft Intune (certificate-based enrollment) 
    * AirWatch (password-string based enrollment) 
    * Mobile Iron (password-string based enrollment) 
    * Other MDMs (cert-based enrollment) 
-> [!NOTE]
+<!--  > [!NOTE] -->
-> Windows ICD in Windows 10, version 1607, also provided a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](/education/windows/).
+<!--  > Windows ICD in Windows 10, version 1607, also provided a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](/education/windows/). -->
 ## Learn more
@ -164,4 +176,4 @@ For more information about provisioning, watch the following videos:
 - [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
 - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
 - [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
- [Use Windows Configuration Designer to configure Windows 10 Mobile devices](../mobile-devices/provisioning-configure-mobile.md)
+- [Use Windows Configuration Designer to configure Windows 10 Mobile devices](../mobile-devices/provisioning-configure-mobile.md)
--- a/windows/configuration/supported-csp-start-menu-layout-windows.md
+++ b/windows/configuration/supported-csp-start-menu-layout-windows.md
@ -0,0 +1,62 @@
 ---
 title: Supported CSP policies to customize Start menu on Windows 11 | Microsoft Docs
 description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Start menu.
 ms.assetid: 
 manager: dougeby
 ms.author: mandia
 ms.reviewer: ericpapa
 ms.prod: w11
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: mobile
 author: MandiOhlinger
 ms.date: 09/13/2021
 ms.localizationpriority: medium
 ---
 # Supported configuration service provider (CSP) policies for Windows 11 Start menu
 **Applies to**:
 - Windows 11
 The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Endpoint Manager](/mem/endpoint-manager-overview). In an MDM policy, these CSPs are settings that you configure in a policy. When the policy is ready, you deploy the policy to your devices.
 This article lists the CSPs that are available to customize the Start menu for Windows 11 devices. Windows 11 uses the [Policy CSP - Start](/windows/client-management/mdm/policy-csp-start). For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference).
 For information on customizing the Start menu layout using policy, see [Customize the Start menu layout on Windows 11](customize-start-menu-layout-windows-11.md).
 ## Existing Windows CSP policies that Windows 11 supports
 - [Start/AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments)
 - [Start/AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer)
 - [Start/AllowPinnedFolderFileExplorer](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup)
 - [Start/AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup)
 - [Start/AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic)
 - [Start/AllowPinnedFolderNetwork](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork)
 - [Start/AllowPinnedFolderPersonalFolder](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder)
 - [Start/AllowPinnedFolderPictures](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures)
 - [Start/AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings)
 - [Start/AllowPinnedFolderVideos](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos)
 - [Start/HideChangeAccountSettings](/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings)
 - [Start/HideHibernate](/windows/client-management/mdm/policy-csp-start#start-hidehibernate)
 - [Start/HideLock](/windows/client-management/mdm/policy-csp-start#start-hidelock)
 - [Start/HidePowerButton](/windows/client-management/mdm/policy-csp-start#start-hidepowerbutton)
 - [Start/HideRestart](/windows/client-management/mdm/policy-csp-start#start-hiderestart)
 - [Start/HideShutDown](/windows/client-management/mdm/policy-csp-start#start-hideshutdown)
 - [Start/HideSignOut](/windows/client-management/mdm/policy-csp-start#start-hidesignout)
 - [Start/HideSleep](/windows/client-management/mdm/policy-csp-start#start-hidesleep)
 - [Start/HideSwitchAccount](/windows/client-management/mdm/policy-csp-start#start-hideswitchaccount)
 - [Start/HideUserTile](/windows/client-management/mdm/policy-csp-start#start-hideusertile)
 - [Start/HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists)
 - [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#start-nopinningtotaskbar)
 - **Start/ShowOrHideMostUsedApps**: New policy starting with Windows 11. This policy enforces always showing Most Used Apps, or always hiding Most Used Apps in the Start menu. If you use this policy, the [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy is ignored.
  The [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy enforces hiding Most Used Apps on the Start menu. You can't use this policy to enforce always showing Most Used Apps on the Start menu.
 ## Existing CSP policies that Windows 11 doesn't support
 - [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout)
 - [Start/HideRecentlyAddedApps](/windows/client-management/mdm/policy-csp-start#start-hiderecentlyaddedapps)
 - [Start/HideAppList](/windows/client-management/mdm/policy-csp-start#start-hideapplist)
 - [Start/DisableContextMenus](/windows/client-management/mdm/policy-csp-start#start-disablecontextmenus)
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@ -8,7 +8,7 @@ ms.sitesec: library
 audience: itpro
 author: greg-lindsay
 ms.author: greglin
-manager: laurawi
+manager: dougeby
 ms.topic: article
 ---
 # Windows 10 features we’re no longer developing
@ -26,6 +26,7 @@ The features described below are no longer being actively developed, and might b
 |Feature    |  Details and mitigation  | Announced in version |
 | ----------- | --------------------- | ---- |
 | BitLocker To Go Reader | Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11.<br>The following items might not be available in a future release of Windows client:<br>- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**<br>- Command line parameter: [manage-bde -DiscoveryVolumeType](/windows-server/administration/windows-commands/manage-bde-on) (-dv)<br>- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**<br>- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files  | 21H1 |
 | Internet Explorer (IE) 11 | The IE11 desktop application will end support for certain operating systems starting June 15, 2022. For more information, see [Internet Explorer 11](/lifecycle/products/internet-explorer-11). | 21H1 |
 | Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 |
 | Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 semi-annual channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself is not affected. | 21H1 |
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@ -43,7 +43,7 @@ Domain-joined device certificate authentication has the following requirements:
 -   All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
    -   KDC EKU present
    -   DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
-   Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
+-   Windows devices have the CA issuing the domain controller certificates in the enterprise store.
 -   A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
 #### Deploying domain-joined device certificates
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
@ -1,6 +1,6 @@
 ---
-title: Advice while using Windows Defender Credential Guard (Windows 10)
+title: Advice while using Windows Defender Credential Guard (Windows)
-description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows 10.
+description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
@ -19,8 +19,10 @@ ms.reviewer:
 # Considerations when using Windows Defender Credential Guard
 **Applies to**
-   Windows 10
+- Windows 10
-   Windows Server 2016
+- Windows 11
 - Windows Server 2016
 - Windows Server 2019
 Passwords are still weak. We recommend that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
@ -79,7 +81,7 @@ If you must clear the TPM on a domain-joined device without connectivity to doma
 Domain user sign-in on a domain-joined device after clearing a TPM for as long as there is no connectivity to a domain controller:
-|Credential Type | Windows 10 version | Behavior
+|Credential Type | Windows version | Behavior
 |---|---|---|
 | Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI does not work at all. |
 | Password | Windows 10 v1709 or later | If the user signed-in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected.
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
@ -19,19 +19,21 @@ ms.reviewer:
 # How Windows Defender Credential Guard works
 **Applies to**  
- Windows 10  
+- Windows 10
- Windows Server 2016  
+- Windows 11
 - Windows Server 2016
 - Windows Server 2019
-Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
+Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
 For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
-When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Windows Defender Credential Guard with any of these protocols. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
+When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which are not protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, are not to be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
 When Windows Defender Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
-Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
+Here's a high-level overview on how the LSA is isolated by using Virtualization-based security:
 ![Windows Defender Credential Guard overview.](images/credguard.png)  
@ -39,4 +41,4 @@ Here's a high-level overview on how the LSA is isolated by using virtualization-
 **Related videos**
-[What is virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security)
+[What is Virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security)
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@ -1,6 +1,6 @@
 ---
-title: Windows Defender Credential Guard - Known issues (Windows 10)
+title: Windows Defender Credential Guard - Known issues (Windows)
-description: Windows Defender Credential Guard - Known issues in Windows 10 Enterprise
+description: Windows Defender Credential Guard - Known issues in Windows Enterprise
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
@ -19,9 +19,10 @@ ms.reviewer:
 # Windows Defender Credential Guard: Known issues 
 **Applies to**
-   Windows 10
+- Windows 10
-   Windows Server 2016
+- Windows 11
-   Windows Server 2019
+- Windows Server 2016
 - Windows Server 2019
 Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when it is enabled. For further information, see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). 
@ -51,12 +52,12 @@ The following known issue has been fixed in the [Cumulative Security Update for
 The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217)
+- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217)
     This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/help/4015219/windows-10-update-kb4015219) and [KB4015221](https://support.microsoft.com/help/4015221/windows-10-update-kb4015221)
- [KB4033236 Two incorrect logon attempts sent to Active Directory after Windows Defender Credential Guard installed on Windows 10](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview)
+- [KB4033236 Two incorrect logon attempts sent to Active Directory after Windows Defender Credential Guard installed on Windows](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview)
    This issue can potentially lead to unexpected account lockouts. The issue was fixed in servicing updates for each of the following operating systems:
@ -69,30 +70,30 @@ The following known issues have been fixed by servicing releases made available
 The following issue affects the Java GSS API. See the following Oracle bug database article: 
- [JDK-8161921: Windows 10 Windows Defender Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
+- [JDK-8161921: Windows Defender Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
-When Windows Defender Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
+When Windows Defender Credential Guard is enabled on Windows, the Java GSS API will not authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
 The following issue affects Cisco AnyConnect Secure Mobility Client:
- [Blue screen on Windows 10 computers running Hypervisor-Protected Code Integrity and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \*
+- [Blue screen on Windows computers running Hypervisor-Protected Code Integrity and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \*
 *Registration required to access this article. 
 The following issue affects McAfee Application and Change Control (MACC):
- [KB88869 Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) <sup>[1]</sup>
+- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) <sup>[1]</sup>
 The following issue affects AppSense Environment Manager.
  For further information, see the following Knowledge Base article:
- [Installing AppSense Environment Manager on Windows 10 machines causes LSAISO.exe to exhibit high CPU usage when Windows Defender Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) <sup>[1]</sup> \**
+- [Installing AppSense Environment Manager on Windows machines causes LSAISO.exe to exhibit high CPU usage when Windows Defender Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) <sup>[1]</sup> \**
 The following issue affects Citrix applications:
- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. <sup>[1]</sup>
+- Windows machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. <sup>[1]</sup>
-<sup>[1]</sup> Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10 or Windows Server 2016 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article:
+<sup>[1]</sup> Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10, Windows 11, Windows Server 2016 or Windows Server 2019 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article:
- [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4032786)
+- [KB4032786 High CPU usage in the LSAISO process on Windows](https://support.microsoft.com/help/4032786)
 For further technical information on LSAISO.exe, see the MSDN article: [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes)
@ -107,21 +108,21 @@ See the following article on Citrix support for Secure Boot:
 Windows Defender Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:
- For Windows Defender Credential Guard on Windows 10 with McAfee Encryption products, see:
+- For Windows Defender Credential Guard on Windows with McAfee Encryption products, see:
-  [Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows 10 with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
+  [Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
- For Windows Defender Credential Guard on Windows 10 with Check Point Endpoint Security Client, see:
+- For Windows Defender Credential Guard on Windows with Check Point Endpoint Security Client, see:
-  [Check Point Endpoint Security Client support for Microsoft Windows 10 Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
+  [Check Point Endpoint Security Client support for Microsoft Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
- For Windows Defender Credential Guard on Windows 10 with VMWare Workstation
+- For Windows Defender Credential Guard on Windows with VMWare Workstation
-  [Windows 10 host fails when running VMWare Workstation when Windows Defender Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361)
+  [Windows host fails when running VMWare Workstation when Windows Defender Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361)
- For Windows Defender Credential Guard on Windows 10 with specific versions of the Lenovo ThinkPad
+- For Windows Defender Credential Guard on Windows with specific versions of the Lenovo ThinkPad
-  [ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows 10 – ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
+  [ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows – ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
- For Windows Defender Credential Guard on Windows 10 with Symantec Endpoint Protection
+- For Windows Defender Credential Guard on Windows with Symantec Endpoint Protection
-  [Windows 10 with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
+  [Windows devices with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
-  This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows 10 or specific versions of Windows 10. Specific computer system models may be incompatible with Windows Defender Credential Guard. 
+  This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard. 
  Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@ -1,5 +1,5 @@
 ---
-title: Manage Windows Defender Credential Guard (Windows 10)
+title: Manage Windows Defender Credential Guard (Windows)
 description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools.
 ms.prod: w10
 ms.mktglfcycl: explore
@ -21,9 +21,10 @@ ms.custom:
 # Manage Windows Defender Credential Guard
 **Applies to**
-   Windows 10 Enterprise or Education SKUs
+- Windows 10
-   Windows Server 2016
+- Windows 11
-   Windows Server 2019
+- Windows Server 2016
 - Windows Server 2019
 ## Enable Windows Defender Credential Guard
--- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
@ -1,6 +1,6 @@
 ---
-title: Windows Defender Credential Guard protection limits & mitigations (Windows 10)
+title: Windows Defender Credential Guard protection limits & mitigations (Windows)
-description: Scenarios not protected by Windows Defender Credential Guard in Windows 10, and additional mitigations you can use.
+description: Scenarios not protected by Windows Defender Credential Guard in Windows, and additional mitigations you can use.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
@ -19,8 +19,10 @@ ms.reviewer:
 # Windows Defender Credential Guard protection limits and mitigations
 **Applies to**
-   Windows 10
+- Windows 10
-   Windows Server 2016
+- Windows 11
 - Windows Server 2016
 - Windows Server 2019
 Prefer video? See [Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
 in the Deep Dive into Windows Defender Credential Guard video series.
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
@ -1,6 +1,6 @@
 ---
-title: Windows Defender Credential Guard protection limits (Windows 10)
+title: Windows Defender Credential Guard protection limits (Windows)
-description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows 10. Learn more with this guide.
+description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
@ -19,8 +19,10 @@ ms.reviewer:
 # Windows Defender Credential Guard protection limits
 **Applies to**
-   Windows 10
+- Windows 10
-   Windows Server 2016
+- Windows 11
 - Windows Server 2016
 - Windows Server 2019
 Some ways to store credentials are not protected by Windows Defender Credential Guard, including:
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@ -1,5 +1,5 @@
 ---
-title: Windows Defender Credential Guard Requirements (Windows 10)
+title: Windows Defender Credential Guard Requirements (Windows)
 description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security.
 ms.prod: w10
 ms.mktglfcycl: explore
@ -20,8 +20,10 @@ ms.reviewer:
 ## Applies to
- Windows 10 Enterprise
+- Windows 10
- Windows Server 2016
+- Windows 11
 - Windows Server 2016
 - Windows Server 2019
 For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
@ -102,7 +104,7 @@ The following tables describe baseline protections, plus protections for improve
 |Hardware: **Trusted Platform Module (TPM)**|**Requirement**: </br> - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../information-protection/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.|
 |Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**: </br> - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.|
 |Firmware: **Secure firmware update process**|**Requirements**: </br> - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.|
-|Software: Qualified **Windows operating system**|**Requirement**: </br> - Windows 10 or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
+|Software: Qualified **Windows operating system**|**Requirement**: </br> - At least Windows 10 or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
 > [!IMPORTANT]
 > Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.
--- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
@ -1,6 +1,6 @@
 ---
-title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows 10)
+title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows)
-description:  Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows 10.
+description:  Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard.md
@ -1,5 +1,5 @@
 ---
-title: Protect derived domain credentials with Windows Defender Credential Guard (Windows 10)
+title: Protect derived domain credentials with Windows Defender Credential Guard (Windows)
 description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
 ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1
 ms.reviewer: 
@ -20,8 +20,10 @@ ms.date: 08/17/2017
 # Protect derived domain credentials with Windows Defender Credential Guard
 **Applies to**
-   Windows 10
+- Windows 10
-   Windows Server 2016
+- Windows 11
 - Windows Server 2016
 - Windows Server 2019
 Introduced in Windows 10 Enterprise and Windows Server 2016, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
--- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
+++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
@ -18,7 +18,10 @@ ms.reviewer:
 # Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
 **Applies to:**
- Windows 10 Enterprise Edition
+- Windows 10
 - Windows 11
 - Windows Server 2016
 - Windows Server 2019
 ```powershell
 # Script to find out if a machine is Device Guard compliant.
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@ -21,13 +21,12 @@ ms.reviewer:
 -   Windows 10
 -   Windows 11
-In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (e.g., Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (e.g., M.2 slots)
+In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (for example, Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (for example, M.2 slots)
 Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely.
-This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.
+This feature doesn't protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.
 For Thunderbolt DMA protection on earlier Windows versions and platforms that lack support for Kernel DMA Protection, please refer to [Intel Thunderbolt™ 3 Security documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf).
 ## Background
@ -36,19 +35,19 @@ The DMA capability is what makes PCI devices the highest performing devices avai
 These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard. 
 Access to these devices required the user to turn off power to the system and disassemble the chassis. 
-Today, this is no longer the case with hot plug PCIe ports (e.g., Thunderbolt™ and CFexpress). 
+Today, this is no longer the case with hot plug PCIe ports (for example, Thunderbolt™ and CFexpress). 
-Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility that was not available before for PCs. 
+Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility that wasn't available before for PCs. 
 It allows users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB. 
 Having PCI hot plug ports externally and easily accessible makes PCs susceptible to drive-by DMA attacks.
 Drive-by DMA attacks are attacks that occur while the owner of the system is not present and usually take less than 10 minutes, with simple to moderate attacking tools (affordable, off-the-shelf hardware and software) that do not require the disassembly of the PC. 
-A simple example would be a PC owner leaves the PC for a quick coffee break, and within the break, and attacker steps in, plugs in a USB-like device and walks away with all the secrets on the machine, or injects a malware that allows them to have full control over the PC remotely.
+A simple example would be a PC owner leaves the PC for a quick coffee break, and within the break, an attacker steps in, plugs in a USB-like device and walks away with all the secrets on the machine, or injects a malware that allows them to have full control over the PC remotely.
 ## How Windows protects against DMA drive-by attacks
 Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless the drivers for these peripherals support memory isolation (such as DMA-remapping). 
-Peripherals with [DMA Remapping compatible drivers](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers) will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions. 
+Peripherals with [DMA Remapping compatible drivers](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers) will be automatically enumerated, started, and allowed to perform DMA to their assigned memory regions. 
 By default, peripherals with DMA Remapping incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. IT administrators can modify the default behavior applied to devices with DMA Remapping incompatible drivers using the [DmaGuard MDM policies](/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies).
@ -62,7 +61,7 @@ The peripheral will continue to function normally if the user locks the screen o
 ## System compatibility
 Kernel DMA Protection requires new UEFI firmware support. 
-This support is anticipated only on newly-introduced, Intel-based systems shipping with Windows 10 version 1803 (not all systems). Virtualization-based Security (VBS) is not required.
+This support is anticipated only on newly introduced, Intel-based systems shipping with Windows 10 version 1803 (not all systems). Virtualization-based Security (VBS) is not required.
 To see if a system supports Kernel DMA Protection, check the System Information desktop app (MSINFO32). 
 Systems released prior to Windows 10 version 1803 do not support Kernel DMA Protection, but they can leverage other DMA attack mitigations as described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
@ -111,8 +110,8 @@ In-market systems, released with Windows 10 version 1709 or earlier, will not su
 No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot. 
 ### How can I check if a certain driver supports DMA-remapping?
-DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (i.e. the device driver does not support DMA-remapping).
+DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of two means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (that is, the device driver does not support DMA-remapping).
-Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
+Check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
 ![Kernel DMA protection user experience.](images/device_details_tab_1903.png)
@ -120,9 +119,9 @@ Please check the driver instance for the device you are testing. Some drivers ma
 ![Kernel DMA protection user experience.](images/device-details-tab.png)
-### What should I do if the drivers for my PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping?
+### When the drivers for PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping?
-If the peripherals do have class drivers provided by Windows, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers).
+If the peripherals do have class drivers provided by Windows, use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers).
 ### My system's Kernel DMA Protection is off. Can DMA-remapping for a specific device be turned on?
@ -131,13 +130,13 @@ Yes. DMA remapping for a specific device can be turned on independent from Kerne
 Kernel DMA Protection is a policy that allows or blocks devices to perform DMA, based on their remapping state and capabilities.
 ### Do Microsoft drivers support DMA-remapping?
-In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA Remapping.
+In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers, and Storage NVMe Controllers support DMA Remapping.
 ### Do drivers for non-PCI devices need to be compatible with DMA-remapping?
 No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA Remapping.
 ### How can an enterprise enable the External device enumeration policy?
-The External device enumeration policy controls whether to enumerate external peripherals that are not compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default).
+The External device enumeration policy controls whether to enumerate external peripherals that are not compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that aren't, can be blocked, allowed, or allowed only after the user signs in (default).
 The policy can be enabled by using: 
--- a/windows/security/threat-protection/auditing/event-4768.md
+++ b/windows/security/threat-protection/auditing/event-4768.md
@ -21,7 +21,7 @@ ms.technology: mde
 -   Windows Server 2016
-<img src="images/event-4768.png" alt="Event 4768 illustration" width="554" height="659" hspace="10" align="left" />
+:::image type="content" alt-text="Event 4768 illustration." source="images/event-4768.png":::
 ***Subcategory:***&nbsp;[Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
@ -35,12 +35,13 @@ If TGT issue fails then you will see Failure event with **Result Code** field no
 This event doesn't generate for **Result Codes**: 0x10, 0x17 and 0x18. Event “[4771](event-4771.md): Kerberos pre-authentication failed.” generates instead.
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+> [!NOTE]
 > For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
 <br clear="all">
 ***Event XML:***
-```
+```xml
 - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 - <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
@ -101,7 +102,8 @@ This event doesn't generate for **Result Codes**: 0x10, 0x17 and 0x18. Event “
    -   Uppercase full domain name: CONTOSO.LOCAL
-> **Note**&nbsp;&nbsp;A **Kerberos Realm** is a set of managed nodes that share the same Kerberos database. The Kerberos database resides on the Kerberos master computer system, which should be kept in a physically secure room. Active Directory domain is the example of Kerberos Realm in the Microsoft Windows Active Directory world.
+    > [!NOTE]
    > A **Kerberos Realm** is a set of managed nodes that share the same Kerberos database. The Kerberos database resides on the Kerberos master computer system, which should be kept in a physically secure room. Active Directory domain is the example of Kerberos Realm in the Microsoft Windows Active Directory world.
 -   **User ID** \[Type = SID\]**:** SID of account for which (TGT) ticket was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
@ -109,7 +111,8 @@ This event doesn't generate for **Result Codes**: 0x10, 0x17 and 0x18. Event “
    -   **NULL SID** – this value shows in [4768](event-4768.md) Failure events.
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
+    > [!NOTE]
    > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
 **Service Information:**
@ -149,7 +152,10 @@ This event doesn't generate for **Result Codes**: 0x10, 0x17 and 0x18. Event “
    -   Using **MSB 0** bit numbering we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
-> **Note**&nbsp;&nbsp;In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.<br><img src="images/msb.png" alt="MSB illustration" width="224" height="57" />
+> [!NOTE]
 > In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.
 > 
 > <img src="images/msb.png" alt="MSB illustration" width="224" height="57" />
 The most common values:
@ -185,9 +191,10 @@ The most common values:
 | 30    | Renew                    | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in it’s renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header.                                                                                                                                                                                                                                                  |
 | 31    | Validate                 | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE.                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-> Table 2. Kerberos ticket flags.
+## Table 2. Kerberos ticket flags
-> 
+
-> **Note**&nbsp;&nbsp;[KILE](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) **(Microsoft Kerberos Protocol Extension)** – Kerberos protocol extensions used in Microsoft operating systems. These extensions provide additional capability for authorization information including group memberships, interactive logon information, and integrity levels.
+> [!NOTE]
 > [KILE](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) **(Microsoft Kerberos Protocol Extension)** – Kerberos protocol extensions used in Microsoft operating systems. These extensions provide additional capability for authorization information including group memberships, interactive logon information, and integrity levels.
 -   **Result Code** \[Type = HexInt32\]**:** hexadecimal result code of TGT issue operation. The “Table 3. TGT/TGS issue error codes.” contains the list of the most common error codes for this event.
@ -252,12 +259,15 @@ The most common values:
 | 0x43                                                       | KRB\_AP\_ERR\_NO\_TGT                  | No TGT was presented or available                                           | In user-to-user authentication if the service does not possess a ticket granting ticket, it should return the error KRB\_AP\_ERR\_NO\_TGT.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
 | 0x44                                                       | KDC\_ERR\_WRONG\_REALM                 | Incorrect domain or principal                                               | Although this error rarely occurs, it occurs when a client presents a cross-realm TGT to a realm other than the one specified in the TGT. Typically, this results from incorrectly configured DNS.                                                                                                                                                                                                                                                                                                                                                                                                                           |
-> <span id="_Ref432868145" class="anchor"></span>Table 3. TGT/TGS issue error codes.
+<span id="_Ref432868145" class="anchor"></span>
 ## Table 3. TGT/TGS issue error codes
 -   **Ticket Encryption Type** \[Type = HexInt32\]: the cryptographic suite that was used for issued TGT.
 <span id="kerberos-encryption-types" />
 ## Table 4. Kerberos encryption types
 | Type | Type Name               | Description                                                                       |
@ -274,7 +284,8 @@ The most common values:
 -   **Pre-Authentication Type** \[Type = UnicodeString\]: the code number of [pre-Authentication](/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)) type which was used in TGT request.
 <span id="kerberos-preauthentication-types" />
-## Table 5. Kerberos Pre-Authentication types.
+
 ## Table 5. Kerberos Pre-Authentication types
 | Type | Type Name              | Description                                                                                                                                                                                                                                                                                                                                                                                                      |
 |------------------------------------------------------------------------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@ -301,7 +312,7 @@ The most common values:
 For 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
-| **Type of monitoring required**                                                                                                                                                                                                                                                                                   | **Recommendation**                                                                                                                                             |
+| Type of monitoring required | Recommendation |
 |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“User ID”** that corresponds to the high-value account or accounts.                                                              |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“User ID”** (with other information) to monitor how or when a particular account is being used. |
@ -310,7 +321,7 @@ For 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
 | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Supplied Realm Name”** corresponding to another domain or “external” location.                                                   |
 | **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**User ID”** for names that don’t comply with naming conventions.                                                                                     |
-   You can track all [4768](event-4768.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges.
+-   You can track all [4768](event-4768.md) events where the **Client Address** is not from your internal IP address range or not from private IP address ranges.
 -   If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4768](event-4768.md) events. If **Client Address** is not from the allowlist, generate the alert.
@ -320,7 +331,7 @@ For 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
 -   Also consider monitoring the fields shown in the following table, to discover the issues listed:
-| **Field**                   | **Issue to discover**                                                                                                                                                                                                                                                                                                                                   |
+| Field | Issue to discover |
 |-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | **Certificate Issuer Name** | Certification authority name is not from your PKI.                                                                                                                                                                                                                                                                                       |
 | **Certificate Issuer Name** | Certification authority name is not authorized to issue smart card authentication certificates.                                                                                                                                                                                                                                                         |
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@ -37,6 +37,7 @@ The Security Compliance Toolkit consists of:
    - Windows 10, Version 1507
 - Windows Server security baselines
    - Windows Server 2022
    - Windows Server 2019
    - Windows Server 2016
    - Windows Server 2012 R2
@ -45,7 +46,7 @@ The Security Compliance Toolkit consists of:
    - Microsoft 365 Apps for enterprise, Version 2104
 - Microsoft Edge security baseline
-    - Version 92
+    - Version 93
 - Windows Update security baseline
    - Windows 10 20H2 and below (October 2020 Update)
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@ -40,6 +40,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
 - bash.exe
 - bginfo.exe<sup>1</sup>
 - cdb.exe
 - cscript.exe
 - csi.exe
 - dbghost.exe
 - dbgsvc.exe
@ -69,6 +70,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
 - wfc.exe
 - windbg.exe
 - wmic.exe
 - wscript.exe
 - wsl.exe
 - wslconfig.exe
 - wslhost.exe
@ -149,7 +151,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
  <Deny ID="ID_DENY_BGINFO" FriendlyName="bginfo.exe" FileName="BGINFO.Exe" MinimumFileVersion="4.21.0.0"/> 
  <Deny ID="ID_DENY_CBD" FriendlyName="cdb.exe" FileName="CDB.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
  <Deny ID="ID_DENY_CSI" FriendlyName="csi.exe" FileName="csi.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
-  <Deny ID="ID_DENY_CSCRIPT" FriendlyName="cscript.exe" FileName="cscript.exe" MinimumFileVersion = "65535.65535.65535.65535" />
+  <Deny ID="ID_DENY_CSCRIPT" FriendlyName="cscript.exe" FileName="cscript.exe" MinimumFileVersion = "10.0.0.0" />
  <Deny ID="ID_DENY_DBGHOST" FriendlyName="dbghost.exe" FileName="DBGHOST.Exe" MinimumFileVersion="2.3.0.0"/> 
  <Deny ID="ID_DENY_DBGSVC" FriendlyName="dbgsvc.exe" FileName="DBGSVC.Exe" MinimumFileVersion="2.3.0.0"/>
  <Deny ID="ID_DENY_DNX" FriendlyName="dnx.exe" FileName="dnx.Exe" MinimumFileVersion="65535.65535.65535.65535"/> 
@ -179,7 +181,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
  <Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />   
  <Deny ID="ID_DENY_WINDBG" FriendlyName="windbg.exe" FileName="windbg.Exe" MinimumFileVersion="65535.65535.65535.65535"/> 
  <Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535"/>
-  <Deny ID="ID_DENY_WSCRIPT" FriendlyName="wscript.exe"  FileName="wscript.exe" MinimumFileVersion = "65535.65535.65535.65535" />
+  <Deny ID="ID_DENY_WSCRIPT" FriendlyName="wscript.exe"  FileName="wscript.exe" MinimumFileVersion = "10.0.0.0" />
  <Deny ID="ID_DENY_WSL" FriendlyName="wsl.exe" FileName="wsl.exe" MinimumFileVersion="65535.65535.65535.65535"/> 
  <Deny ID="ID_DENY_WSLCONFIG" FriendlyName="wslconfig.exe" FileName="wslconfig.exe" MinimumFileVersion="65535.65535.65535.65535"/> 
  <Deny ID="ID_DENY_WSLHOST" FriendlyName="wslhost.exe" FileName="wslhost.exe" MinimumFileVersion="65535.65535.65535.65535"/> 
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
@ -10,7 +10,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
-ms.date: 04/30/2018
+ms.date: 09/13/2021
 ms.reviewer: 
 manager: dansimp
 ms.technology: mde
@ -36,8 +36,6 @@ You can add information about your organization in a contact card to the Windows
 This information will also be shown in some enterprise-specific notifications (including notifications for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)).
 ![A security center notification.](images/security-center-custom-notif.png)
 Users can select the displayed information to initiate a support request:
 - Select **Call** or the phone number to open Skype to start a call to the displayed number.
@ -60,7 +58,7 @@ This can only be done in Group Policy.
 3. Expand the tree to **Windows components > Windows Security > Enterprise Customization**.
-4. Enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 5 and 6). You can enable both, or slect one or the other:
+4. Enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 5 and 6). You can enable both, or select one or the other:
    1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**.
@ -76,4 +74,4 @@ This can only be done in Group Policy.
 7. Select **OK** after you configure each setting to save your changes.
 >[!IMPORTANT]
->You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.
+>You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.
--- a/windows/whats-new/windows-11.md
+++ b/windows/whats-new/windows-11.md
@ -89,3 +89,5 @@ When Windows 11 reaches general availability, important servicing-related announ
 ## Also see
 [What's new in Windows 11](/windows-hardware/get-started/what-s-new-in-windows)<br>
 [Windows 11 Security — Our Hacker-in-Chief Runs Attacks and Shows Solutions](https://www.youtube.com/watch?v=2RTwGNyhSy8)<br>
 [Windows 11: The Optimization and Performance Improvements](https://www.youtube.com/watch?v=oIYHRRTCVy4)