Merge branch 'public' into kk-wdac-edits-add-hta-info-to-select-types-doc

2025-05-14 06:17:22 +00:00 · 2021-06-28 09:17:36 -07:00 · 2021-06-28 09:17:36 -07:00 · 4f60d82f3d
commit 4f60d82f3d
parent d2ad0329ef 72ed30329e
57 changed files with 1596 additions and 907 deletions
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@ -129,20 +129,6 @@
      "build_entry_point": "docs",
      "template_folder": "_themes"
    },
    {
      "docset_name": "SV",
      "build_source_folder": "windows/sv",
      "build_output_subfolder": "SV",
      "locale": "en-us",
      "monikers": [],
      "moniker_ranges": [],
      "open_to_public_contributors": true,
      "type_mapping": {
        "Conceptual": "Content"
      },
      "build_entry_point": "docs",
      "template_folder": "_themes"
    },
    {
      "docset_name": "win-access-protection",
      "build_source_folder": "windows/access-protection",
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -18919,6 +18919,11 @@
      "source_path": "windows/security/threat-protection/device-control/device-control-report.md",
      "redirect_url": "/microsoft-365/security/defender-endpoint/device-control-report",
      "redirect_document_id": false
    }, 
    {
      "source_path": "windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md",
      "redirect_url": "/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows",
      "redirect_document_id": false
    }        
 	    ]
 }
--- a/browsers/internet-explorer/TOC.yml
+++ b/browsers/internet-explorer/TOC.yml
@ -356,6 +356,6 @@
    - name: KB Troubleshoot
      items: 
        - name: Internet Explorer and Microsoft Edge FAQ for IT Pros
-          href: kb-support/ie-edge-faqs.md
+          href: kb-support/ie-edge-faqs.yml
 - name: Microsoft Edge and Internet Explorer troubleshooting
  href: /troubleshoot/browsers/welcome-browsers
--- a/browsers/internet-explorer/kb-support/ie-edge-faqs.md
+++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.md
@ -1,220 +0,0 @@
 ---
 title: IE and Microsoft Edge FAQ for IT Pros
 description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals. 
 audience: ITPro
 manager: msmets
 author: ramakoni1
 ms.author: ramakoni
 ms.reviewer: ramakoni, DEV_Triage
 ms.prod: internet-explorer
 ms.technology:
 ms.topic: kb-support
 ms.custom: CI=111020
 ms.localizationpriority: medium
 ms.date: 01/23/2020
 ---
 # Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros
 ## Cookie-related questions
 ### What is a cookie?
 An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol.
 ### How does Internet Explorer handle cookies?
 For more information about how Internet Explorer handles cookies, see the following articles:
 - [Beware Cookie Sharing in Cross-Zone Scenarios](/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios)
 - [A Quick Look at P3P](/archive/blogs/ieinternals/a-quick-look-at-p3p)
 - [Internet Explorer Cookie Internals FAQ](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq)
 - [Privacy Beyond Blocking Cookies](/archive/blogs/ie/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content)
 - [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies)
 ### Where does Internet Explorer store cookies?
 To see where Internet Explorer stores its cookies, follow these steps:
 1. Start File Explorer.
 2. Select **Views** \> **Change folder and search options**.
 3. In the **Folder Options** dialog box, select **View**.
 4. In **Advanced settings**, select **Do not show hidden files, folders, or drivers**.
 5. Clear **Hide protected operation system files (Recommended)**.
 6. Select **Apply**.
 7. Select **OK**.
 The following are the folder locations where the cookies are stored:
 **In Windows 10**  
 C:\Users\username\AppData\Local\Microsoft\Windows\INetCache
 **In Windows 8 and Windows 8.1**  
 C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies
 **In Windows 7**  
 C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies  
 C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low
 ### What is the per-domain cookie limit?
 Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie.
 There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value.
 The JavaScript limitation was updated to 10 KB from 4 KB.
 For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq).
 #### Additional information about cookie limits
 **What does the Cookie RFC allow?**  
 RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following:
 - At least 300 cookies total
 - At least 20 cookies per unique host or domain name
 For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer.
 ### Cookie size limit per domain
 Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies.
 ## Proxy Auto Configuration (PAC)-related questions
 ### Is an example Proxy Auto Configuration (PAC) file available?
 Here is a simple PAC file:
 ```vb
 function FindProxyForURL(url, host)
 {
 return "PROXY proxyserver:portnumber";
 }
 ```
 > [!NOTE]
 > The previous PAC always returns the **proxyserver:portnumber** proxy.
 For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/).
 **Third-party information disclaimer**  
 The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
 ### How to improve performance by using PAC scripts
 - [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/help/315810/browser-is-slow-to-respond-when-you-use-an-automatic-configuration-scr)
 - [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](https://blogs.msdn.microsoft.com/askie/2014/02/07/optimizing-performance-with-automatic-proxyconfiguration-scripts-pac/)
 ## Other questions
 ### How to set home and start pages in Microsoft Edge and allow user editing
 For more information, see the following blog article:
 [How do I set the home page in Microsoft Edge?](https://blogs.msdn.microsoft.com/askie/2017/10/04/how-do-i-set-the-home-page-in-edge/)
 ### How to add sites to the Enterprise Mode (EMIE) site list
 For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](../ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md).
 ### What is Content Security Policy (CSP)?
 By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites.
 Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly.
 CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run.
 For more information, see the following articles:
 - [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/)
 - [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy)
 ### Where to find Internet Explorer security zones registry entries
 Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users).
 This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11.
 The default Zone Keys are stored in the following locations:
 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
 - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
 ### Why don't HTML5 videos play in Internet Explorer 11?
 To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**.
 - 0 (the default value): Allow
 - 3: Disallow
 This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone.
 For more information, see [Unable to play HTML5 Videos in IE](/archive/blogs/askie/unable-to-play-html5-videos-in-ie).
 For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions).
 For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running)
 ### What is the Enterprise Mode Site List Portal?
 This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
 ### What is Enterprise Mode Feature?
 For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md).
 ### Where can I obtain a list of HTTP Status codes?
 For information about this list, see [HTTP Status Codes](/windows/win32/winhttp/http-status-codes).
 ### What is end of support for Internet Explorer 11?
 Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed.
 For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer).
 ### How to configure TLS (SSL) for Internet Explorer
 For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380).
 ### What is Site to Zone?
 Site to Zone usually refers to one of the following:
 **Site to Zone Assignment List**  
 This is a Group Policy policy setting that can be used to add sites to the various security zones.
 The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones:
 - Intranet zone
 - Trusted Sites zone
 - Internet zone
 - Restricted Sites zone
 If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site.
 **Site to Zone Mapping**  
 Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list:
 - HKEY\_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
 - HKEY\_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
 **Site to Zone Assignment List policy**  
 This policy setting is available for both Computer Configuration and User Configuration:
 - Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
 - User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
 **References**  
 [How to configure Internet Explorer security zone sites using group polices](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices)
 ### What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer?
 For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](/previous-versions/cc304129(v=vs.85)).
 ### What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting?
 The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server.
 For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](/archive/blogs/jpsanders/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer).
--- a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml
+++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml
@ -0,0 +1,245 @@
 ### YamlMime:FAQ
 metadata:
  title: IE and Microsoft Edge FAQ for IT Pros
  description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals. 
  audience: ITPro
  manager: msmets
  author: ramakoni1
  ms.author: ramakoni
  ms.reviewer: ramakoni, DEV_Triage
  ms.prod: internet-explorer
  ms.technology:
  ms.topic: kb-support
  ms.custom: CI=111020
  ms.localizationpriority: medium
  ms.date: 01/23/2020
 title: Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros
 summary: |
 sections:
  - name: Cookie-related questions
    questions:
      - question: |
          What is a cookie?
        answer: |
          An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol.
      - question: |
          How does Internet Explorer handle cookies?
        answer: |
          For more information about how Internet Explorer handles cookies, see the following articles:
          - [Beware Cookie Sharing in Cross-Zone Scenarios](/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios)
          - [A Quick Look at P3P](/archive/blogs/ieinternals/a-quick-look-at-p3p)
          - [Internet Explorer Cookie Internals FAQ](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq)
          - [Privacy Beyond Blocking Cookies](/archive/blogs/ie/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content)
          - [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies)
      - question: |
          Where does Internet Explorer store cookies?
        answer: |
          To see where Internet Explorer stores its cookies, follow these steps:
          1. Start File Explorer.
          2. Select **Views** \> **Change folder and search options**.
          3. In the **Folder Options** dialog box, select **View**.
          4. In **Advanced settings**, select **Do not show hidden files, folders, or drivers**.
          5. Clear **Hide protected operation system files (Recommended)**.
          6. Select **Apply**.
          7. Select **OK**.
          The following are the folder locations where the cookies are stored:
          **In Windows 10**  
          C:\Users\username\AppData\Local\Microsoft\Windows\INetCache
          **In Windows 8 and Windows 8.1**  
          C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies
          **In Windows 7**  
          C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies  
          C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low
      - question: |
          What is the per-domain cookie limit?
        answer: |
          Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie.
          There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value.
          The JavaScript limitation was updated to 10 KB from 4 KB.
          For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq).
  - name: Additional information about cookie limits
    questions:
      - question: |
          What does the Cookie RFC allow?
        answer: |
          RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following:
          - At least 300 cookies total
          - At least 20 cookies per unique host or domain name
          For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer.
      - question: |
          Cookie size limit per domain
        answer: |
          Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies.
  - name: Proxy Auto Configuration (PAC)-related questions
    questions:
      - question: |
          Is an example Proxy Auto Configuration (PAC) file available?
        answer: |
          Here is a simple PAC file:
          ```vb
          function FindProxyForURL(url, host)
          {
           return "PROXY proxyserver:portnumber";
          }
          ```
          > [!NOTE]
          > The previous PAC always returns the **proxyserver:portnumber** proxy.
          For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/).
          **Third-party information disclaimer**  
          The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
      - question: |
          How to improve performance by using PAC scripts
        answer: |
          - [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/en-us/topic/effa1aa0-8e95-543d-6606-03ac68e3f490)
          - [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](/troubleshoot/browsers/optimize-pac-performance)
  - name: Other questions
    questions:
      - question: |
          How to set home and start pages in Microsoft Edge and allow user editing
        answer: |
          For more information, see the following blog article:
          [How do I set the home page in Microsoft Edge?](https://support.microsoft.com/en-us/microsoft-edge/change-your-browser-home-page-a531e1b8-ed54-d057-0262-cc5983a065c6)
      - question: |
          How to add sites to the Enterprise Mode (EMIE) site list
        answer: |
          For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](../ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md).
      - question: |
          What is Content Security Policy (CSP)?
        answer: |
          By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites.
          Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly.
          CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run.
          For more information, see the following articles:
          - [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/)
          - [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy)
      - question: |
          Where to find Internet Explorer security zones registry entries
        answer: |
          Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users).
          This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11.
          The default Zone Keys are stored in the following locations:
          - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
          - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
      - question: |
          Why don't HTML5 videos play in Internet Explorer 11?
        answer: |
          To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**.
          - 0 (the default value): Allow
          - 3: Disallow
          This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone.
          For more information, see [Unable to play HTML5 Videos in IE](/archive/blogs/askie/unable-to-play-html5-videos-in-ie).
          For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions).
          For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running)
      - question: |
          What is the Enterprise Mode Site List Portal?
        answer: |
          This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
      - question: |
          What is Enterprise Mode Feature?
        answer: |
          For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md).
      - question: |
          Where can I obtain a list of HTTP Status codes?
        answer: |
          For information about this list, see [HTTP Status Codes](/windows/win32/winhttp/http-status-codes).
      - question: |
          What is end of support for Internet Explorer 11?
        answer: |
          Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed.
          For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer).
      - question: |
          How to configure TLS (SSL) for Internet Explorer
        answer: |
          For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380).
      - question: |
          What is Site to Zone?
        answer: |
          Site to Zone usually refers to one of the following:
          **Site to Zone Assignment List**  
          This is a Group Policy policy setting that can be used to add sites to the various security zones.
          The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones:
          - Intranet zone
          - Trusted Sites zone
          - Internet zone
          - Restricted Sites zone
          If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site.
          **Site to Zone Mapping**  
          Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list:
          - HKEY\_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
          - HKEY\_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
          **Site to Zone Assignment List policy**  
          This policy setting is available for both Computer Configuration and User Configuration:
          - Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
          - User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
          **References**  
          [How to configure Internet Explorer security zone sites using group polices](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices)
      - question: |
          What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer?
        answer: |
          For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](/previous-versions/cc304129(v=vs.85)).
      - question: |
          What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting?
        answer: |
          The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server.
          For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](/archive/blogs/jpsanders/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer).
--- a/windows/application-management/index.yml
+++ b/windows/application-management/index.yml
@ -5,7 +5,7 @@ summary: Learn about managing applications in Windows client, including how to r
 metadata:
  title: Windows application management  # Required; page title displayed in search results. Include the brand. < 60 chars.
-  description: Learn about managing applications in Windows 10. # Required; article description that is displayed in search results. < 160 chars.
+  description: Learn about managing applications in Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
  services: windows-10
  ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
  ms.subservice: subservice
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@ -71,7 +71,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -97,7 +97,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -123,7 +123,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -149,7 +149,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -201,7 +201,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -227,7 +227,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -253,7 +253,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -305,7 +305,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -331,7 +331,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -358,7 +358,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
@ -384,7 +384,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -410,7 +410,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -436,7 +436,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -462,7 +462,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -514,7 +514,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -540,7 +540,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -566,7 +566,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -592,7 +592,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -618,7 +618,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -644,7 +644,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -670,7 +670,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -722,7 +722,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -748,7 +748,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -774,7 +774,6 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -802,7 +801,6 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -829,7 +827,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -882,7 +880,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -934,7 +932,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -960,7 +958,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1012,7 +1010,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1037,9 +1035,9 @@ Additional lists:
 </tr>
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" />
-<a href="https://docs.microsoft.com/windows/client-management/mdm/implement-server-side-mobile-application-management#integration-with-windows-information-protection">Only for mobile application management (MAM)</td>
+<a href="https://docs.microsoft.com/windows/client-management/mdm/implement-server-side-mobile-application-management#integration-with-windows-information-protection"><sup>A<sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1065,10 +1063,9 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table>
@ -1092,7 +1089,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1118,7 +1115,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1144,7 +1141,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1168,7 +1165,7 @@ Additional lists:
 	<th>Mobile</th>
 </tr>
 <tr>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3<sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3<sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3<sup></td>
@ -1196,10 +1193,10 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /> (Provisioning only)</td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
 </tr>
 </table>
@ -1248,7 +1245,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1274,7 +1271,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1300,7 +1297,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1378,7 +1375,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1404,7 +1401,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1482,7 +1479,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1534,7 +1531,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1560,7 +1557,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1586,7 +1583,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1638,7 +1635,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1664,7 +1661,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1688,12 +1685,12 @@ Additional lists:
 	<th>Mobile</th>
 </tr>
 <tr>
-	<td><img src="images/checkmark.png" alt="check mark" /> (Provisioning only)</td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /> (Provisioning only)</td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /> (Provisioning only)</td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /> (Provisioning only)</td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /> (Provisioning only)</td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
 </tr>
 </table>
@ -1716,7 +1713,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1742,7 +1739,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1768,7 +1765,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1794,7 +1791,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1820,7 +1817,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1846,7 +1843,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1872,7 +1869,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1898,7 +1895,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1924,7 +1921,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1950,7 +1947,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -1976,7 +1973,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2002,7 +1999,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -2028,7 +2025,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2159,7 +2156,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -2185,7 +2182,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2211,7 +2208,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2237,7 +2234,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2290,7 +2287,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2316,7 +2313,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -2368,7 +2365,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -2421,7 +2418,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2447,7 +2444,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2503,7 +2500,6 @@ Additional lists:
 	<td></td>
 	<td></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td></td>
 </tr>
 </table>
@ -2555,7 +2551,7 @@ The following list shows the CSPs supported in HoloLens devices:
 [PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
 | [Policy CSP](policy-configuration-service-provider.md)    | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
 | [RemoteFind CSP](remotefind-csp.md)    | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png) |
-| [RemoteWipe CSP](remotewipe-csp.md)    | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png) |
+| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only)  | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png) |
 | [RootCATrustedCertificates CSP](rootcacertificates-csp.md)   | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
 | [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>10</sup>  |
 | [Update CSP](update-csp.md)     | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
@ -2627,6 +2623,8 @@ The following list shows the CSPs supported in HoloLens devices:
 <hr>
 Footnotes:
 - A - Only for mobile application management (MAM).
 - B - Provisioning only.
 - 1 - Added in Windows 10, version 1607.
 - 2 - Added in Windows 10, version 1703.
 - 3 - Added in Windows 10, version 1709.
@ -2635,5 +2633,6 @@ The following list shows the CSPs supported in HoloLens devices:
 - 6 - Added in Windows 10, version 1903.
 - 7 - Added in Windows 10, version 1909.
 - 8 - Added in Windows 10, version 2004.
- 9 - Added in Windows 10 Team 2020 Update
+- 9 - Added in Windows 10 Team 2020 Update.
- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2)
+- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2).
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@ -10,7 +10,7 @@ ms.prod: w10
 ms.technology: windows
 author: dansimp
 ms.localizationpriority: medium
-ms.date: 06/02/2021
+ms.date: 06/23/2021
 ---
 # Defender CSP
@ -59,6 +59,9 @@ Defender
 --------TamperProtection (Added in Windows 10, version 1903)
 --------EnableFileHashComputation (Added in Windows 10, version 1903)
 --------SupportLogLocation (Added in the next major release of Windows 10)
 --------PlatformUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
 --------EngineUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
 --------SignaturesUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
 ----Scan
 ----UpdateSignature
 ----OfflineScan (Added in Windows 10 version 1803)
@ -518,9 +521,75 @@ When enabled or disabled exists on the client and admin moves the setting to not
 More details:  
- [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data)  
+- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data)  
 - [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices)  
 <a href="" id="configuration-supportloglocation"></a>**Configuration/PlatformUpdatesChannel**
 Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.
 Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
 Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
 Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
 Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
 If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
 The data type is integer.
 Supported operations are Add, Delete, Get, Replace.
 Valid values are:
 - 0: Not configured (Default)
 - 1: Beta Channel - Prerelease
 - 2: Current Channel (Preview)
 - 3: Current Channel (Staged)
 - 4: Current Channel (Broad)
 <a href="" id="configuration-supportloglocation"></a>**Configuration/EngineUpdatesChannel**
 Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.
 Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
 Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
 Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
 Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
 If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
 The data type is integer.
 Supported operations are Add, Delete, Get, Replace.
 Valid values are:
 - 0 - Not configured (Default)
 - 1 - Beta Channel - Prerelease
 - 2 - Current Channel (Preview)
 - 3 - Current Channel (Staged)
 - 4 - Current Channel (Broad)
 <a href="" id="configuration-supportloglocation"></a>**Configuration/SignaturesUpdatesChannel** 
 Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout.
 Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
 If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.
 The data type is integer.
 Supported operations are Add, Delete, Get, Replace.
 Valid Values are:
 - 0: Not configured (Default)
 - 3: Current Channel (Staged)
 - 4: Current Channel (Broad)
 <a href="" id="scan"></a>**Scan**  
 Node that can be used to start a Windows Defender scan on a device.
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@ -128,7 +128,7 @@ Requirements:
    > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later.
    > 
    > The default behavior for older releases is to revert to **User Credential**.
-    > **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device.
+    > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop.
    When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
@ -20,6 +20,7 @@ The EnterpriseDesktopAppManagement configuration service provider is used to han
 Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example).
 The following shows the EnterpriseDesktopAppManagement CSP in tree format.
 ```
 ./Device/Vendor/MSFT
 EnterpriseDesktopAppManagement
@ -37,6 +38,7 @@ EnterpriseDesktopAppManagement
 --------UpgradeCode
 ------------Guid
 ```
 <a href="" id="--vendor-msft-enterprisedesktopappmanagement"></a>**./Device/Vendor/MSFT/EnterpriseDesktopAppManagement**
 The root node for the EnterpriseDesktopAppManagement configuration service provider.
@ -194,15 +196,15 @@ The following table describes the fields in the previous sample:
 The following table describes the fields in the previous sample:
-| Name   | Description                                                                                                                                                |
+| Name   | Description |
-|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|--------|-----------------------|
-| Get    | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application.                                 |
+| Get    | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application.|
-| CmdID  | Input value used to reference the request. Responses will include this value which can be used to match request and response.                              |
+| CmdID  | Input value used to reference the request. Responses will include this value which can be used to match request and response. |
 | LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. |
-**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to preceed the Exec command.**
+**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to precede the Exec command.**
 ```xml
 <SyncML xmlns="SYNCML:SYNCML1.1">
@ -292,7 +294,8 @@ The following table describes the fields in the previous sample:
-> **Note**  Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at <https://technet.microsoft.com/library/cc759262(v=ws.10).aspx>.
+> [!Note]
 > Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx).
@ -401,7 +404,7 @@ The following table MsiInstallJob describes the schema elements.
 <td>Command-line options to be used when calling MSIEXEC.exe</td>
 </tr>
 <tr class="even">
-<td>Timeout</td>
+<td>TimeOut</td>
 <td>Amount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation.</td>
 </tr>
 <tr class="odd">
@ -550,21 +553,18 @@ Here's a list of references:
 ```xml
 <Alert>
-       <CmdID>4</CmdID>
+   <CmdID>4</CmdID>
-       <Data>1224</Data>
+   <Data>1224</Data>
-       <Item>
+   <Item>
-          <Source>
+      <Source>
-             <LocURI>./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{AF9257BA-6BBD-4624-AA9B-0182D50292C3}/DownloadInstall</LocURI>
+         <LocURI>./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{AF9257BA-6BBD-4624-AA9B-0182D50292C3}/DownloadInstall</LocURI>
-          </Source>
+      </Source>
-          <Meta>
+      <Meta>
-             <Type xmlns="syncml:metinf">Reversed-Domain-Name:com.microsoft.mdm.win32csp_install</Type>
+         <Type xmlns="syncml:metinf">Reversed-Domain-Name:com.microsoft.mdm.win32csp_install</Type>
-             <Format xmlns="syncml:metinf">int</Format>
+         <Format xmlns="syncml:metinf">int</Format>
-             <Mark xmlns="syncml:metinf">informational</Mark>
+         <Mark xmlns="syncml:metinf">informational</Mark>
-          </Meta>
+      </Meta>
-          <Data>0</Data>
+      <Data>0</Data>
-       </Item>
+   </Item>
 </Alert>
 ```
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@ -502,8 +502,8 @@ The following list of data points are verified by the DHA-Service in DHA-Report
 - [HealthStatusMismatchFlags](#healthstatusmismatchflags)
 \*  TPM 2.0 only   
-**  Reports if Bitlocker was enabled during initial boot.    
+\*\*  Reports if BitLocker was enabled during initial boot.    
-*** The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot.  
+\*\*\* The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot.  
 Each of these are described in further detail in the following sections, along with the recommended actions to take.
@ -547,8 +547,8 @@ Each of these are described in further detail in the following sections, along w
 -   Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history.
 -   Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
-<a href="" id="bitlockerstatus"></a>**BitlockerStatus** (at boot time) 
+<a href="" id="bitlockerstatus"></a>**BitLockerStatus** (at boot time) 
-<p style="margin-left: 20px">When Bitlocker is reported &quot;on&quot; at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.</p>
+<p style="margin-left: 20px">When BitLocker is reported &quot;on&quot; at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.</p>
 <p style="margin-left: 20px">Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.</p>
@ -614,7 +614,7 @@ Each of these are described in further detail in the following sections, along w
 -   Disallow all access
 -   Disallow access to HBI assets
 -   Place the device in a watch list to monitor the device more closely for potential risks.
-   Trigger a corrective action, such as enabling VSM using WMI or a Powershell script.  
+-   Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script.  
 <a href="" id="oskerneldebuggingenabled"></a>**OSKernelDebuggingEnabled**
 <p style="margin-left: 20px">OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.</p>
@ -659,7 +659,7 @@ Each of these are described in further detail in the following sections, along w
 -   Disallow all access
 -   Disallow access to HBI and MBI assets
 -   Place the device in a watch list to monitor the device more closely for potential risks.
-   Trigger a corrective action, such as enabling test signing using WMI or a Powershell script.
+-   Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script.
 <a href="" id="safemode"></a>**SafeMode**  
 <p style="margin-left: 20px">Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.</p>
@ -1176,4 +1176,3 @@ xmlns="http://schemas.microsoft.com/windows/security/healthcertificate/validatio
 [Configuration service provider reference](configuration-service-provider-reference.md)
--- a/windows/client-management/mdm/policy-csp-localusersandgroups.md
+++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md
@ -14,9 +14,6 @@ manager: dansimp
 # Policy CSP - LocalUsersAndGroups
 > [!WARNING]
 > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
 <hr/>
 <!--Policies-->
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@ -719,7 +719,7 @@ ADMX Info:
 <!--/SupportedValues-->
 <!--Example-->
 Example for setting the device custom OMA-URI setting to enable this policy:  
-To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```.\[device|user]\vendor\msft\policy\[config|result]\Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1.
+To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1.
 See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settings-windows-10) for information on how to create custom profiles.
 <!--/Example-->
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@ -741,13 +741,13 @@ The following list shows the supported values for Windows 8.1:
 In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft.
-The following list shows the supported values for Windows 10 version 1809 and older:
+The following list shows the supported values for Windows 10 version 1809 and older, choose the value that is applicable to your OS version (older OS values are displayed in the brackets):
-
+-   0 – **Off (Security)** This turns Windows diagnostic data off.  
 -   0 – (**Security**) This turns Windows diagnostic data off.  
    **Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1.
-   1 – (**Required**) Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date.
+-   1 – **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date.
 -   2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps.  
-   3 – (**Optional**) Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs.
+    **Note**:  **Enhanced** is no longer an option for Windows Holographic, version 21H1.
 -   3 – **Optional (Full)** Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs.
 Most restrictive value is 0.
@ -1683,7 +1683,7 @@ To enable this behavior, you must complete two steps:
 -   Enable this policy setting
 -   Set the **AllowTelemetry** level:
-    - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced
+    - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. (**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1)
    - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full)
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@ -17,7 +17,7 @@ ms.date: 02/23/2018
 The Update configuration service provider enables IT administrators to manage and control the rollout of new updates.
 > [!NOTE]
-> The Update CSP functionality of 'AprrovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies.
+> The Update CSP functionality of 'ApprovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies.
 The following shows the Update configuration service provider in tree format.
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@ -390,6 +390,9 @@ Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile.
 The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface.
 > [!NOTE]  
 > Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT.
 <a href="" id="vpnv2-profilename-domainnameinformationlist-dnirowid"></a>**VPNv2/**<em>ProfileName</em>**/DomainNameInformationList/**<em>dniRowId</em>  
 A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
@ -1600,4 +1603,3 @@ Servers
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@ -1,11 +1,11 @@
- name: Deploy and update Windows 10
+- name: Deploy and update Windows client
  href: index.yml
  items: 
    - name: Get started
      items: 
        - name: What's new
          href: deploy-whats-new.md
-        - name: Windows 10 deployment scenarios
+        - name: Windows client deployment scenarios
          href: windows-10-deployment-scenarios.md
        - name: What is Windows as a service?
          href: update/waas-quick-start.md
@ -33,6 +33,8 @@
    - name: Plan
      items:
        - name: Plan for Windows 11
          href: /windows/whats-new/windows-11-plan
        - name: Create a deployment plan
          href: update/create-deployment-plan.md
        - name: Define readiness criteria
@ -67,6 +69,8 @@
    - name: Prepare
      items: 
        - name: Prepare for Windows 11
          href: /windows/whats-new/windows-11-prepare
        - name: Prepare to deploy Windows 10 updates
          href: update/prepare-deploy-windows.md
        - name: Evaluate and update infrastructure
@ -96,11 +100,11 @@
    - name: Deploy
      items: 
-        - name: Deploy Windows 10
+        - name: Deploy Windows client
          items:
-            - name: Deploy Windows 10 with Autopilot
+            - name: Deploy Windows client with Autopilot
              href: windows-autopilot/index.yml
-            - name: Deploy Windows 10 with Configuration Manager
+            - name: Deploy Windows client with Configuration Manager
              items:
                - name: Deploy to a new device
                  href: deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
@ -110,7 +114,7 @@
                  href: deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
                - name: In-place upgrade
                  href: deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
-            - name: Deploy Windows 10 with MDT
+            - name: Deploy Windows client with MDT
              items:
                - name: Deploy to a new device
                  href: deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@ -263,6 +267,8 @@
      items:
        - name: How does Windows Update work?
          href: update/how-windows-update-works.md
        - name: Windows 10 upgrade paths
          href: upgrade/windows-10-upgrade-paths.md
        - name: Deploy Windows 10 with Microsoft 365
          href: deploy-m365.md
        - name: Understanding the Unified Update Platform
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@ -1,9 +1,9 @@
 ---
-title: What's new in Windows 10 deployment
+title: What's new in Windows client deployment
 ms.reviewer: 
 manager: laurawi
 ms.author: greglin
-description: Use this article to learn about new solutions and online content related to deploying Windows 10 in your organization.
+description: Use this article to learn about new solutions and online content related to deploying Windows in your organization.
 keywords: deployment, automate, tools, configure, news
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
@ -16,19 +16,25 @@ ms.topic: article
 ms.custom: seo-marvel-apr2020
 ---
-# What's new in Windows 10 deployment
+# What's new in Windows client deployment
 **Applies to:**
 - Windows 10
 - Windows 11
 ## In this topic
-This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization.
+This topic provides an overview of new solutions and online content related to deploying Windows client in your organization.
 - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index).
 ## Latest news
 Check out the following new articles about Windows 11:
 - [Overview of Windows 11](/windows/whats-new/windows-11)
 - [Plan for Windows 11](/windows/whats-new/windows-11-plan)
 - [Prepare for Windows 11](/windows/whats-new/windows-11-prepare)
 [SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later.<br>
 The [Windows ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install) is available.<br>
 New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).<br>
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@ -1,10 +1,10 @@
 ### YamlMime:Landing
-title: Windows 10 deployment resources and documentation # < 60 chars
+title: Windows client deployment resources and documentation # < 60 chars
-summary: Learn about deploying and keeping Windows 10 up to date.  # < 160 chars
+summary: Learn about deploying and keeping Windows client devices up to date.  # < 160 chars
 metadata:
-  title: Windows 10 deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
+  title: Windows client deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
  description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars.
  services: windows-10
  ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
@ -13,7 +13,7 @@ metadata:
  ms.collection: windows-10
  author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
  ms.author: greglin #Required; microsoft alias of author; optional team alias.
-  ms.date: 08/05/2020 #Required; mm/dd/yyyy format.
+  ms.date: 06/24/2021 #Required; mm/dd/yyyy format.
  localization_priority: medium
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@ -40,7 +40,7 @@ landingContent:
    linkLists:
      - linkListType: how-to-guide
        links:
-          - text: Prepare to deploy Windows 10 updates
+          - text: Prepare to deploy Windows updates
            url: update/prepare-deploy-windows.md
          - text: Prepare updates using Windows Update for Business
            url: update/waas-manage-updates-wufb.md
@ -65,8 +65,10 @@ landingContent:
      - linkListType: overview
        links:
          - text: What's new in Windows deployment
-            url: windows-10-deployment-scenarios.md
+            url: deploy-whats-new.md
-          - text: Windows 10 deployment scenarios
+          - text: Windows 11 overview
            url: /windows/whats-new/windows-11.md
          - text: Windows client deployment scenarios
            url: windows-10-deployment-scenarios.md
          - text: Basics of Windows updates, channels, and tools
            url:  update/get-started-updates-channels-tools.md
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@ -125,7 +125,7 @@ Deployment scheduling controls are always available, but to take advantage of th
 > Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect.
 - Diagnostic data is set to *Required* or *Optional*.
- The **AllowWUfBCloudProcessing** policy is set to **1**.
+- The **AllowWUfBCloudProcessing** policy is set to **8**.
 #### Set the **AllowWUfBCloudProcessing** policy
@ -148,8 +148,8 @@ Following is an example of setting the policy using Microsoft Endpoint Manager:
    - Name: **AllowWUfBCloudProcessing**
    - Description: Enter a description.
    - OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing`
-    - Data type: **String**
+    - Data type: **Integer**
-    - Value: **1**
+    - Value: **8**
 6. In **Assignments**, select the groups that will receive the profile, and then select **Next**.
 7. In **Review + create**, review your settings, and then select **Create**.
 8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**.
--- a/windows/deployment/update/fod-and-lang-packs.md
+++ b/windows/deployment/update/fod-and-lang-packs.md
@ -18,6 +18,8 @@ ms.custom: seo-marvel-apr2020
 > Applies to: Windows 10
 In Windows 10 version 21H2, non-Administrator user accounts can add both a display language and its corresponding language features.
 As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS.
 The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions.
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@ -84,6 +84,9 @@ This table shows the correct sequence for applying the various tasks to the file
 > [!NOTE]
 > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
 > [!NOTE]
 > Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
 ### Multiple Windows editions
 The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
--- a/windows/deployment/update/update-baseline.md
+++ b/windows/deployment/update/update-baseline.md
@ -40,8 +40,7 @@ For the complete detailed list of all settings and their values, see the MSFT Wi
 ## How do I get started? 
-The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=101056) from the Download Center. 
+The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from the Download Center. 
 Today, the Update Baseline toolkit is currently only available for use with Group Policy. 
--- a/windows/hub/TOC.yml
+++ b/windows/hub/TOC.yml
@ -1,8 +1,13 @@
- name: Windows 10
+- name: Windows
  href: index.yml
  items: 
    - name: What's new
-      href: /windows/whats-new
+      expanded: true
      items:
        - name: What's new in Windows
          href: /windows/whats-new
        - name: Windows 11
          href: /windows/whats-new/windows-11
    - name: Release information
      href: /windows/release-health
    - name: Deployment
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@ -1,11 +1,11 @@
 ### YamlMime:Landing
-title: Windows 10 resources and documentation for IT Pros # < 60 chars
+title: Windows client resources and documentation for IT Pros # < 60 chars
-summary: Plan, deploy, secure, and manage devices running Windows 10.  # < 160 chars
+summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows 11.  # < 160 chars
 metadata:
-  title: Windows 10 documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars.
+  title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars.
-  description: Evaluate, plan, deploy, secure and manage devices running Windows 10. # Required; article description that is displayed in search results. < 160 chars.
+  description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
  services: windows-10
  ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
  ms.subservice: subservice
@ -13,7 +13,7 @@ metadata:
  ms.collection: windows-10
  author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
  ms.author: greglin #Required; microsoft alias of author; optional team alias.
-  ms.date: 10/20/2020 #Required; mm/dd/yyyy format.
+  ms.date: 06/01/2020 #Required; mm/dd/yyyy format.
  localization_priority: medium
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@ -26,13 +26,17 @@ landingContent:
    linkLists:
      - linkListType: overview
        links:
          - text: Windows 11 overview
            url: /windows/whats-new/windows-11
          - text: Windows 11 requirements
            url: /windows/whats-new/windows-11-requirements
          - text: Plan for Windows 11
            url: /windows/whats-new/windows-11-plan
          - text: Prepare for Windows 11
            url: /windows/whats-new/windows-11-prepare
          - text: What's new in Windows 10, version 21H1
            url: /windows/whats-new/whats-new-windows-10-version-21H1
-          - text: What's new in Windows 10, version 20H2
+          - text: Windows release information
            url: /windows/whats-new/whats-new-windows-10-version-20H2
          - text: What's new in Windows 10, version 2004
            url: /windows/whats-new/whats-new-windows-10-version-2004
          - text: Windows 10 release information
            url:  /windows/release-health/release-information
  # Card (optional)
@ -40,7 +44,7 @@ landingContent:
    linkLists:
      - linkListType: how-to-guide
        links:
-          - text: Configure Windows 10
+          - text: Configure Windows
            url: /windows/configuration/index
          - text: Accessibility information for IT Pros
            url: /windows/configuration/windows-10-accessibility-for-itpros
@ -54,13 +58,13 @@ landingContent:
    linkLists:
      - linkListType: deploy
        links:
-          - text: Deploy and update Windows 10
+          - text: Deploy and update Windows
            url: /windows/deployment/index
-          - text: Windows 10 deployment scenarios
+          - text: Windows deployment scenarios
            url: /windows/deployment/windows-10-deployment-scenarios
          - text: Create a deployment plan
            url: /windows/deployment/update/create-deployment-plan
-          - text: Prepare to deploy Windows 10
+          - text: Prepare to deploy Windows client
            url: /windows/deployment/update/prepare-deploy-windows
@ -69,7 +73,7 @@ landingContent:
    linkLists:
      - linkListType: how-to-guide
        links:
-          - text: Windows 10 application management
+          - text: Windows application management
            url: /windows/application-management/index
          - text: Understand the different apps included in Windows 10
            url: /windows/application-management/apps-in-windows-10
@ -83,9 +87,9 @@ landingContent:
    linkLists:
      - linkListType: how-to-guide
        links:
-          - text: Windows 10 client management
+          - text: Windows client management
            url: /windows/client-management/index
-          - text: Administrative tools in Windows 10
+          - text: Administrative tools 
            url: /windows/client-management/administrative-tools-in-windows-10
          - text: Create mandatory user profiles
            url: /windows/client-management/mandatory-user-profile
@ -97,7 +101,7 @@ landingContent:
    linkLists:
      - linkListType: how-to-guide
        links:
-          - text: Windows 10 Enterprise Security
+          - text: Windows Enterprise Security
            url: /windows/security/index
          - text: Windows Privacy
            url: /windows/privacy/index
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@ -0,0 +1,103 @@
 ---
 title: Azure Active Directory join cloud only deployment
 description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 device. 
 keywords: identity, Hello, Active Directory, cloud, 
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, mobile
 audience: ITPro
 author: mapalko
 ms.author: mapalko
 manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 localizationpriority: medium
 ms.date: 06/23/2021
 ms.reviewer: 
 ---
 # Azure Active Directory join cloud only deployment
 ## Introduction
 When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed.
 You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below.
 > [!NOTE]
 > During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts.
 ## Prerequisites
 Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business enrollment process.
 The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment).
 Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge.
 Check and view this setting with the following MSOnline PowerShell command:
 `Get-MsolDomainFederationSettings –DomainName <your federated domain name>`
 To disable this setting, run the following command. Note that this change impacts ALL Azure AD MFA scenarios for this federated domain.
 `Set-MsolDomainFederationSettings -DomainName <your federated domain name> -SupportsMfa $false`
 Example:
 `Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMfa $false`
 If you use this Supports MFA switch with value **True**, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP.
 ## Use Intune to disable Windows Hello for Business enrollment
 We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello).
 However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't using Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business.
 ## Disable Windows Hello for Business using Intune Enrollment policy
 1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center.
 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens.
 3. If you don't want to enable Windows Hello for Business during device enrollment, select **Disabled** for **Configure Windows Hello for Business**.
   When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business.
 > [!NOTE]
 > This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](hello-manage-in-organization.md).
 ## Disable Windows Hello for Business enrollment without Intune
 The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you don't manage them with Intune. This push can also be set manually on the specific device(s).
 Because these systems are Azure AD Joined only, and not domain joined, these settings could be made in the registry on the device(s) when Intune isn't used.
 Here are the registry settings an Intune policy would set.
 Intune Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies`**
 To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant)
 These registry settings are pushed from Intune for user policies for your reference.
 - Intune User Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\UserSid\Policies`**
 - DWORD: **UsePassportForWork**
 - Value = **0** for Disable, or Value = **1** for Enable
 For your reference, these registry settings can be applied from Local or Group Policies.
 - Local/GPO User Policy: **`HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork`**
 - Local/GPO Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`**
 - DWORD: **Enabled**
 - Value = **0** for Disable or Value = **1** for Enable
 If there's a conflicting Device policy and User policy, the User policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results.
 ## Related reference documents for Azure AD join scenarios
 - [Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join)
 - [Plan your Azure Active Directory device deployment](/azure/active-directory/devices/plan-device-deployment)
 - [How to: Plan your Azure AD join implementation](/azure/active-directory/devices/azureadjoin-plan)
 - [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin)
 - [Manage device identities using the Azure portal](/azure/active-directory/devices/device-management-azure-portal)
 - [Azure AD Join Single Sign-on Deployment](hello-hybrid-aadj-sso.md)
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@ -101,6 +101,8 @@
        href: hello-cert-trust-validate-deploy-mfa.md
      - name: Configure Windows Hello for Business policy settings
        href: hello-cert-trust-policy-settings.md
    - name: Azure AD join cloud only deployment
      href: hello-aad-join-cloud-only-deploy.md
    - name: Managing Windows Hello for Business in your organization
      href: hello-manage-in-organization.md
    - name: Deploying Certificates to Key Trust Users to Enable RDP
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
@ -26,12 +26,12 @@ This article depicts the BitLocker deployment comparison chart.
 ## BitLocker deployment comparison chart
-|  |Microsoft Intune  |Microsoft Endpoint Configuration Manager  |Microsoft BitLocker Administration and Monitoring (MBAM)* |
+|  |Microsoft Intune  |Microsoft Endpoint Configuration Manager  |Microsoft BitLocker Administration and Monitoring (MBAM) |
 |---------|---------|---------|---------|
 |**Requirements**||||
 |Minimum client operating system version     |Windows 10     | Windows 10 and Windows 8.1  | Windows 7 and later        |
 |Supported Windows 10 SKUs     |    Enterprise, Pro, Education     |    Enterprise, Pro, Education     |     Enterprise    |
-|Minimum Windows 10 version     |1909**   |    None     |    None     |
+|Minimum Windows 10 version     |1909   |    None     |    None     |
 |Supported domain-joined status     |     Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined    |   Active Directory joined, hybrid Azure AD joined      |     Active Directory joined    |
 |Permissions required to manage policies     |    Endpoint security manager or custom     |   Full administrator or custom      |     Domain Admin or Delegated GPO access    |
 |Cloud or on premises      |     Cloud    |  On premises     |    On premises     |
@ -47,8 +47,7 @@ This article depicts the BitLocker deployment comparison chart.
 |Select cipher strength and algorithms for fixed drives      |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     | :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |
 |Select cipher strength and algorithms for removable drives     |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
 |Select cipher strength and algorithms for operating environment drives     |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |
-|Standard recovery password storage location     |     Azure AD or 
+|Standard recovery password storage location     |     Azure AD or Active Directory    |     Configuration Manager site database    |    MBAM database     |
 Active Directory    |     Configuration Manager site database    |    MBAM database     |
 |Store recovery password for operating system and fixed drives to Azure AD or Active Directory     |    Yes (Active Directory and Azure AD)     | Yes (Active Directory only)      |   Yes (Active Directory only)      |
 |Customize preboot message and recovery link     | :::image type="content" source="images/yes-icon.png" alt-text="supported":::         | :::image type="content" source="images/yes-icon.png" alt-text="supported":::        |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |
 |Allow/deny key file creation     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@ -111,21 +111,20 @@ The following table defines which Windows features require TPM support.
 Windows Features | TPM Required | Supports TPM 1.2  | Supports TPM 2.0  | Details  |
 -|-|-|-|-
- Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot
+ Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated.  
 BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Automatic Device Encryption requires Modern Standby](../bitlocker/bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) including TPM 2.0 support
 Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0.
 Windows Defender Application Control (Device Guard) | No | Yes | Yes
- Windows Defender System Guard | Yes | No | Yes
+ Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
- Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported.
+ Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with Windows Defender System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement of this enhanced security for customers.
- Device Health Attestation| Yes | Yes | Yes
+ Device Health Attestation| Yes | Yes | Yes | TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated.
- Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support.
+ Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage.
 UEFI Secure Boot | No | Yes | Yes
 TPM Platform Crypto Provider Key Storage Provider| Yes | Yes | Yes
 Virtual Smart Card | Yes | Yes | Yes
 Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM.
 Autopilot | No | N/A | Yes | If you intend to deploy a scenario which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required.
 SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
 DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
 ## OEM Status on TPM 2.0 system availability and certified parts
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@ -52,9 +52,9 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
 ## Create a WIP policy
-1. Sign in to the Azure portal.
+1. Sign in to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
-2. Open Microsoft Intune and click **Client apps** > **App protection policies** > **Create policy**.
+2. Open Microsoft Intune and click **Apps** > **App protection policies** > **Create policy**.
   ![Open Client apps](images/create-app-protection-policy.png)
@ -486,7 +486,7 @@ Specify the proxy servers your devices will go through to reach your cloud resou
 Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
 This list shouldn’t include any servers listed in your Internal proxy servers list. 
-Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
+Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
 Separate multiple resources with the ";" delimiter.
 ```console
@ -498,7 +498,7 @@ proxy.contoso.com:80;proxy2.contoso.com:443
 Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
 This list shouldn’t include any servers listed in your Proxy servers list.
-Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
+Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
 Separate multiple resources with the ";" delimiter.
 ```console
--- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
@ -21,8 +21,7 @@ ms.technology: mde
 - Windows 10
 - Windows Server 2016
-
+This auditing subcategory should not have any events in it, but for some reason Success auditing will enable the generation of event [4985(S): The state of a transaction has changed](/windows/security/threat-protection/auditing/event-4985).
 This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed.
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                              |
 |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------|
@ -35,4 +34,3 @@ This auditing subcategory should not have any events in it, but for some reason
 -   [4985](event-4985.md)(S): The state of a transaction has changed.
--- a/windows/security/threat-protection/auditing/basic-audit-account-management.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md
@ -44,51 +44,51 @@ set this value to **No auditing**, in the **Properties** dialog box for this pol
 You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
-| Account management events |                                                                                                                                                       Description                                                                                                                                                       |
+| Account management events | Description |
-|---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| :-----------------------: | :---------- |
-|            624            |                                                                                                                                               A user account was created.                                                                                                                                               |
+| 4720 | A user account was created.      |
-|            627            |                                                                                                                                              A user password was changed.                                                                                                                                               |
+| 4723 | A user password was changed.     |
-|            628            |                                                                                                                                                A user password was set.                                                                                                                                                 |
+| 4724 | A user password was set.         |
-|            630            |                                                                                                                                               A user account was deleted.                                                                                                                                               |
+| 4726 | A user account was deleted.      |
-|            631            |                                                                                                                                               A global group was created.                                                                                                                                               |
+| 4727 | A global group was created.      |
-|            632            |                                                                                                                                          A member was added to a global group.                                                                                                                                          |
+| 4728 | A member was added to a global group. |
-|            633            |                                                                                                                                        A member was removed from a global group.                                                                                                                                        |
+| 4729 | A member was removed from a global group. |
-|            634            |                                                                                                                                               A global group was deleted.                                                                                                                                               |
+| 4730 | A global group was deleted. |
-|            635            |                                                                                                                                             A new local group was created.                                                                                                                                              |
+| 4731 | A new local group was created. |
-|            636            |                                                                                                                                          A member was added to a local group.                                                                                                                                           |
+| 4732 | A member was added to a local group. |
-|            637            |                                                                                                                                        A member was removed from a local group.                                                                                                                                         |
+| 4733 | A member was removed from a local group. |
-|            638            |                                                                                                                                               A local group was deleted.                                                                                                                                                |
+| 4734 | A local group was deleted.          |
-|            639            |                                                                                                                                           A local group account was changed.                                                                                                                                            |
+| 4735 | A local group account was changed.  |
-|            641            |                                                                                                                                           A global group account was changed.                                                                                                                                           |
+| 4737 | A global group account was changed. |
-|            642            |                                                                                                                                               A user account was changed.                                                                                                                                               |
+| 4738 | A user account was changed. |
-|            643            |                                                                                                                                              A domain policy was modified.                                                                                                                                              |
+| 4739 | A domain policy was modified. |
-|            644            |                                                                                                                                             A user account was auto locked.                                                                                                                                             |
+| 4740 | A user account was auto locked. |
-|            645            |                                                                                                                                             A computer account was created.                                                                                                                                             |
+| 4741 | A computer account was created. |
-|            646            |                                                                                                                                             A computer account was changed.                                                                                                                                             |
+| 4742 | A computer account was changed. |
-|            647            |                                                                                                                                             A computer account was deleted.                                                                                                                                             |
+| 4743 | A computer account was deleted. |
-|            648            |                                                                A local security group with security disabled was created.<br>**Note:**  SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks.                                                                |
+| 4744 | A local security group with security disabled was created.<br> **Note:**  SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks |
-|            649            |                                                                                                                               A local security group with security disabled was changed.                                                                                                                                |
+| 4745 | A local security group with security disabled was changed. |
-|            650            |                                                                                                                             A member was added to a security-disabled local security group.                                                                                                                             |
+| 4746 | A member was added to a security-disabled local security group. |
-|            651            |                                                                                                                           A member was removed from a security-disabled local security group.                                                                                                                           |
+| 4747 | A member was removed from a security-disabled local security group. |
-|            652            |                                                                                                                                      A security-disabled local group was deleted.                                                                                                                                       |
+| 4748 | A security-disabled local group was deleted. |
-|            653            |                                                                                                                                      A security-disabled global group was created.                                                                                                                                      |
+| 4749 | A security-disabled global group was created. |
-|            645            |                                                                                                                                      A security-disabled global group was changed.                                                                                                                                      |
+| 4750 | A security-disabled global group was changed. |
-|            655            |                                                                                                                                 A member was added to a security-disabled global group.                                                                                                                                 |
+| 4751 | A member was added to a security-disabled global group. |
-|            656            |                                                                                                                               A member was removed from a security-disabled global group.                                                                                                                               |
+| 4752 | A member was removed from a security-disabled global group. |
-|            657            |                                                                                                                                      A security-disabled global group was deleted.                                                                                                                                      |
+| 4753 | A security-disabled global group was deleted. |
-|            658            |                                                                                                                                     A security-enabled universal group was created.                                                                                                                                     |
+| 4754 | A security-enabled universal group was created. |
-|            659            |                                                                                                                                     A security-enabled universal group was changed.                                                                                                                                     |
+| 4755 | A security-enabled universal group was changed. |
-|            660            |                                                                                                                                A member was added to a security-enabled universal group.                                                                                                                                |
+| 4756 | A member was added to a security-enabled universal group. |
-|            661            |                                                                                                                              A member was removed from a security-enabled universal group.                                                                                                                              |
+| 4757 | A member was removed from a security-enabled universal group. |
-|            662            |                                                                                                                                     A security-enabled universal group was deleted.                                                                                                                                     |
+| 4758 | A security-enabled universal group was deleted. |
-|            663            |                                                                                                                                    A security-disabled universal group was created.                                                                                                                                     |
+| 4759 | A security-disabled universal group was created. |
-|            664            |                                                                                                                                    A security-disabled universal group was changed.                                                                                                                                     |
+| 4760 | A security-disabled universal group was changed. |
-|            665            |                                                                                                                               A member was added to a security-disabled universal group.                                                                                                                                |
+| 4761 | A member was added to a security-disabled universal group. |
-|            666            |                                                                                                                             A member was removed from a security-disabled universal group.                                                                                                                              |
+| 4762 | A member was removed from a security-disabled universal group. |
-|            667            |                                                                                                                                    A security-disabled universal group was deleted.                                                                                                                                     |
+| 4763 | A security-disabled universal group was deleted. |
-|            668            |                                                                                                                                                A group type was changed.                                                                                                                                                |
+| 4764 | A group type was changed. |
-|            684            |                                                                                                                            Set the security descriptor of members of administrative groups.                                                                                                                             |
+| 4780 | Set the security descriptor of members of administrative groups. |
-|            685            | Set the security descriptor of members of administrative groups.<br>**Note:**  Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. |
+|  685 | Set the security descriptor of members of administrative groups.<br> **Note:**  Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. |
 ## Related topics
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@ -166,13 +166,78 @@ The most common values:
 > Table 6. Kerberos ticket flags.
-   **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the most common error codes for this event:
+-   **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the error codes for this event as defined in [RFC 4120](https://tools.ietf.org/html/rfc4120#section-7.5.9):
 | Code | Code Name                      | Description                                                  | Possible causes                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
 |------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
+| 0x0         | KDC\_ERR\_NONE                            | No error                                        |
-| 0x17 | KDC\_ERR\_KEY\_EXPIRED         | Password has expired—change password to reset                | The user’s password has expired.                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
+| 0x1         | KDC\_ERR\_NAME\_EXP                       | Client's entry in database has expired          |
-| 0x18 | KDC\_ERR\_PREAUTH\_FAILED      | Pre-authentication information was invalid                   | The wrong password was provided.                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
+| 0x2         | KDC\_ERR\_SERVICE\_EXP                    | Server's entry in database has expired          |
 | 0x3         | KDC\_ERR\_BAD\_PVNO                       | Requested protocol version number not supported |
 | 0x4         | KDC\_ERR\_C\_OLD\_MAST\_KVNO              | Client's key encrypted in old master key        |
 | 0x5         | KDC\_ERR\_S\_OLD\_MAST\_KVNO              | Server's key encrypted in old master key        |
 | 0x6         | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN           | Client not found in Kerberos database           |
 | 0x7         | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN           | Server not found in Kerberos database           |
 | 0x8         | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE          | Multiple principal entries in database          |
 | 0x9         | KDC\_ERR\_NULL\_KEY                       | The client or server has a null key             |
 | 0xa         | KDC\_ERR\_CANNOT\_POSTDATE                | Ticket not eligible for postdating              |
 | 0xb         | KDC\_ERR\_NEVER\_VALID                    | Requested starttime is later than end time      |
 | 0xc         | KDC\_ERR\_POLICY                          | KDC policy rejects request                      |
 | 0xd         | KDC\_ERR\_BADOPTION                       | KDC cannot accommodate requested option         |
 | 0xe         | KDC\_ERR\_ETYPE\_NOSUPP                   | KDC has no support for encryption type          |
 | 0xf         | KDC\_ERR\_SUMTYPE\_NOSUPP                 | KDC has no support for checksum type            |
 | 0x10         | KDC\_ERR\_PADATA\_TYPE\_NOSUPP            | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
 | 0x11         | KDC\_ERR\_TRTYPE\_NOSUPP                  | KDC has no support for transited type           |
 | 0x12         | KDC\_ERR\_CLIENT\_REVOKED                 | Clients credentials have been revoked           |
 | 0x13         | KDC\_ERR\_SERVICE\_REVOKED                | Credentials for server have been revoked        |
 | 0x14         | KDC\_ERR\_TGT\_REVOKED                    | TGT has been revoked                            |
 | 0x15         | KDC\_ERR\_CLIENT\_NOTYET                  | Client not yet valid; try again later           |
 | 0x16         | KDC\_ERR\_SERVICE\_NOTYET                 | Server not yet valid; try again later           |
 | 0x17         | KDC\_ERR\_KEY\_EXPIRED                    | Password has expired—change password to reset   |The user’s password has expired.
 | 0x18         | KDC\_ERR\_PREAUTH\_FAILED                 | Pre-authentication information was invalid      |The wrong password was provided.
 | 0x19         | KDC\_ERR\_PREAUTH\_REQUIRED               | Additional pre-authentication required          |
 | 0x1a         | KDC\_ERR\_SERVER\_NOMATCH                 | Requested server and ticket don't match         |
 | 0x1b         | KDC\_ERR\_MUST\_USE\_USER2USER            | Server principal valid for user2user only       |
 | 0x1c         | KDC\_ERR\_PATH\_NOT\_ACCEPTED             | KDC Policy rejects transited path               |
 | 0x1d         | KDC\_ERR\_SVC\_UNAVAILABLE                | A service is not available                      |
 | 0x1f         | KRB\_AP\_ERR\_BAD\_INTEGRITY              | Integrity check on decrypted field failed       |
 | 0x20         | KRB\_AP\_ERR\_TKT\_EXPIRED                | Ticket expired                                  |
 | 0x21         | KRB\_AP\_ERR\_TKT\_NYV                    | Ticket not yet valid                            |
 | 0x22         | KRB\_AP\_ERR\_REPEAT                      | Request is a replay                             |
 | 0x23         | KRB\_AP\_ERR\_NOT\_US                     | The ticket isn't for us                         |
 | 0x24         | KRB\_AP\_ERR\_BADMATCH                    | Ticket and authenticator don't match            |
 | 0x25         | KRB\_AP\_ERR\_SKEW                        | Clock skew too great                            |
 | 0x26         | KRB\_AP\_ERR\_BADADDR                     | Incorrect net address                           |
 | 0x27         | KRB\_AP\_ERR\_BADVERSION                  | Protocol version mismatch                       |
 | 0x28         | KRB\_AP\_ERR\_MSG\_TYPE                   | Invalid msg type                                |
 | 0x29         | KRB\_AP\_ERR\_MODIFIED                    | Message stream modified                         |
 | 0x2a         | KRB\_AP\_ERR\_BADORDER                    | Message out of order                            |
 | 0x2c         | KRB\_AP\_ERR\_BADKEYVER                   | Specified version of key is not available       |
 | 0x2d         | KRB\_AP\_ERR\_NOKEY                       | Service key not available                       |
 | 0x2e         | KRB\_AP\_ERR\_MUT\_FAIL                   | Mutual authentication failed                    |
 | 0x2f         | KRB\_AP\_ERR\_BADDIRECTION                | Incorrect message direction                     |
 | 0x30         | KRB\_AP\_ERR\_METHOD                      | Alternative authentication method required      |
 | 0x31         | KRB\_AP\_ERR\_BADSEQ                      | Incorrect sequence number in message            |
 | 0x32         | KRB\_AP\_ERR\_INAPP\_CKSUM                | Inappropriate type of checksum in message       |
 | 0x33         | KRB\_AP\_PATH\_NOT\_ACCEPTED              | Policy rejects transited path                   |
 | 0x34         | KRB\_ERR\_RESPONSE\_TOO\_BIG              | Response too big for UDP; retry with TCP        |
 | 0x3c         | KRB\_ERR\_GENERIC                         | Generic error (description in e-text)           |
 | 0x3d         | KRB\_ERR\_FIELD\_TOOLONG                  | Field is too long for this implementation       |
 | 0x3e         | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED          | Reserved for PKINIT                             |
 | 0x3f         | KDC\_ERROR\_KDC\_NOT\_TRUSTED             | Reserved for PKINIT                             |
 | 0x40         | KDC\_ERROR\_INVALID\_SIG                  | Reserved for PKINIT                             |
 | 0x41         | KDC\_ERR\_KEY\_TOO\_WEAK                  | Reserved for PKINIT                             |
 | 0x42         | KDC\_ERR\_CERTIFICATE\_MISMATCH           | Reserved for PKINIT                             |
 | 0x43         | KRB\_AP\_ERR\_NO\_TGT                     | No TGT available to validate USER-TO-USER       |
 | 0x44         | KDC\_ERR\_WRONG\_REALM                    | Reserved for future use                         |
 | 0x45         | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED    | Ticket must be for USER-TO-USER                 |
 | 0x46         | KDC\_ERR\_CANT\_VERIFY\_CERTIFICATE       | Reserved for PKINIT                             |
 | 0x47         | KDC\_ERR\_INVALID\_CERTIFICATE            | Reserved for PKINIT                             |
 | 0x48         | KDC\_ERR\_REVOKED\_CERTIFICATE            | Reserved for PKINIT                             |
 | 0x49         | KDC\_ERR\_REVOCATION\_STATUS\_UNKNOWN     | Reserved for PKINIT                             |
 | 0x4a         | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT                             |
 | 0x4b         | KDC\_ERR\_CLIENT\_NAME\_MISMATCH          | Reserved for PKINIT                             |
 | 0x4c         | KDC\_ERR\_KDC\_NAME\_MISMATCH             | Reserved for PKINIT                             |                                                                   
 -   **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)) type that was used in TGT request.
--- a/windows/security/threat-protection/intelligence/fileless-threats.md
+++ b/windows/security/threat-protection/intelligence/fileless-threats.md
@ -99,7 +99,7 @@ Besides being vulnerable at the firmware level, CPUs could be manufactured with
 ## Defeating fileless malware
-At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender for Endpoint](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
+At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
 To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/)
--- a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml
@ -12,4 +12,4 @@
    - name: Microsoft Defender Application Guard Extension
      href: md-app-guard-browser-extension.md
    - name: FAQ
-      href: faq-md-app-guard.md
+      href: faq-md-app-guard.yml
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@ -1,210 +0,0 @@
 ---
 title: FAQ - Microsoft Defender Application Guard (Windows 10)
 description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard.
 ms.prod: m365-security
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.date: 05/12/2021
 ms.reviewer:
 manager: dansimp
 ms.custom: asr
 ms.technology: mde
 ---
 # Frequently asked questions - Microsoft Defender Application Guard
 **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.
 ## Frequently Asked Questions
 ### Can I enable Application Guard on machines equipped with 4-GB RAM?
 We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
 `HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
 `HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.)
 `HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)
 ### Can employees download documents from the Application Guard Edge session onto host devices?
 In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
 In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.
 ### Can employees copy and paste between the host device and the Application Guard Edge session?
 Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.
 ### Why don't employees see their favorites in the Application Guard Edge session?
 Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard)
 ### Why aren’t employees able to see their extensions in the Application Guard Edge session?
 Make sure to enable the extensions policy on your Application Guard configuration.
 ### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
 Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
 ### Which Input Method Editors (IME) in 19H1 are not supported?
 The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard:
 - Vietnam Telex keyboard
 - Vietnam number key-based keyboard
 - Hindi phonetic keyboard
 - Bangla phonetic keyboard
 - Marathi phonetic keyboard
 - Telugu phonetic keyboard
 - Tamil phonetic keyboard
 - Kannada phonetic keyboard
 - Malayalam phonetic keyboard
 - Gujarati phonetic keyboard
 - Odia phonetic keyboard
 - Punjabi phonetic keyboard
 ### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
 This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
 ### What is the WDAGUtilityAccount local account?
 WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error:
 **Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000**
 We recommend that you do not modify this account.
 ### How do I trust a subdomain in my site list?
 To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted.
 ### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
 When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md).
 ### Is there a size limit to the domain lists that I need to configure?
 Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit.
 ### Why does my encryption driver break Microsoft Defender Application Guard?
 Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
 ### Why do the Network Isolation policies in Group Policy and CSP look different?
 There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
 - Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources**
 - Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)**
 - For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
 Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
 ### Why did Application Guard stop working after I turned off hyperthreading?
 If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
 ### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"?
 Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
 ### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file?
 This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources:
 - [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md)
 - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
 #### First rule (DHCP Server)
 1. Program path: `%SystemRoot%\System32\svchost.exe`
 2. Local Service: `Sid:  S-1-5-80-2009329905-444645132-2728249442-922493431-93864177  (Internet Connection Service (SharedAccess))`
 3. Protocol UDP
 4. Port 67
 #### Second rule (DHCP Client)
 This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps:
 1. Right-click on inbound rules, and then create a new rule.
 2. Choose **custom rule**.
 3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`.
 4. Specify the following settings:
    - Protocol Type: UDP
    - Specific ports: 67
    - Remote port: any
 5. Specify any IP addresses.
 6. Allow the connection.
 7. Specify to use all profiles.
 8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
 9. In the **Programs and services** tab, under the **Services** section, select **settings**.
 10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
 ### Why can I not launch Application Guard when Exploit Guard is enabled?
 There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**.
 ### How can I disable portions of ICS without breaking Application Guard?
 ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
 1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.
 2. Disable IpNat.sys from ICS load as follows: <br/>
 `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`
 3. Configure ICS (SharedAccess) to enabled as follows: <br/>
 `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`
 4. (This is optional) Disable IPNAT as follows: <br/>
 `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`
 5. Reboot the device.
 ### Why doesn't the container fully load when device control policies are enabled?
 Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly.
 Policy: Allow installation of devices that match any of the following device IDs:
 - `SCSI\DiskMsft____Virtual_Disk____`
 - `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba`
 - `VMS_VSF`
 - `root\Vpcivsp`
 - `root\VMBus`
 - `vms_mp`
 - `VMS_VSP`
 - `ROOT\VKRNLINTVSP`
 - `ROOT\VID`
 - `root\storvsp`
 - `vms_vsmp`
 - `VMS_PP`
 Policy: Allow installation of devices using drivers that match these device setup classes
 - `{71a27cdd-812a-11d0-bec7-08002be2092f}`
 ## See also
 [Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md)
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@ -0,0 +1,251 @@
 ### YamlMime:FAQ
 metadata:
  title: FAQ - Microsoft Defender Application Guard (Windows 10)
  description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard.
  ms.prod: m365-security
  ms.mktglfcycl: manage
  ms.sitesec: library
  ms.pagetype: security
  ms.localizationpriority: medium
  author: denisebmsft
  ms.author: deniseb
  ms.date: 06/16/2021
  ms.reviewer:
  manager: dansimp
  ms.custom: asr
  ms.technology: mde
 title: Frequently asked questions - Microsoft Defender Application Guard
 summary: |
  **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
  This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.
  ## Frequently Asked Questions
 sections:
  - name: Frequently Asked Questions
    questions:
      - question: |
          Can I enable Application Guard on machines equipped with 4-GB RAM?
        answer: |
          We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
          `HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
          `HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.)
          `HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)
      - question: |
          My network configuration uses a proxy and I’m running into a “Cannot resolve External URLs from MDAG Browser: Error: err_connection_refused”. How do I resolve that?
        answer: |
         The manual or PAC server must be a hostname (not IP) that is neutral on the site-list. Additionally, if the PAC script returns a proxy, it must meet those same requirements.
         To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can:
         - Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”.
         - It must be a FQDN. A simple IP address will not work.
         - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard.
      - question: |
          Can employees download documents from the Application Guard Edge session onto host devices?
        answer: |
          In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
          In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.
      - question: |
          Can employees copy and paste between the host device and the Application Guard Edge session?
        answer: |
          Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.
      - question: |
          Why don't employees see their favorites in the Application Guard Edge session?
        answer: |
          Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard).
      - question: |
          Why aren’t employees able to see their extensions in the Application Guard Edge session?
        answer: |
          Make sure to enable the extensions policy on your Application Guard configuration.
      - question: |
          I’m trying to watch playback video with HDR, why is the HDR option missing?
        answer: |
          In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard.
      - question: |
          How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
        answer: |
          Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
      - question: |
          Which Input Method Editors (IME) in 19H1 are not supported?
        answer: |
          The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard:
          - Vietnam Telex keyboard
          - Vietnam number key-based keyboard
          - Hindi phonetic keyboard
          - Bangla phonetic keyboard
          - Marathi phonetic keyboard
          - Telugu phonetic keyboard
          - Tamil phonetic keyboard
          - Kannada phonetic keyboard
          - Malayalam phonetic keyboard
          - Gujarati phonetic keyboard
          - Odia phonetic keyboard
          - Punjabi phonetic keyboard
      - question: |
          I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
        answer: |
          This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
      - question: |
          What is the WDAGUtilityAccount local account?
        answer: |
          WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error:
          **Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000**
          We recommend that you do not modify this account.
      - question: |
          How do I trust a subdomain in my site list?
        answer: |
          To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted.
      - question: |
          Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
        answer: |
          When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md).
      - question: |
          Is there a size limit to the domain lists that I need to configure?
        answer: |
          Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit.
      - question: |
          Why does my encryption driver break Microsoft Defender Application Guard?
        answer: |
          Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
      - question: |
          Why do the Network Isolation policies in Group Policy and CSP look different?
        answer: |
          There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
          - Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources**
          - Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)**
          - For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
          Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
      - question: |
          Why did Application Guard stop working after I turned off hyperthreading?
        answer: |
          If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
      - question: |
          Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"?
        answer: |
          Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
      - question: |
          Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file?
        answer: |
          This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources:
          - [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md)
          - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
          ### First rule (DHCP Server)
          - Program path: `%SystemRoot%\System32\svchost.exe`
          - Local Service: `Sid:  S-1-5-80-2009329905-444645132-2728249442-922493431-93864177  (Internet Connection Service (SharedAccess))`
          - Protocol UDP
          - Port 67
          ### Second rule (DHCP Client)
          This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps:
          1. Right-click on inbound rules, and then create a new rule.
          2. Choose **custom rule**.
          3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`.
          4. Specify the following settings:
              - Protocol Type: UDP
              - Specific ports: 67
              - Remote port: any
          5. Specify any IP addresses.
          6. Allow the connection.
          7. Specify to use all profiles.
          8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
          9. In the **Programs and services** tab, under the **Services** section, select **settings**.
          10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
      - question: |
          Why can I not launch Application Guard when Exploit Guard is enabled?
        answer: |
          There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**.
      - question: |
          How can I disable portions of ICS without breaking Application Guard?
        answer: |
          ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
          1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.
          2. Disable IpNat.sys from ICS load as follows: <br/>
          `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`
          3. Configure ICS (SharedAccess) to enabled as follows: <br/>
          `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`
          4. (This is optional) Disable IPNAT as follows: <br/>
          `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`
          5. Reboot the device.
      - question: |
          Why doesn't the container fully load when device control policies are enabled?
        answer: |
          Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly.
          Policy: Allow installation of devices that match any of the following device IDs:
          - `SCSI\DiskMsft____Virtual_Disk____`
          - `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba`
          - `VMS_VSF`
          - `root\Vpcivsp`
          - `root\VMBus`
          - `vms_mp`
          - `VMS_VSP`
          - `ROOT\VKRNLINTVSP`
          - `ROOT\VID`
          - `root\storvsp`
          - `vms_vsmp`
          - `VMS_PP`
          Policy: Allow installation of devices using drivers that match these device setup classes
          - `{71a27cdd-812a-11d0-bec7-08002be2092f}`
 additionalContent: |
  ## See also
  [Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md)
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@ -52,5 +52,5 @@ Application Guard has been created to target several types of devices:
 |[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.|
 | [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide |
 | [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide |
-|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
+|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
 |[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|
--- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
+++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
@ -14,17 +14,20 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 06/11/2021
 ms.technology: mde
 ---
 # Access this computer from the network - security policy setting
 **Applies to**
-   Windows 10
+-   Windows 10, Azure Stack HCI, Windows Server 2022, Windows Server 2019, Windows Server 2016
 Describes the best practices, location, values, policy management, and security considerations for the **Access this computer from the network** security policy setting.
 > [!WARNING]
 > If running Windows Server or Azure Stack HCI Failover Clustering, don't remove Authenticated Users from the **Access this computer from the network** policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service won't have sufficient rights to function or start properly.
 ## Reference
 The **Access this computer from the network** policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+).
@ -43,6 +46,7 @@ Constant: SeNetworkLogonRight
 -   On desktop devices or member servers, grant this right only to users and administrators.
 -   On domain controllers, grant this right only to authenticated users, enterprise domain controllers, and administrators.
 -   On failover clusters, make sure this right is granted to authenticated users.
 -   This setting includes the **Everyone** group to ensure backward compatibility. Upon Windows upgrade, after you have verified that all users and groups are correctly migrated, you should remove the **Everyone** group and use the **Authenticated Users** group instead.
 ### Location
@ -104,6 +108,8 @@ from servers in the domain if members of the **Domain Users** group are included
 If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can log on to the domain or use network resources. If you remove this user right on member servers, users cannot connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to additional accounts that are required by those components. It is important to verify that authorized users are assigned this user right for the devices that they need to access the network.
 If running Windows Server or Azure Stack HCI Failover Clustering, do not remove Authenticated Users from the Access this computer from the network policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service will not have sufficient rights to function or start properly.
 ## Related topics
 [User Rights Assignment](user-rights-assignment.md)
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
@ -35,7 +35,7 @@ MEMCM includes native support for WDAC, which allows you to configure Windows 10
 - [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG)
 - [Optional] Apps and executables already installed in admin-definable folder locations that MEMCM will allow through a one-time scan during policy creation on managed endpoints.
-Please be aware that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot, or wait for the next reboot.
+Note that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
 For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager)
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@ -26,6 +26,9 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind
 - Event IDs beginning with 80 appear in **Applications and Services logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**
 > [!NOTE]
 > These event IDs are not applicable on Windows Server Core edition.
 ## Microsoft Windows CodeIntegrity Operational log event IDs
 | Event ID | Explanation |
@ -41,6 +44,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind
 |--------|-----------|
 | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. |
 | 8029 | Block script/MSI file |
 | 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). |
 | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | |
 ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events
@ -109,7 +113,7 @@ A list of other relevant event IDs and their corresponding description.
 | 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | 
 | 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. |
 | 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. |
-| 3086 | COM object was blocked. Learn more about COM object authorization: Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs|
+| 3086 | The file under validation does not meet the signing requirements for an isolated user mode (IUM) process. |
 | 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | 
 | 3097 | The Code Integrity policy cannot be refreshed. | 
 | 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. |
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@ -1,9 +1,9 @@
 ---
 title: Microsoft recommended driver block rules (Windows 10)
 description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.  
-keywords: security, malware, kernel mode, driver
+keywords:  security, malware, kernel mode, driver
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: m365-security
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@ -14,8 +14,7 @@ author: jgeurten
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 10/15/2020
+ms.date: 
 ms.technology: mde
 ---
 # Microsoft recommended driver block rules
@ -30,7 +29,7 @@ Microsoft has strict requirements for code running in kernel. Consequently, mali
 - Hypervisor-protected code integrity (HVCI) enabled devices
 - Windows 10 in S mode (S mode) devices
-Microsoft recommends enabling [HVCI](../device-guard/enable-virtualization-based-protection-of-code-integrity.md) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
+Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
 > [!Note]
 > This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. 
@ -127,6 +126,40 @@ Microsoft recommends enabling [HVCI](../device-guard/enable-virtualization-based
    <Deny ID="ID_DENY_SEMAV6MSR64_SHA256" FriendlyName="semav6msr64.sys Hash Sha256" Hash="EB71A8ECEF692E74AE356E8CB734029B233185EE5C2CCB6CC87CC6B36BEA65CF" />
    <Deny ID="ID_DENY_SEMAV6MSR64_SHA1_PAGE" FriendlyName="semav6msr64.sys Hash Page Sha1" Hash="F3821EC0AEF270F749DF9F44FBA91AFA5C8C38E8" />
    <Deny ID="ID_DENY_SEMAV6MSR64_SHA256_PAGE" FriendlyName="semav6msr64.sys Hash Page Sha256" Hash="4F12EE563E7496E7105D67BF64AF6B436902BE4332033AF0B5A242B206372CB7" />
    <Deny ID="ID_DENY_RETLIFTEN_SHA1_1"  FriendlyName="nt2.sys Hash Sha1" Hash="8F0B99B53EB921547AFECF1F12B3299818C4E5D1"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA1_2"  FriendlyName="nstr.sys Hash Sha1" Hash="61258963D900C2A39408EF4B51F69F405F55E407"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA1_3"  FriendlyName="nt5.sys Hash Sha1" Hash="7A43BE821832E9BF55B1B781AE468179D0E4F56E"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA1_4"  FriendlyName="80.sys Hash Sha1" Hash="BC2F3850C7B858340D7ED27B90E63B036881FD6C"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA1_5" FriendlyName="nstrwsk.sys Hash Sha1" Hash="83767982B3A5F70615A386F4D6638F20509F3560"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA1_6" FriendlyName="netfilterdrv.sys Hash Sha1" Hash="8BC75E18953B7B23991B2FBC79713E1E175F75E4"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA1_7" FriendlyName="nt3.sys Hash Sha1" Hash="295E590D49DF717C489C5C824E9C6896A14248BB"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA1_8" FriendlyName="nt4.sys Hash Sha1" Hash="EC7947AD1919C8F60BC973B96DA4132A1EA396E0"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA1_9" FriendlyName="nt6.sys Hash Sha1" Hash="8403A17AE001FEF3488C2E641E2BE553CD5B478D"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA1_10" FriendlyName="81.sys Hash Sha1" Hash="FAA870B0CB15C9AC2B9BBA5D0470BD501CCD4326"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA1_11" FriendlyName="81.sys Hash Sha1" Hash="ACA8E53483B40A06DFDEE81BB364B1622F9156FE"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA1_12" FriendlyName="full.sys Hash Sha1" Hash="4B8C0445075F09AEEF542AB1C86E5DE6B06E91A3"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA1_13" FriendlyName="netfilterdrv.sys Hash Sha1" Hash="E74B6DDA8BC53BC687FC21218BD34062A78D8467"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA1_14" FriendlyName="netfilterdrv.sys Hash Sha1" Hash="E014C6BEBFDA944CE3A58AB9FE055D4F9367D49C"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA1_15" FriendlyName="netfilterdrv.sys Hash Sha1" Hash="8241C9A5755A740811C8E8D2739B33146ACD3E6D"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA1_16" FriendlyName="netfilterdrv.sys Hash Sha1" Hash="2C27ABBBBCF10DFB75AD79557E30ACE5ED314DF8"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA1_17" FriendlyName="netfilterdrv.sys Hash Sha1" Hash="E5A152BB57060C2B27E825258698BD7FF67907FF"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA256_1"  FriendlyName="nt2.sys Hash Sha256" Hash="CB9890D4E303A4C03095D7BC176C42DEE1B47D8AA58E2F442EC1514C8F9E3CEC"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA256_2"  FriendlyName="nstr.sys Hash Sha256" Hash="455BC98BA32ADAB8B47D2D89BDBADCA4910F91C182AB2FC3211BA07D3784537B"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA256_3"  FriendlyName="nt5.sys Hash Sha256" Hash="FD33FB2735CC5EF466A54807D3436622407287E325276FCD3ED1290C98BD0533"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA256_4"  FriendlyName="80.sys Hash Sha256" Hash="F08EBDDC11AEFCB46082C239F8D97CEEA247D846E22C4BCDD72AF75C1CBC6B0B"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA256_5" FriendlyName="nstrwsk.sys Hash Sha256" Hash="3390919BB28D5C36CC348F9EF23BE5FA49BFD81263EB7740826E4437CBE904CD"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA256_6" FriendlyName="netfilterdrv.sys Hash Sha256" Hash="82774D5230C5B6604D6F67A32883F720B4695387F3F383AABC713FC2904FF45D"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA256_7" FriendlyName="nt3.sys Hash Sha256" Hash="7D8937C18D6E11A0952E53970A0934CF0E65515637AC24D6CA52CCF4B93D385F"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA256_8" FriendlyName="nt4.sys Hash Sha256" Hash="D7BC7306CB489FE4C285BBEDDC6D1A09E814EF55CF30BD5B8DAF87A52396F102"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA256_9" FriendlyName="nt6.sys Hash Sha256" Hash="15C53EB3A0EA44BBD2901A45A6EBEAE29BB123F9C1115C38DFB2CDBEC0642229"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA256_10" FriendlyName="81.sys Hash Sha256" Hash="5C206B569B7059B7C32EB5FC36922CB435C2B16C8D96DE1038C8BD298ED498FE"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA256_11" FriendlyName="81.sys Hash Sha256" Hash="3D31118A2E92377ECB632BD722132C04AF4E65E24FF87743796C75EB07CFCD71"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA256_12" FriendlyName="full.sys Hash Sha256" Hash="0988D366572A57B3015D875B60704517D05115580678E8F2E126F771EDA28F7B"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA256_13" FriendlyName="netfilterdrv.sys Hash Sha256" Hash="12A636449A491EF3DC8688C5D25BE9EBF785874F9C4573667EEFD42139201AA4"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA256_14" FriendlyName="netfilterdrv.sys Hash Sha256" Hash="651FFA0C7AFF7B4A7695DDDD209DC3E7F68156E29A14D3FCC17AEF4F2A205DCC"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA256_15" FriendlyName="netfilterdrv.sys Hash Sha256" Hash="C56536F99207915E5A1F7D4F014AB942BD820E64FF7F371AD0462EF26ED27242"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA256_16" FriendlyName="netfilterdrv.sys Hash Sha256" Hash="7F1772BDF7DD81CB00D30159D19D4EB9160B54D7609B36F781D08CA3AFBD29A7"/>
    <Deny ID="ID_DENY_RETLIFTEN_SHA256_17" FriendlyName="netfilterdrv.sys Hash Sha256" Hash="7113DEE11925B346192F6EE5441974DB7D1FE9B5BE1497A6B295C06930FDD264"/>
    <FileAttrib ID="ID_FILEATTRIB_CPUZ_DRIVER" FriendlyName="" FileName="cpuz.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.4.3" />
    <FileAttrib ID="ID_FILEATTRIB_ELBY_DRIVER" FriendlyName="" FileName="ElbyCDIO.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="6.0.3.2" />
    <FileAttrib ID="ID_FILEATTRIB_LIBNICM_DRIVER" FriendlyName="" FileName="libnicm.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
@ -352,6 +385,40 @@ Microsoft recommends enabling [HVCI](../device-guard/enable-virtualization-based
            <FileRuleRef RuleID="ID_DENY_SEMAV6MSR64_SHA256"/>
            <FileRuleRef RuleID="ID_DENY_SEMAV6MSR64_SHA1_PAGE"/>
            <FileRuleRef RuleID="ID_DENY_SEMAV6MSR64_SHA256_PAGE"/>
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_1" />
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_2" />
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_3" />
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_4" />
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_5" />
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_6" />
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_7" />
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_8" />
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_9" />
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_10"/>
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_11"/>
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_12"/>
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_13"/>
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_14"/>
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_15"/>
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_16"/>
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_17"/>
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_1" />
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_2" />
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_3" />
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_4" />
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_5" />
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_6" />
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_7" />
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_8" />
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_9" />
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_10"/>
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_11"/>
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_12"/>
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_13"/>
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_14"/>
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_15"/>
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_16"/>
            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_17"/>
        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@ -142,6 +142,9 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
 You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
 > [!NOTE]
 > For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later.
 ## More information about hashes
 ### Why does scan create four hash rules per XML file?
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md
@ -1,88 +0,0 @@
 ---
 title: How Windows Defender System Guard protect Windows 10 from firmware exploits
 description: Windows Defender System Guard in Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits.
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.reviewer: 
 manager: dansimp
 ms.author: deniseb
 author: denisebmsft
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 ms.date: 03/01/2019
 ms.custom: asr
 ms.technology: mde
 ---
 # Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10
 In order to protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
 Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
 - Protect and maintain the integrity of the system as it starts up
 - Validate that system integrity has truly been maintained through local and remote attestation
 ## Maintaining the integrity of the system as it starts
 ### Static Root of Trust for Measurement (SRTM)
 With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. 
 This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
 With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. 
 This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). 
 This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM). 
 As there are thousands of PC vendors that produce numerous models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup. 
 Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a block list), or a list of known 'good' SRTM measurements (also known as an allow list). 
 Each option has a drawback:
 - A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed. This means that the SRTM flow is inherently brittle - a minor change can invalidate the entire chain of trust.
 - A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which is slow. 
 In addition, a bug fix for UEFI code can take a long time to design, build, retest, validate, and redeploy.
 ### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM)
 Windows Defender System Guard Secure Launch, first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). 
 DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. 
 This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
 ![System Guard Secure Launch](images/system-guard-secure-launch.png)
 Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly. 
 ### System Management Mode (SMM) protection
 System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful. 
 Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. 
 SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor. 
 To defend against this, two techniques are used:
 1. Paging protection to prevent inappropriate access to code and data
 2. SMM hardware supervision and attestation
 Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. 
 This prevents access to any memory that has not been specifically assigned. 
 A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it does not access any part of the address space that it is not supposed to. 
 SMM protection is built on top of the Secure Launch technology and requires it to function. 
 In the future, Windows 10 will also measure this SMI Handler’s behavior and attest that no OS-owned memory has been tampered with. 
 ## Validating platform integrity after Windows is running (run time)
 While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity.
 As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch will not support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. 
 ![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png)
 After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@ -78,3 +78,15 @@ It can export local policy to a GPO backup.
 It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
 Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/lgpo-exe-local-group-policy-object-utility-v1-0) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
 ## What is the Set Object Security tool?
 SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object, such as files, directories, registry keys, event logs, services, and SMB shares. For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation of the security descriptor for a REG_BINARY registry value.
 Documentation for the Set Object Security tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
 ## What is the GPO to Policy Rules tool?
 Automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a command-line tool that is included with the Policy Analyzer download. 
 Documentation for the GPO to PolicyRules tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
--- a/windows/sv/TOC.yml
+++ b/windows/sv/TOC.yml
@ -1,2 +0,0 @@
 - name: Index
  href: index.md
--- a/windows/sv/breadcrumb/toc.yml
+++ b/windows/sv/breadcrumb/toc.yml
@ -1,3 +0,0 @@
 - name: Docs
  tocHref: /
  topicHref: /
--- a/windows/sv/docfx.json
+++ b/windows/sv/docfx.json
@ -1,51 +0,0 @@
 {
  "build": {
    "content": [
      {
        "files": [
          "**/*.md",
          "**/*.yml"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "_themes/**",
          "_themes.pdf/**",
          "**/docfx.json",
          "_repo.en-us/**",
          "README.md",
          "LICENSE",
          "LICENSE-CODE",
          "ThirdPartyNotices.md"
        ]
      }
    ],
    "resource": [
      {
        "files": [
          "**/*.png",
          "**/*.jpg"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "_themes/**",
          "_themes.pdf/**",
          "**/docfx.json",
          "_repo.en-us/**"
        ]
      }
    ],
    "overwrite": [],
    "externalReference": [],
    "globalMetadata": {
      "breadcrumb_path": "/windows/sv/breadcrumb/toc.json",
      "extendBreadcrumb": true,
      "feedback_system": "None"
    },
    "fileMetadata": {},
    "template": [],
    "dest": "SV",
    "markdownEngineName": "markdig"
  }
 }
--- a/windows/sv/index.md
+++ b/windows/sv/index.md
@ -1,16 +0,0 @@
 ---
 title: No title
 description: No description
 keywords: ["Windows 10"]
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 audience: itpro
 author: greg-lindsay
 ms.author: greglin
 manager: laurawi
 ms.localizationpriority: high
 ms.topic: article
 ---
 # _
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@ -1,19 +1,33 @@
- name: What's new in Windows 10
+- name: What's new in Windows
  href: index.yml
- name: What's new in Windows 10, version 21H1
+- name: Windows 11
-  href: whats-new-windows-10-version-21H1.md
+  expanded: true
- name: What's new in Windows 10, version 20H2
+  items:
-  href: whats-new-windows-10-version-20H2.md
+    - name: Windows 11 overview
- name: What's new in Windows 10, version 2004
+      href: windows-11.md
-  href: whats-new-windows-10-version-2004.md
+    - name: Windows 11 requirements
- name: What's new in Windows 10, version 1909
+      href: windows-11-requirements.md
-  href: whats-new-windows-10-version-1909.md
+    - name: Plan for Windows 11
- name: What's new in Windows 10, version 1903
+      href: windows-11-plan.md
-  href: whats-new-windows-10-version-1903.md
+    - name: Prepare for Windows 11
- name: What's new in Windows 10, version 1809
+      href: windows-11-prepare.md
-  href: whats-new-windows-10-version-1809.md
+- name: Windows 10
  expanded: true
  items:
    - name: What's new in Windows 10, version 21H1
      href: whats-new-windows-10-version-21H1.md
    - name: What's new in Windows 10, version 20H2
      href: whats-new-windows-10-version-20H2.md
    - name: What's new in Windows 10, version 2004
      href: whats-new-windows-10-version-2004.md
    - name: What's new in Windows 10, version 1909
      href: whats-new-windows-10-version-1909.md
    - name: What's new in Windows 10, version 1903
      href: whats-new-windows-10-version-1903.md
 - name: Previous versions
  items:
    - name: What's new in Windows 10, version 1809
      href: whats-new-windows-10-version-1809.md
    - name: What's new in Windows 10, version 1803
      href: whats-new-windows-10-version-1803.md
    - name: What's new in Windows 10, version 1709
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@ -3,8 +3,8 @@
    "content": [
      {
        "files": [
-          "**/*.md",
+          "**/**/*.md",
-          "**/*.yml"
+          "**/**/*.yml"
        ],
        "exclude": [
          "**/obj/**",
@ -19,9 +19,9 @@
    "resource": [
      {
        "files": [
-          "**/*.png",
+          "**/**/*.png",
-          "**/*.jpg",
+          "**/**/*.jpg",
-          "**/*.gif"
+          "**/**/*.gif"
        ],
        "exclude": [
          "**/obj/**",
@ -34,7 +34,6 @@
    "globalMetadata": {
      "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
      "uhfHeaderId": "MSDocsHeader-M365-IT",
      "ms.technology": "windows",
      "ms.topic": "article",
      "audience": "ITPro",
      "feedback_system": "GitHub",
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@ -1,11 +1,11 @@
 ### YamlMime:Landing
-title: What's new in Windows 10 # < 60 chars
+title: What's new in Windows # < 60 chars
-summary: Find out about new features and capabilities in the latest release of Windows 10.  # < 160 chars
+summary: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11.  # < 160 chars
 metadata:
-  title: What's new in Windows 10 # Required; page title displayed in search results. Include the brand. < 60 chars.
+  title: What's new in Windows # Required; page title displayed in search results. Include the brand. < 60 chars.
-  description: Find out about new features and capabilities in the latest release of Windows 10. # Required; article description that is displayed in search results. < 160 chars.
+  description: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
  services: windows-10
  ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
  ms.subservice: subservice
@ -13,7 +13,7 @@ metadata:
  ms.collection: windows-10
  author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
  ms.author: greglin #Required; microsoft alias of author; optional team alias.
-  ms.date: 02/09/2021 #Required; mm/dd/yyyy format.
+  ms.date: 06/24/2021 #Required; mm/dd/yyyy format.
  localization_priority: medium
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@ -22,7 +22,21 @@ landingContent:
 # Cards and links should be based on top customer tasks or top subjects
 # Start card title with a verb
  # Card (optional)
-  - title: What's new in Windows 10
+
  - title: Windows 11
    linkLists:
      - linkListType: overview
        links:
          - text: Windows 11 overview
            url:  windows-11.md
          - text: Windows 11 requirements
            url: windows-11-requirements.md
          - text: Plan for Windows 11 
            url: windows-11-plan.md
          - text: Prepare for Windows 11 
            url: windows-11-prepare.md
  - title: Windows 10
    linkLists:
      - linkListType: overview
        links:
@ -36,8 +50,6 @@ landingContent:
            url: whats-new-windows-10-version-1909.md
          - text: What's new in Windows 10, version 1903
            url:  whats-new-windows-10-version-1903.md
          - text: What's new in Windows 10, version 1809
            url:  whats-new-windows-10-version-1809.md
  # Card (optional)
@ -45,11 +57,11 @@ landingContent:
    linkLists:
      - linkListType: overview
        links:
-          - text: Windows 10 release information
+          - text: Windows release information
            url: /windows/release-health/release-information
-          - text: Windows 10 release health dashboard
+          - text: Windows release health dashboard
            url: /windows/release-information/
-          - text: Windows 10 update history
+          - text: Windows update history
            url: https://support.microsoft.com/topic/windows-10-update-history-7dd3071a-3906-fa2c-c342-f7f86728a6e3
          - text: Windows 10 features we’re no longer developing
            url: /windows/deployment/planning/windows-10-deprecated-features
@ -57,13 +69,5 @@ landingContent:
            url: /windows/deployment/planning/windows-10-removed-features
          - text: Compare Windows 10 Editions
            url: https://go.microsoft.com/fwlink/p/?LinkId=690485
  # Card (optional)
  - title: See also
    linkLists:
      - linkListType: overview
        links:
          - text: Windows 10 Enterprise LTSC
            url: ltsc/index.md
          - text: Edit an existing topic using the Edit link
            url: contribute-to-a-topic.md
--- a/windows/whats-new/whats-new-windows-10-version-21H1.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H1.md
@ -47,7 +47,7 @@ For a full list of what's new in Microsoft Intune, see [What's new in Microsoft
 ### Windows Assessment and Deployment Toolkit (ADK)
-There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2.  For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
+There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1.  For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
 ## Device management
@ -60,7 +60,7 @@ Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a perf
 WDAG performance is improved with optimized document opening times:
 - An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (WDAG) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link.
- A memory issue is fixed that could casue a WDAG container to use almost 1 GB of working set memory when the container is idle.
+- A memory issue is fixed that could cause a WDAG container to use almost 1 GB of working set memory when the container is idle.
 - The performance of Robocopy is improved when copying files over 400 MB in size.
 ### Windows Hello
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@ -0,0 +1,122 @@
 ---
 title: Plan for Windows 11
 description: Windows 11 deployment planning, IT Pro content.
 keywords: ["get started", "windows 11", "plan"]
 ms.prod: w11
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: greg-lindsay
 ms.author: greglin
 ms.date: 06/24/2021
 ms.reviewer: 
 manager: laurawi
 ms.localizationpriority: high
 ms.topic: article
 ---
 # Plan for Windows 11
 **Applies to**
 -   Windows 11
 ## Deployment planning
 This article provides guidance to help you plan for Windows 11 in your organization.
 Since Windows 11 is built on the same foundation as Windows 10, you can use the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy that you use today for Windows 10. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows 11. 
 At a high level, this strategy should include the following steps:
 - [Create a deployment plan](/windows/deployment/update/create-deployment-plan)
 - [Define readiness criteria](/windows/deployment/update/plan-define-readiness)
 - [Evaluate infrastructure and tools](/windows/deployment/update/eval-infra-tools)
 - [Determine application readiness](/windows/deployment/update/plan-determine-app-readiness)
 - [Define your servicing strategy](/windows/deployment/update/plan-define-strategy)
 If you are looking for ways to optimize your approach to deploying Windows 11, or if deploying a new version of an operating system is not a familiar process for you, some items to consider are provided below. 
 ## Determine eligibility
 As a first step, you will need to know which of your current devices meet the Windows 11 hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows 11. Verify that your device meets or exceeds [Windows 11 requirements](windows-11-requirements.md) to ensure it is compatible.
 Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows 11. end-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  
 Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows 11 is generally available. Microsoft is also working with software publishing partners to facilitate adding Windows 11 device support into their solutions. 
 ## Windows 11 availability
 The availability of Windows 11 will vary according to a device's hardware and whether the device receives updates directly, or from a management solution that is maintained by an IT administrator. 
 ##### Managed devices
 Managed devices are devices that are under organization control. Managed devices include those managed by Microsoft Intune, Microsoft Endpoint Configuration Manager, or other endpoint management solutions. 
 If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows 11 using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have added benefits, such as:  
 - Ensuring that devices that don't meet the minimum hardware requirements are not automatically offered the Windows 11 upgrade. 
 - Additional insight into safeguard holds. While safeguard holds will function for Windows 11 devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows 11. 
 > [!NOTE]
 > If you use Windows Update for Business to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows 11. Deferrals are great for quality updates or to move to newer version of the same product (from example, from Windows 10, version 20H2 to 21H1), but they cannot migrate a device between products (from Windows 10 to Windows 11). <br>
 > Also, Windows 11 has a new End User License Agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new End User License Agreement on behalf of the end-users within your organization. 
 ##### Unmanaged devices
 Unmanaged devices are devices that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates.  
 Windows 11 will be offered to eligible Windows 10 devices beginning later in the 2021 calendar year. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows 11 once available** on products that are available for purchase. 
 The Windows 11 upgrade will be available initially on eligible, unmanaged devices to users who manually seek the upgrade through Windows Update. As with all Windows Update managed devices, the **Windows Update Settings** page will confirm when a device is eligible, and users can upgrade if they choose to.
 Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be used when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This process improves the update experience, and ensures that devices first nominated for updates are the devices likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. 
 ## Windows 11 readiness considerations 
 The recommended method to determine if your infrastructure, deployment processes, and management tools are ready for Windows 11 is to join the [Windows Insider Program for Business](https://insider.windows.com/for-business). As a participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), you can validate that your devices and applications work as expected, and explore new features.
 As you plan your endpoint management strategy for Windows 11, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization just yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows:
 - Create a [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview) (CMG) to manage Configuration Manager clients over the internet.
 - Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the Microsoft Endpoint Manager admin center. 
 - Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune. This allows you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview). 
 For more information on the benefits of these approaches, see [Cloud Attach Your Future: The Big 3](https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664). 
 The introduction of Windows 11 is also a good time to review your hardware refresh plans and prioritize eligible devices to ensure an optimal experience for your users.
 ## Servicing and support
 Along with end-user experience and security improvements, Windows 11 introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. 
 **Quality updates**: Windows 11 and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. 
 **Feature updates**: Microsoft will provide a single Windows 11 feature update annually, targeted for release in the second half of each calendar year. 
 **Lifecycle**:
 - Home, Pro, Pro for Workstations, and Pro for Education editions of Windows 11 will receive 24 months of support from the general availability date. 
 - Enterprise and Education editions of Windows 11 will be supported for 36 months from the general availability date.
 When Windows 11 reaches general availability, a consolidated Windows 11 update history will be available on support.microsoft.com, similar to what is [available today for Windows 10](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11). Similarly, the [Windows release health](/windows/release-health/) hub will offer quick access to Windows 11 servicing announcements, known issues, and safeguard holds. 
 It is important that organizations have adequate time to plan for Windows 11. Microsoft also recognizes that many organizations will have a mix of Windows 11 and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about the Windows 10 Semi-Annual Channel and Long-term Servicing Channel (LTSC) releases. 
 ## Application compatibility
 Microsoft's compatibility promise for Windows 10 is maintained for Windows 11. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for enterprise organizations, including line of business (LOB) apps. Microsoft remains committed to ensuring that the apps you rely upon continue to work as expected when you upgrade. Windows 11 is subject to the same app compatibility validation requirements that are in place for Windows 10 today, for both feature and quality updates.
 #### App Assure and Test Base for Microsoft 365
 If you run into compatibility issues or want to ensure that your organization's applications are compatible from day one, App Assure and Test Base for Microsoft 365 can help. 
 **App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows 11 can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. 
 **Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) (currently in private preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form.  
 You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows 11. 
 ## Next steps
 [Prepare for Windows 11](windows-11-prepare.md)
 ## Also see
 [Plan to deploy updates for Windows 10 and Microsoft 365 Apps](/learn/modules/windows-plan/)
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@ -0,0 +1,126 @@
 ---
 title: Prepare for Windows 11
 description: Prepare your infrastructure and tools to deploy Windows 11, IT Pro content.
 keywords: ["get started", "windows 11"]
 ms.prod: w11
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: greg-lindsay
 ms.author: greglin
 ms.date: 06/24/2021
 ms.reviewer: 
 manager: laurawi
 ms.localizationpriority: high
 ms.topic: article
 ---
 # Prepare for Windows 11
 **Applies to**
 -   Windows 11
 Windows 10 and Windows 11 are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. Using a single management infrastructure that supports common applications across both Windows 10 and Windows 11 helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows 11 deployments in the same way that you do with Windows 10.
 After you evaluate your hardware to see if it meets [requirements](windows-11-requirements.md) for Windows 11, it's a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. This article provides some helpful guidance to accomplish these tasks.
 ## Infrastructure and tools
 The tools that you use for core workloads during Windows 10 deployments can still be used for Windows 11. A few nuanced differences are described below. 
  > [!IMPORTANT]
  > Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows 11, particularly if they provide security or data loss prevention capabilities. 
 #### On-premises solutions
 - If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well.
  > [!NOTE]
  > During deployment, you will be prompted to agree to the End User License Agreement on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture.
 - If you use Microsoft Endpoint Configuration Manager, you can sync the new **Windows 11** product category and begin upgrading eligible devices. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well.  
  > [!NOTE]
  > Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. 
 #### Cloud-based solutions
 - If you use Windows Update for Business Group Policy or Configuration Service Provider (CSP) policies, you will need to use the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows 11. Feature update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows 11). 
 - Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies.
 - If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use feature update deployments to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. 
 ## Cloud-based management
 If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Endpoint Manager can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end-user privacy.  
 The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them: 
 - **Provision and pre-configure new Windows 11 devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows 11 devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. 
 - **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows 11 and Windows 10. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. 
 - **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows 11 by using Microsoft Endpoint Manager. 
 If you are exclusively using an on-premises device management solution (for example, Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date. 
 ## Review servicing approach and policies
 Every organization will transition to Windows 11 at its own pace. Microsoft is committed to supporting you through your migration to Windows 11, whether you are a fast adopter or will make the transition over the coming months or years. 
 When you think of operating system updates as an ongoing process, you will automatically improve your ability to deploy updates. This approach enables you to stay current with less effort, and less impact on productivity. To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. 
 Next, craft a deployment plan for Windows 11 that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: 
 - Preview (first or canary): Planning and development 
 - Limited (fast or early adopters): Pilot and validation 
 - Broad (users or critical): Wide deployment 
 For detailed information, see [Create a deployment plan](/windows/deployment/update/create-deployment-plan).  
 #### Review policies
 Review deployment-related policies, taking into consideration your organization's security objectives, update compliance deadlines, and device activity. Apply changes where you can gain a clear improvement, particularly with regard to the speed of the update process or security. 
 #### Validate apps and infrastructure
 To validate that your apps, infrastructure, and deployment processes are ready for Windows 11, join the [Windows Insider Program for Business](https://insider.windows.com/for-business-getting-started), and opt in to the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel).  
 If you use Windows Server Update Services, you can deploy directly from the Windows Insider Pre-release category using one of the following processes:
 - Set **Manage Preview Builds** to **Release Preview** in Windows Update for Business. 
 - Leverage Azure Virtual Desktop and Azure Marketplace images. 
 - Download and deploy ISOs from Microsoft’s Windows Insider Program ISO Download page. 
 Regardless of the method you choose, you have the benefit of free Microsoft support when validating pre-release builds. Free support is available to any commercial customer deploying Windows 10 or Windows 11 Preview Builds, once they become available through the Windows Insider Program. 
 #### Analytics and assessment tools 
 If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows 11 upgrade.
 ## Prepare a pilot deployment
 A pilot deployment is a proof of concept that rolls out an upgrade to a select number of devices in production, before deploying it broadly across the organization.  
 At a high level, the tasks involved are: 
 1. Assign a group of users or devices to receive the upgrade. 
 2. Implement baseline updates. 
 3. Implement operational updates. 
 4. Validate the deployment process. 
 5. Deploy the upgrade to devices. 
 6. Test and support the pilot devices. 
 7. Determine broad deployment readiness based on the results of the pilot. 
 ## End-user readiness
 Do not overlook the importance of end-user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11: 
 - Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they will see the changes. 
 - Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. 
 - Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. 
 ## Learn more
 See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path on Microsoft Learn. 
 - The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11.  
 ## See also
 [Plan for Windows 11](windows-11-plan.md)<br>
 [Windows help & learning](https://support.microsoft.com/windows)
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@ -0,0 +1,90 @@
 ---
 title: Windows 11 requirements
 description: Hardware requirements to deploy Windows 11
 ms.reviewer: 
 manager: laurawi
 ms.audience: itpro
 author: greg-lindsay
 ms.author: greglin
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: medium
 audience: itpro
 ms.topic: article
 ms.custom: seo-marvel-apr2020
 ---
 # Windows 11 requirements
 **Applies to**
 -   Windows 11
 This article lists the system requirements for Windows 11. Windows 11 is also supported on a virtual machine (VM). 
 ## Hardware requirements
 To install or upgrade to Windows 11, devices must meet the following minimum hardware requirements:
 - Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC).
 - RAM: 4 gigabytes (GB) or greater.
 - Storage: 64 GB\* or greater available storage is required to install Windows 11.
  - Additional storage space might be required to download updates and enable specific features.
 - Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver.
 - System firmware: UEFI, Secure Boot capable.
 - TPM: [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-overview) (TPM) version 2.0.
 - Display: High definition (720p) display, 9" or greater monitor, 8 bits per color channel.
 - Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features. 
  - Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use.
 \* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows 11 up-to-date](https://www.microsoft.com/windows/windows-10-specifications#primaryR5).
 For information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility).
 ## Operating system requirements
 For the best Windows 11 upgrade experience, eligible devices should be running Windows 10, version 20H1 or later.
 > [!NOTE]
 > S mode is only supported on the Home edition of Windows 11.
 > If you are running a different edition of Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.<br>&nbsp;<br>
 > Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later.
 ## Feature-specific requirements
 Some features in Windows 11 have requirements beyond those listed above. See the following list of features and associated requirements.
 - **5G support**: requires 5G capable modem.
 - **Auto HDR**: requires an HDR monitor.
 - **BitLocker to Go**: requires a USB flash drive. This feature is available in Windows Pro and above editions. 
 - **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. 
 - **Cortana**: requires a microphone and speaker and is currently available on Windows 11 for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States.
 - **DirectStorage**: requires an NVMe SSD to store and run games that use the Standard NVM Express Controller driver and a DirectX12 GPU with Shader Model 6.0 support.
 - **DirectX 12 Ultimate**: available with supported games and graphics chips.
 - **Presence**: requires sensor that can detect human distance from device or intent to interact with device.
 - **Intelligent Video Conferencing**: requires video camera, microphone, and speaker (audio output) 
 - **Multiple Voice Assistant**: requires a microphone and speaker.
 - **Snap**: three-column layouts require a screen that is 1920 effective pixels or greater in width.
 - **Mute** and **unmute**: from Taskbar requires video camera, microphone, and speaker (audio output). App must be compatible with feature to enable global mute/unmute.
 - **Spatial Sound**: requires supporting hardware and software.
 - **Microsoft Teams**: requires video camera, microphone, and speaker (audio output).
 - **Touch**: requires a screen or monitor that supports multi-touch.
 - **Two-factor authentication**: requires use of PIN, biometric (fingerprint reader or illuminated infrared camera), or a phone with Wi-Fi or Bluetooth capabilities.
 - **Voice Typing**: requires a PC with a microphone.
 - **Wake on Voice**: requires Modern Standby power model and microphone.
 - **Wi-Fi 6E**: requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router.
 - **Windows Hello**: requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103).
 - **Windows Projection**: requires a display adapter that supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct.
 - **Xbox app**: requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription.
 ## Next steps
 [Plan for Windows 11](windows-11-plan.md)<br>
 [Prepare for Windows 11](windows-11-prepare.md)
 ## See also
 [Windows 11 overview](windows-11.md)
--- a/windows/whats-new/windows-11.md
+++ b/windows/whats-new/windows-11.md
@ -0,0 +1,86 @@
 ---
 title: Windows 11 overview
 description: Overview of Windows 11
 ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
 ms.reviewer: 
 manager: laurawi
 ms.audience: itpro
 author: greg-lindsay
 ms.author: greglin
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: medium
 audience: itpro
 ms.topic: article
 ms.custom: seo-marvel-apr2020
 ---
 # Windows 11 overview
 **Applies to**
 -   Windows 11
 This article provides an introduction to Windows 11, and answers some frequently asked questions.
 Also see the following articles to learn more about Windows 11: 
 - [Windows 11 requirements](windows-11-requirements.md): Requirements to deploy Windows 11.
 - [Plan for Windows 11](windows-11-plan.md): Information to help you plan for Windows 11 in your organization.
 - [Prepare for Windows 11](windows-11-prepare.md): Procedures to ensure readiness to deploy Windows 11.
 ## Introduction
 Windows 11 is the next evolution of Windows; it is the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end-user productivity in a fresh experience that is flexible and fluid. Windows 11 is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows operating system ever. 
 Windows 11 is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows 11 also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows 11.
 ## How to get Windows 11
 Windows 11 will be delivered as an upgrade to eligible devices running Windows 10, beginning later in the 2021 calendar year. Windows 11 will also be available on eligible new devices.
 For administrators managing devices on behalf of their organization, Windows 11 will be available through the same, familiar channels that you use today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Manager, and Windows Autopilot. For more information, see [Plan for Windows 11](windows-11-plan.md).
 For devices that are not managed by an organization, the Windows 11 upgrade will be offered to eligible Windows 10 devices through Windows Update using Microsoft's intelligent rollout process to ensure a smooth upgrade experience. 
 For more information about device eligibility, see [Windows 11 requirements](windows-11-requirements.md).
 If you are interested in testing Windows 11 before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows 11 by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS).
 ## Before you begin
 The following sections provide a quick summary of licensing, compatibility, management, and servicing considerations to help you get started with Windows 11.  
 #### Licensing
 There are no unique licensing requirements for Windows 11 beyond what is required for Windows 10 devices.
 Microsoft 365 licenses that include Windows 10 licenses will permit you to run Windows 11 on supported devices. If you have a volume license, it will equally cover Windows 11 and Windows 10 devices before and after upgrade.
 #### Compatibility
 Most accessories and associated drivers that work with Windows 10 are expected to work with Windows 11. Check with your accessory manufacturer for specific details.
 Windows 11 preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows 11. For more information, see [Application compatibility](windows-11-plan.md#application-compatibility).
 #### Familiar processes
 Windows 11 is built on the same foundation as Windows 10. Typically, you can use the same tools and solutions you use today to deploy, manage, and secure Windows 11. Your current management tools and processes will also work to manage monthly quality updates for both Windows 10 and Windows 11.
 > [!IMPORTANT]
 > Check with the providers of any non-Microsoft security and management solutions that you use to ensure compatibility with Windows 11, particularly those providing security or data loss prevention capabilities.  
 For more information, see [Prepare for Windows 11](windows-11-prepare.md).
 #### Servicing Windows 11
 Like Windows 10, Windows 11 will receive monthly quality updates. However, it will have a new feature update cadence. Windows 11 feature updates will be released once per year. 
 When Windows 11 reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the [Windows release health](https://aka.ms/windowsreleasehealth) hub. Monthly release notes will also be available from a consolidated Windows 11 update history page at that time. For more information, see [Servicing and support](windows-11-plan.md#servicing-and-support). 
 ## Next steps
 [Windows 11 requirements](windows-11-requirements.md)<br>
 [Plan for Windows 11](windows-11-plan.md)<br>
 [Prepare for Windows 11](windows-11-prepare.md)