Merge branch 'main' into v-alemieux-working

.openpublishing.redirection.json

@@ -19654,6 +19654,26 @@
      "source_path": "windows/configuration/windows-10-accessibility-for-ITPros.md",
      "redirect_url": "/windows/configuration/windows-accessibility-for-ITPros",
      "redirect_document_id": false
+     },
+     {
+       "source_path": "education/windows/take-a-test-multiple-pcs.md",
+       "redirect_url": "/education/windows/edu-take-a-test-kiosk-mode",
+       "redirect_document_id": false
+     },
+     {
+       "source_path": "education/windows/take-a-test-single-pc.md",
+       "redirect_url": "/education/windows/take-tests-in-windows",
+       "redirect_document_id": false
+     },
+     {
+       "source_path": "education/windows/take-tests-in-windows-10.md",
+       "redirect_url": "/education/windows/take-tests-in-windows",
+       "redirect_document_id": false
+     },
+     {
+       "source_path": "education/windows/change-history-edu.md",
+       "redirect_url": "/education/windows",
+       "redirect_document_id": false
      }
   ]
 }

education/index.yml

@@ -23,7 +23,7 @@ productDirectory:
     # Card    
     - title: Phase 1 - Cloud deployment
       imageSrc: ./images/EDU-Deploy.svg
-      summary: Create your Microsoft 365 tenant, secure and configure your environment, sync your active directry and SIS, and license users.
+      summary: Create your Microsoft 365 tenant, secure and configure your environment, sync your Active Directory and SIS, and license users.
       url: /microsoft-365/education/deploy/create-your-office-365-tenant
     # Card
     - title: Phase 2 - Device management

education/windows/TOC.yml

@@ -12,8 +12,10 @@ items:
       items:
       - name: Overview
         href: windows-11-se-overview.md
-      - name: Settings and CSP list
+      - name: Settings list
         href: windows-11-se-settings-list.md
+      - name: Frequently Asked Questions (FAQ)
+        href: windows-11-se-faq.yml
     - name: Windows in S Mode
       items:
       - name: Test Windows 10 in S mode on existing Windows 10 education devices
@@ -27,19 +29,15 @@ items:
     - name: Windows 10 configuration recommendations for education customers
       href: configure-windows-for-education.md
     - name: Take tests and assessments in Windows
-      href: take-tests-in-windows-10.md
+      href: take-tests-in-windows.md
 - name: How-to-guides
-  items:
-    - name: Configure education features
   items:
     - name: Configure education themes
       href: edu-themes.md
     - name: Configure Stickers
       href: edu-stickers.md
-        - name: Configure Take a Test on a single PC
-          href: take-a-test-single-pc.md
-        - name: Configure a Test on multiple PCs
-          href: take-a-test-multiple-pcs.md
+    - name: Configure Take a Test in kiosk mode
+      href: edu-take-a-test-kiosk-mode.md
     - name: Use the Set up School PCs app
       href: use-set-up-school-pcs-app.md
     - name: Change Windows edition
@@ -96,8 +94,6 @@ items:
         href: set-up-school-pcs-provisioning-package.md
       - name: What's new in Set up School PCs
         href: set-up-school-pcs-whats-new.md
-    - name: Take a Test app technical reference
+    - name: Take a Test technical reference
       href: take-a-test-app-technical.md
-    - name: Change history for Windows 10 for Education
-      href: change-history-edu.md
       

education/windows/change-history-edu.md

@@ -1,156 +0,0 @@
----
-title: Change history for Windows 10 for Education (Windows 10)
-description: New and changed topics in Windows 10 for Education
-keywords: Windows 10 education documentation, change history
-ms.prod: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: edu
-ms.collection: education
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 08/10/2022
-ms.reviewer: 
-manager: aaroncz
-appliesto:
-- ✅ <b>Windows 10</b>
----
-# Change history for Windows 10 for Education
-
-This topic lists new and updated topics in the [Windows 10 for Education](index.yml) documentation.
-
-## May 2019
-
-|New or changed topic | Description|
-|-----------|-------------|
-|[Windows 10 Subscription Activation](/windows/deployment/windows-10-subscription-activation)|Subscription activation support for Windows 10 Pro Education to Windows 10 Education|
-
-## April 2018
-New or changed topic | Description
---- | ---
-[Windows 10 Pro in S mode for Education](s-mode-switch-to-edu.md) | Created a new topic on S mode for Education. |
-[Change to Windows 10 Education from Windows 10 Pro](change-to-pro-education.md) | Updated sections referencing S mode.
-
-## March 2018
-
-New or changed topic | Description
---- | ---
-[Reset devices with Autopilot Reset](autopilot-reset.md) | Added section for troubleshooting Autopilot Reset.
-
-## November 2017
-
-| New or changed topic | Description |
-| --- | ---- |
-| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the list of device manufacturers. |
-| [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. |
-| [Set up Take a Test on a single PC](take-a-test-single-pc.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. |
-| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a note that the Alt+F4 key combination for enabling students to exit the test is disabled in Windows 10, version 1703 (Creators Update) and later. Also added more information about the Ctrl+Alt+Del key combination. |
-
-## RELEASE: Windows 10, version 1709 (Fall Creators Update)
-
-| New or changed topic | Description |
-| --- | ---- |
-| [Reset devices with Autopilot Reset](autopilot-reset.md) | New. Learn how you can use this new feature to quickly reset student PCs from the lock screen and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use and returned to a fully configured or known IT-approved state. |
-| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the *Go back to your previous edition of Windows 10* section with new information on how to work around cases where Win32 apps are blocked after switching from Windows 10 S back to your previous Windows edition. |
-| [Take a Test app technical reference](take-a-test-app-technical.md) | Updated. Starting with Windows 10, version 1709 (Fall Creators Update), assessments can now run in permissive mode. This mode enables students who need access to other apps, like accessibility tools, to use the apps. |
-
-## September 2017
-
-| New or changed topic | Description |
-| --- | ---- |
-| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated the prerequisites to provide more clarification. |
-
-## August 2017
-
-| New or changed topic | Description |
-| --- | ---- |
-| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | New. Find out how you can test Windows 10 S on various Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us. |
-| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated the instructions to reflect the new or updated functionality in the latest version of the app. |
-
-## July 2017
-
-| New or changed topic | Description |
-| --- | ---- |
-| [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-for-education.md)  | New information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices.  |
-| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Added the how-to video, which shows how to use the app to create a provisioning package that you can use to set up school PCs. |
-| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a Group Policy section to inform you of any policies that affect the Take a Test app or functionality within the app. |
-
-## June 2017
-
-| New or changed topic | Description |
-| --- | ---- |
-| [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md)  | Includes the following updates:</br></br> - New configuration guidance for IT administrators to enable students and school personnel, who use assistive technology apps not available in the Microsoft Store for Education and use devices running Windows 10 S, to be successful in the classroom and in their jobs.</br> - New configuration information when using Windows 10 S for education. |
-| [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)  | New configuration guidance for IT administrators to enable students and school personnel, who use assistive technology apps not available in the Microsoft Store for Education and use devices running Windows 10 S, to be successful in the classroom and in their jobs. |
-| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated the recommended apps section to include information about Office 365 for Windows 10 S (Education Preview). |
-
-## May 2017
-
-| New or changed topic | Description |
-| --- | ---- |
-| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt in to a free switch to Windows 10 Pro Education. |
-| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated. Now includes network tips and updated step-by-step instructions that show the latest updates to the app such as Wi-Fi setup. |
-
-## RELEASE: Windows 10, version 1703 (Creators Update)
-
-| New or changed topic | Description|
-| --- | --- |
-| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](/microsoft-365/education/deploy/) | New. Learn how you can quickly and easily use the new Microsoft Education system to implement a full IT cloud solution for your school. |
-| [Microsoft Education documentation and resources](/education) | New. Find links to more content for IT admins, teachers, students, and education app developers. |
-| [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md)  | New. Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school. |
-| [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)  | Updated the screenshots and related instructions to reflect the current UI and experience.  |
-| [Set up Windows devices for education](set-up-windows-10.md) | Updated for Windows 10, version 1703. |
-| Set up School PCs app: </br> [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md) </br> [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated. Describes the school-specific settings and policies that Set up School PC configures. Also provides step-by-step instructions for using the latest version of the app to create a provisioning package that you can use to set up student PCs. |
-| Set up using Windows Configuration Designer: </br> [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md) </br> [Provision student PCs with apps](set-up-students-pcs-with-apps.md) | Updated the information for Windows 10, version 1703. |
-| [Take tests in Windows 10](take-tests-in-windows-10.md) </br> [Set up Take a Test on a single PC](take-a-test-single-pc.md) </br> [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) </br> [Take a Test app technical reference](take-a-test-app-technical.md) | Updated. Includes new information on ways you can set up the test account and assessment URL and methods for creating and distributing the link. Methods available to you vary depending on whether you're setting up Take a Test on a single PC or multiple PCs. |
-
-## January 2017
-
-| New or changed topic | Description |
-| --- | --- |
-| [For IT administrators - get Minecraft: Education Edition](school-get-minecraft.md) | Updates. Learn how schools can use invoices to pay for Minecraft: Education Edition. |
-
-## December 2016
-
-| New or changed topic | Description |
-| --- | --- |
-| [Upgrade Windows 10 Pro to Pro Education from Microsoft Store for Business] | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. As of May 2017, this topic has been replaced with [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). |
-
-## November 2016
-
-| New or changed topic | Description|
-| --- | --- |
-| [Working with Microsoft Store for Business – education scenarios](education-scenarios-store-for-business.md)  | New. Learn about education scenarios for Microsoft Store for Business.  |
-| [For teachers - get Minecraft: Education Edition](teacher-get-minecraft.md)  | Updates. Subscription support for Minecraft: Education Edition.  |
-| [For IT administrators - get Minecraft: Education Edition](school-get-minecraft.md)  | Updates. Subscription support for Minecraft: Education Edition.  |
-
-
-## RELEASE: Windows 10, version 1607 (Anniversary Update)
-The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
-
-- [Set up Windows 10](set-up-windows-10.md)
-- [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
-- [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
-- [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
-
-## July 2016
-
-| New or changed topic | Description|
-| --- | --- |
-| [Windows 10 editions for education customers](windows-editions-for-education-customers.md)  | New. Learn about the two editions in Windows 10, version 1607 that's designed for the needs of K-12 institutions. |
-|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New. Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, AD DS, and Microsoft Azure AD, use Configuration Manager, Intune, and Group Policy to manage devices. |
-
-## June 2016
-
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Get Minecraft Education Edition](get-minecraft-for-education.md) </br> [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md) </br> [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) | New. Learn how to get and distribute Minecraft: Education Edition. |
-
-## May 2016
-
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | New. Learn how the Set up School PCs app works and how to use it.  |
-| [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New. Describes the changes that the Set up School PCs app makes to a PC.  |
-| [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md) </br> [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md) </br> [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md) </br> [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New. Learn how to set up and use the Take a Test app. |
-| [Chromebook migration guide](chromebook-migration-guide.md)  | Moved from [Windows 10 and Windows 10 Mobile](/windows/deployment/planning/) library, originally published in November 2015 |
-| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)  |  Moved from [Windows 10 and Windows 10 Mobile](/windows/deployment/planning/) library, originally published in May 2016 |

education/windows/deploy-windows-10-overview.md

@@ -47,7 +47,7 @@ Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-base
 
 Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.
 
-**[Take tests in Windows 10](take-tests-in-windows-10.md)**
+**[Take tests in Windows](take-tests-in-windows.md)**
 
 Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.
 

education/windows/edu-stickers.md

@@ -37,23 +37,23 @@ Stickers aren't enabled by default. Follow the instructions below to configure y
 
 #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
 
-To enable Stickers using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
+To configure devices using Microsoft Intune, create a [custom policy][MEM-1] with the following settings:
 
 | Setting |
 |--------|
 | <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
 
-Assign the policy to a security group that contains as members the devices or users that you want to enable Stickers on.
+Assign the policy to a security group that contains as members the devices or users that you want to configure.
 
 #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
 
-To configure Stickers using a provisioning package, use the following settings:
+To configure devices using a provisioning package, [create a provisioning package][WIN-1] using Windows Configuration Designer (WCD) with the following settings:
 
 | Setting |
 |--------|
 | <li> Path: **`Education/AllowStickers`** </li><li>Value: **True**</li>|
 
-Apply the provisioning package to the devices that you want to enable Stickers on.
+Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created.
 
 ---
 
@@ -75,3 +75,6 @@ Select the *X button* at the top of the screen to save your progress and close t
 -----------
 
 [MEM-1]: /mem/intune/configuration/custom-settings-windows-10
+
+[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
+[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package

education/windows/edu-take-a-test-kiosk-mode.md

@@ -0,0 +1,235 @@
+---
+title: Configure Take a Test in kiosk mode
+description: Description of how to configure Windows to execute the Take a Test app in kiosk mode, using Intune and provisioning packages.
+ms.date: 09/30/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: how-to
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ <b>Windows 10</b>
+- ✅ <b>Windows 11</b>
+- ✅ <b>Windows 11 SE</b>
+---
+
+# Configure Take a Test in kiosk mode
+
+Executing Take a Test in kiosk mode is the recommended option for high stakes assessments, such as mid-term exams. In this mode, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. Students must sign in using a test-taking account.
+
+The configuration of Take a Test in kiosk mode can be done using:
+
+- Microsoft Intune/MDM
+- a provisioning package (PPKG)
+- PowerShell
+- the Settings app
+
+When using the Settings app, you can configure Take a Test in kiosk mode using a local account only. This option is recommended for devices that aren't managed.
+The other options allow you to configure Take a Test in kiosk mode using a local account, an account defined in the directory, or a guest account.
+
+> [!TIP]
+> While you could create a single account in the directory to be the dedicated test-taking account, it is recommended to use a guest account. This way, you don't get into a scenario where the testing account is locked out due to bad password attempts or other factors.
+>
+> An additional benefit of using a guest account, is that your students don't have to type a password to access the test.
+
+Follow the instructions below to configure your devices, selecting the option that best suits your needs.
+
+#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
+
+You can use Intune for Education or a custom profile in Microsoft Intune:
+
+- Intune for Education provides a simpler experience
+- A custom profile provides more flexibility and controls over the configuration
+
+> [!IMPORTANT]
+> Currently, the policy created in Intune for Education is applicable to Windows 10 and Windows 11 only. **It will not apply to Windows 11 SE devices.**
+>
+> If you want to configure Take a Test for Windows 11 SE devices, you must use a custom policy.
+
+### Configure Take a Test from Intune for Education
+
+To configure devices using Intune for Education, follow these steps:
+
+1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
+1. Select **Groups** > Pick a group to configure Take a Test for
+1. Select **Windows device settings**
+1. Expand the **Take a Test profiles** category and select **+ Assign new Take a Test profile**
+1. Specify a **Profile Name**, **Account Name**, **Assessment URL** and, optionally, **Description** and options allowed during the test
+1. Select **Create and assign profile**
+
+:::image type="content" source="./images/takeatest/intune-education-take-a-test-profile.png" alt-text="Intune for Education - creation of a Take a Test profile." lightbox="./images/takeatest/intune-education-take-a-test-profile.png" border="true":::
+
+### Configure Take a Test with a custom policy
+
+To configure devices using Microsoft Intune, create a [custom policy][MEM-1] with the following settings:
+
+| Setting |
+|--------|
+| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn`** </li><li> Data type: **Integer** </li><li>Value: **1**</li>|
+| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/WindowsLogon/HideFastUserSwitching`** </li><li> Data type: **Integer**</li><li>Value: **1**</li>|
+| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/AccountModel`**</li><li>Data type: **Integer** </li><li> Value: **1**</li>|
+| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/EnableAccountManager`**</li><li>Data type: **Boolean** </li><li> Value: **True**</li>|
+| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/KioskModeAUMID`**</li><li>Data type: **String** </li><li> Value: **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**</li>|
+| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/KioskModeUserTileDisplayText`** </li><li>Data type: **String** </li><li> Value: **Take a Test** (or a string of your choice to display in the sing-in screen)</li>|
+| <li> OMA-URI: **`./Vendor/MSFT/SecureAssessment/LaunchURI`** </li><li>Data type: **String** </li><li> Value: **\<provide testing URL>**</li>|
+
+:::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true":::
+
+Assign the policy to a security group that contains as members the devices or users that you want to configure.
+
+#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
+
+To create a provisioning package, you can either use Set up School PCs or Windows Configuration Designer:
+
+- Set up School PCs provides a simpler, guided experience
+- Windows Configuration Designer provides more flexibility and controls over the configuration
+
+### Create a provisioning package using Set up School PCs
+
+Create a provisioning package using the Set up School PCs app, configuring the settings in the **Set up the Take a Test app** page.
+
+:::image type="content" source="./images/takeatest/suspcs-take-a-test.png" alt-text="Set up School PCs app - Take a test page" lightbox="./images/takeatest/suspcs-take-a-test.png" border="true":::
+
+### Create a provisioning package using Windows Configuration Designer
+
+[Create a provisioning package][WIN-1] using Windows Configuration Designer with the following settings:
+
+| Setting |
+|--------|
+| <li> Path: **`Policies/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn`** </li><li>Value: **Enabled**</li>|
+| <li> Path: **`Policies/WindowsLogon/HideFastUserSwitching`** </li><li>Value: **True**</li>|
+| <li> Path: **`SharedPC/AccountManagement/AccountModel`** </li><li>Value: **Domain-joined only**</li>|
+| <li> Path: **`SharedPC/AccountManagement/EnableAccountManager`** </li><li>Value: **True**</li>|
+| <li> Path: **`SharedPC/AccountManagement/KioskModeAUMID`** </li><li>Value: **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**</li>|
+| <li> Path: **`SharedPC/AccountManagement/KioskModeUserTileDisplayText`** </li><li>Value: **Take a Test** (or a string of your choice to display in the sing-in screen)</li>|
+| <li> Path: **`TakeATest/LaunchURI/`** </li><li>Value: **\<provide testing URL>**</li>|
+
+:::image type="content" source="./images/takeatest/wcd-take-a-test.png" alt-text="Windows Configuration Designer - configuration of policies to enable Take a Test to run in kiosk mode" lightbox="./images/takeatest/wcd-take-a-test.png" border="true":::
+
+Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created.
+
+#### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell)
+
+Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). For more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).
+
+> [!TIP]
+> PowerShell scripts can be executed as scheduled tasks via Group Policy.
+
+> [!IMPORTANT]
+> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account.
+>
+> To test a PowerShell script, you can:
+> 1. [Download the psexec tool](/sysinternals/downloads/psexec)
+> 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
+> 1. Run the script in the PowerShell session
+
+Edit the following sample PowerShell script to:
+
+- Customize the assessment URL with **$testURL**
+- Change the kiosk user tile name displayed in the sign-in screen with **$userTileName**
+
+```powershell
+$testURL = "https://contoso.com/algebra-exam"
+$userTileName = "Take a Test"
+$namespaceName = "root\cimv2\mdm\dmmap"
+$ParentID="./Vendor/MSFT/Policy/Config"
+
+#Configure SharedPC
+$className = "MDM_SharedPC"
+$instance = "SharedPC"
+$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className
+if (-not ($cimObject)) {
+   $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
+}
+$cimObject.AccountModel = 1
+$cimObject.EnableAccountManager = $true
+$cimObject.KioskModeAUMID = "Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App"
+$cimObject.KioskModeUserTileDisplayText = $userTileName
+Set-CimInstance -CimInstance $cimObject
+
+#Configure SecureAssessment
+$className = "MDM_SecureAssessment"
+$instance = "SecureAssessment"
+$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className
+if (-not ($cimObject)) {
+   $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
+}
+$cimObject.LaunchURI= $testURL
+Set-CimInstance -CimInstance $cimObject
+
+#Configure interactive logon
+$className = "MDM_Policy_Config01_LocalPoliciesSecurityOptions02"
+$instance = "LocalPoliciesSecurityOptions"
+$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className
+if (-not ($cimObject)) {
+   $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
+}
+$cimObject.InteractiveLogon_DoNotDisplayLastSignedIn = 1
+Set-CimInstance -CimInstance $cimObject
+
+#Configure Windows logon
+$className = "MDM_Policy_Config01_WindowsLogon02"
+$instance = "WindowsLogon"
+$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className
+if (-not ($cimObject)) {
+   $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
+}
+$cimObject.HideFastUserSwitching = 1
+Set-CimInstance -CimInstance $cimObject
+```
+
+#### [:::image type="icon" source="images/icons/windows-os.svg"::: **Settings app**](#tab/win)
+
+To create a local account, and configure Take a Test in kiosk mode using the Settings app:
+
+1. Sign into the Windows device with an administrator account
+1. Open the **Settings** app and select **Accounts** > **Other Users**
+1. Under **Other users**, select **Add account** > **I don't have this person's sign-in information** > **Add a user without a Microsoft account**
+1. Provide a user name and password for the account that will be used for testing
+   :::image type="content" source="./images/takeatest/settings-accounts-create-take-a-test-account.png" alt-text="Use the Settings app to create a test-taking account." border="true":::
+1. Select **Accounts > Access work or school**
+1. Select **Create a test-taking account**
+   :::image type="content" source="./images/takeatest/settings-accounts-set-up-take-a-test-account.png" alt-text="Use the Settings app to set up a test-taking account." border="true":::
+1. Under **Add an account for taking tests**, select **Add account** > Select the account created in step 4
+   :::image type="content" source="./images/takeatest/settings-accounts-choose-take-a-test-account.png" alt-text="Use the Settings app to choose the test-taking account." border="true":::
+1. Under **Enter the tests's web address**, enter the assessment URL
+1. Under **Test taking settings** select the options you want to enable during the test
+   - To enable printing, select **Require printing**
+
+      > [!NOTE]  
+      > Make sure a printer is pre-configured on the Take a Test account if you're enabling this option.
+
+   - To enable teachers to monitor screens, select **Allow screen monitoring**
+   - To allow text suggestions, select **Allow text suggestions**
+
+1. To take the test, a student must sign in using the test-taking account selected in step 4
+   :::image type="content" source="./images/takeatest/login-screen-take-a-test-single-pc.png" alt-text="Windows 11 SE login screen with the take a test account." border="true":::
+
+   > [!NOTE]  
+   > To sign-in with a local account on a device that is joined to Azure AD or Active Directory, you must prefix the username with either `<computername>\` or `.\`.
+
+---
+
+## How to use Take a Test in kiosk mode
+
+Once the devices are configured, a new user tile will be available in the sign-in screen. If selected, Take a Test will be executed in kiosk mode using the guest account, opening the assessment URL.
+
+## How to exit Take a Test
+
+To exit the Take a Test app at any time, press <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd>. You'll be prompted to sign out of the test-taking account, or return to the test. Once signed out, the device will be unlocked from kiosk mode and can be used as normal.
+
+The following animation shows the process of signing in to the test-taking account, taking a test, and exiting the test:
+
+:::image type="content" source="./images/takeatest/sign-in-sign-out.gif" alt-text="Signing in and signing out with a test account" border="true":::
+
+-----------
+
+[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
+[MEM-2]: /mem/intune/configuration/settings-catalog
+
+[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
+[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package

education/windows/edu-themes.md

@@ -31,23 +31,23 @@ Education themes aren't enabled by default. Follow the instructions below to con
 
 #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
 
-To enable education themes using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
+To configure devices using Microsoft Intune, create a [custom policy][MEM-1] with the following settings:
 
 | Setting |
 |--------|
 | <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
 
-Assign the policy to a security group that contains as members the devices or users that you want to enable education themes on.
+Assign the policy to a security group that contains as members the devices or users that you want to configure.
 
 #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
 
-To configure education themes using a provisioning package, use the following settings:
+To configure devices using a provisioning package, [create a provisioning package][WIN-1] using Windows Configuration Designer (WCD), with the following settings:
 
 | Setting |
 |--------|
 | <li> Path: **`Education/EnableEduThemes`** </li><li>Value: **True**</li>|
 
-Apply the provisioning package to the devices that you want to enable education themes on.
+Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created.
 
 ---
 
@@ -62,3 +62,6 @@ To change the theme, select **Settings** > **Personalization** > **Themes** > **
 -----------
 
 [MEM-1]: /mem/intune/configuration/custom-settings-windows-10
+
+[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
+[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package

education/windows/index.yml

@@ -83,9 +83,13 @@ landingContent:
     linkLists:
       - linkListType: concept
         links:
-        - text: Take tests and assessments
-          url: take-tests-in-windows-10.md
+        - text: Take tests and assessments in Windows
+          url: take-tests-in-windows.md
         - text: Change Windows editions
           url: change-home-to-edu.md
         - text: "Deploy Minecraft: Education Edition"
           url: get-minecraft-for-education.md
+      - linkListType: how-to-guide
+        links:
+        - text: Configure Take a Test in kiosk mode
+          url: edu-take-a-test-kiosk-mode.md

education/windows/set-up-windows-10.md

@@ -40,7 +40,7 @@ You can use the following diagram to compare the tools.
 
 ## Related topics
 
-[Take tests in Windows 10](take-tests-in-windows-10.md)
+[Take tests in Windows](take-tests-in-windows.md)
 
 [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
 

education/windows/take-a-test-app-technical.md

@@ -1,40 +1,41 @@
 ---
 title: Take a Test app technical reference
-description: The policies and settings applied by the Take a Test app.
-keywords: take a test, test taking, school, policies
+description: List of policies and settings applied by the Take a Test app.
+ms.date: 09/30/2022
 ms.prod: windows
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: edu
+ms.technology: windows
+ms.topic: reference
 ms.localizationpriority: medium
-ms.collection: education
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/10/2022
 ms.reviewer:
 manager: aaroncz
+ms.collection: education
 appliesto:
 - ✅ <b>Windows 10</b>
+- ✅ <b>Windows 11</b>
+- ✅ <b>Windows 11 SE</b>
 ---
 
 # Take a Test app technical reference
 
-Take a Test is an app that locks down the PC and displays an online assessment web page.   
+Take a Test is an application that locks down a device and displays an online assessment web page.
 
-Whether you're a teacher or IT administrator, you can easily configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment for more secure online assessments. This environment means that students taking the tests that don’t have copy/paste privileges, can’t access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher’s preferred assessment website to deliver digital assessments
+Whether you're a teacher or IT administrator, you can configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment. This environment means that students taking the tests that don't have copy/paste privileges, can't access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher's preferred assessment website to deliver digital assessments.
 
 Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](https://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test Javascript API](/windows/uwp/apps-for-education/take-a-test-api).
 
-## PC lockdown for assessment
+## PC lock-down for assessment
 
- When the assessment page initiates lock down, the student’s desktop will be locked and the app will be launched above the Windows lock screen to provide a sandbox that ensures the student can only interact with the Take a Test app . After transitioning to the lock screen, Take a Test will apply local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lockdown. The lockdown process is atomic, which means that if any part of the lockdown operation fails, the app won't be above lock and won't have any of the policies applied.  
+ When the assessment page initiates lock-down, the student's desktop will be locked and the app will be launched above the Windows lock screen to provide a sandbox that ensures the student can only interact with the Take a Test app. After transitioning to the lock screen, Take a Test will apply local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lock-down. The lock-down process is atomic, which means that if any part of the lock-down operation fails, the app won't be above lock and won't have any of the policies applied.  
 
 When running above the lock screen:
+
 - The app runs full screen with no chrome
 - The hardware print screen button is disabled
 - Depending on the parameter you set through the schema or dedicated account, content within the app will show up as black in screen capturing/sharing software
 - System clipboard is cleared
-- Web apps can query the processes currently running in the user’s device
+- Web apps can query the processes currently running in the user's device
 - Extended display shows up as black
 - Auto-fill is disabled
 
@@ -45,7 +46,7 @@ When Take a Test is running, the following MDM policies are applied to lock down
 | Policy | Description | Value |
 |---|---|---|
 | AllowToasts | Disables toast notifications from being shown | 0 |
-| AllowAppStoreAutoUpdate | Disables automatic updates for Microsoft Store apps that are installed on the PC | 0 |
+| AllowAppStoreAutoUpdate | Disables automatic updates for Store apps that are installed on the PC | 0 |
 | AllowDeviceDiscovery | Disables UI for screen sharing | 0 |
 | AllowInput Panel | Disables the onscreen keyboard, which will disable auto-fill | 0 |
 | AllowCortana | Disables Cortana functionality | 0 |
@@ -68,40 +69,41 @@ To ensure Take a Test activates correctly, make sure the following Group Policy
 When Take a Test is running, the following functionality is available to students:
 
 - Assistive technology that is configured to run above the lock screen should run as expected
-- Narrator is available through Windows key + Enter 
-- Magnifier is available through Windows key + "+" key 
-
-    - Full screen mode is compatible  
-
-- The student can press Alt+Tab when locked down. This key press results in the student being able to switch between the following elements:
-
+- Narrator is available through <kbd>Win</kbd>+<kbd>Enter</kbd>
+- Magnifier is available through <kbd>Win</kbd>+<kbd>+</kbd>
+- The student can press <kbd>Alt</kbd>+<kbd>Tab</kbd> when locked down. This key press results in the student being able to switch between the following elements:
     - Take a Test
     - Assistive technology that may be running
     - Lock screen (not available if student is using a dedicated test account)
 
     > [!NOTE] 
-        > The app will exit if the student signs in to an account from the lock screen. Progress made in the test may be lost or invalidated. 
-
-- The student can exit the test by pressing one of the following key combinations: 
-
-    - Ctrl+Alt+Del 
-
-        On Windows 10 Enterprise or Windows 10 Education versions, IT admins can choose to block this functionality by configuring a [keyboard filter](/windows-hardware/customize/enterprise/keyboardfilter).
-
-    - Alt+F4 (Take a Test will restart if the student is using a dedicated test account)
-
-        > [!NOTE]
-        > Alt+F4 is disabled in Windows 10, version 1703 (Creators Update) and later.
+    > The app will exit if the student signs in to an account from the lock screen.
+    > Progress made in the test may be lost or invalidated.
+- The student can exit the test by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd>
 
 ## Permissive mode
 
-Starting with Windows 10, version 1709 (Fall Creators Update), assessments can now run in permissive mode. This mode enables students who need access to other apps, like accessibility tools, to use the apps.
+This mode enables students who need access to other apps, like accessibility tools, to use the apps.
 
-When permissive mode is triggered in lockdown mode, Take a Test transitions from lockdown mode to running windows mode on the user's desktop. The student can then run allowed apps during the test.
+When permissive mode is triggered in lock-down mode, Take a Test transitions from lock-down mode to running windows mode on the user's desktop. The student can then run allowed apps during the test.
 
 When running tests in this mode, keep the following points in mind:
-- Permissive mode isn't supported in kiosk mode (dedicated test account).
-- Permissive mode can be triggered from the web app running within Take a Test. Alternatively, you can create a link or shortcut without "#enforcelockdown" and it will launch in permissive mode.
+- Permissive mode isn't supported in kiosk mode (dedicated test account)
+- Permissive mode can be triggered from the web app running within Take a Test. Alternatively, you can create a link or shortcut without "#enforcelockdown" and it will launch in permissive mode
+
+## Troubleshoot Take a Test with the event viewer
+
+You can use the Event Viewer to view Take a Test events and errors. Take a Test logs events when a lock-down request has been received, device enrollment has succeeded, lock-down policies were successfully applied, and more.
+
+To enable viewing events in the Event Viewer:
+
+1. Open the `Event Viewer`
+1. Navigate to `Applications and Services Logs > Microsoft > Windows > Management-SecureAssessment`
+1. Select `Operational` > `Enable Log`
+
+To save the event logs:
+
+1. Select `Operational` > `Save All Events As…`
 
 ## Learn more
 

education/windows/take-a-test-multiple-pcs.md

@@ -1,272 +0,0 @@
----
-title: Set up Take a Test on multiple PCs
-description: Learn how to set up and use the Take a Test app on multiple PCs.
-keywords: take a test, test taking, school, set up on multiple PCs
-ms.prod: windows
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: edu
-ms.localizationpriority: medium
-ms.collection: education
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 08/10/2022
-ms.reviewer: 
-manager: aaroncz
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
----
-
-# Set up Take a Test on multiple PCs
-
-Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. 
-
-Follow the guidance in this topic to set up Take a Test on multiple PCs.
-
-## Set up a dedicated test account
-To configure a dedicated test account on multiple PCs, select any of the following methods:
-- [Provisioning package created through the Set up School PCs app](#set-up-a-test-account-in-the-set-up-school-pcs-app)
-- [Configuration in Intune for Education](#set-up-a-test-account-in-intune-for-education)
-- [Mobile device management (MDM) or Microsoft Endpoint Configuration Manager](#set-up-a-test-account-in-mdm-or-configuration-manager)
-- [Provisioning package created through Windows Configuration Designer](#set-up-a-test-account-through-windows-configuration-designer)
-- [Group Policy to deploy a scheduled task that runs a PowerShell script](#create-a-scheduled-task-in-group-policy) 
-
-### Set up a test account in the Set up School PCs app 
-If you want to set up a test account using the Set up School PCs app, configure the settings in the **Set up the Take a Test app** page in the Set up School PCs app. Follow the instructions in [Use the Set up School PCs app](use-set-up-school-pcs-app.md) to configure the test-taking account and create a provisioning package. 
-
-If you set up Take a Test, the **Take a Test** button is added on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test.
-
-**Figure 1** - Configure Take a Test in the Set up School PCs app
-
-![Configure Take a Test in the Set up School PCs app.](images/takeatest/suspc_choosesettings_setuptakeatest.png)
-
-### Set up a test account in Intune for Education
-You can set up a test-taking account in Intune for Education. To do this, follow these steps:
-
-1. In Intune for Education, select **Take a Test profiles** from the menu.
-2. Click **+ Add Test Profile** to create an account.
-
-    **Figure 2** - Add a test profile in Intune for Education
-
-    ![Add a test profile in Intune for Education.](images/takeatest/i4e_takeatestprofile_addnewprofile.png)
-
-3. In the new profile page:
-   1. Enter a name for the profile.
-   2. Enter the assessment URL.
-   3. Toggle the switch to **Allow screen capture**.
-   4. Select a user account to use as the test-taking account.
-   5. Click **Save**.
-
-      **Figure 3** - Add information about the test profile
-
-      ![Add information about the test profile.](images/takeatest/i4e_takeatestprofile_newtestaccount.png)
-
-      After you save the test profile, you'll see a summary of the settings that you configured for Take a Test. Next, you'll need to assign the test profile to a group that will be using the test account.
-    
-4. In the test account page, click **Groups**.
-
-   **Figure 4** - Assign the test account to a group
-
-   ![Assign the test account to a group.](images/takeatest/i4e_takeatestprofile_accountsummary.png)
-
-5. In the **Groups** page, click **Change group assignments**.
-
-    **Figure 5** - Change group assignments
-
-    ![Change group assignments.](images/takeatest/i4e_takeatestprofile_groups_changegroupassignments.png)
-
-6. In the **Change group assignments** page:
-   1. Select a group from the right column and click **Add Members** to select the group and assign the test-taking account to that group. You can select more than one group. 
-   2. Click **OK** when you're done making your selection.
-
-      **Figure 6** - Select the group(s) that will use the test account
-
-      ![Select the groups that will use the test account.](images/takeatest/i4e_takeatestprofile_groupassignment_selected.png)
-
-And that's it! When the students from the selected group sign in to the student PCs using the Take a Test user name that you selected, the PC will be locked down and Take a Test will open the assessment URL and students can start taking tests.
-
-### Set up a test account in MDM or Configuration Manager
-You can configure a dedicated testing account through MDM or Configuration Manager by specifying a single account in the directory to be the test-taking account. Devices that have the test-taking policies can sign into the specified account to take the test.
-
-**Best practice**
-- Create a single account in the directory specifically for test taking 
-  - Active Directory example: Contoso\TestAccount
-  - Azure Active Directory example: testaccount@contoso.com
-
-- Deploy the policies to the group of test-taking devices
-
-**To enable this configuration**
-
-1. Launch your management console.
-2. Create a policy to set up single app kiosk mode using the following values:
-
-   - **Custom OMA-DM URI** = ./Vendor/MSFT/AssignedAccess/KioskModeApp
-   - **String value** = {"*Account*":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}
-
-     *Account* can be in one of the following formats:
-     - username (not recommended)
-     - domain\username
-     - computer name\\username (not recommended)
-     - username@tenant.com
-
-3. Create a policy to configure the assessment URL using the following values:
-
-    - **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/LaunchURI
-    - **String value** = *assessment URL*
-
-4. Create a policy that associates the assessment URL to the account using the following values:
-
-    - **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/TesterAccount
-    - **String value** = Enter the account that you specified in step 2, using the same account format.
-
-5. Deploy the policies to the test-taking devices.
-6. To take the test, the student signs in to the test account.
-
-### Set up a test account through Windows Configuration Designer
-To set up a test account through Windows Configuration Designer, follow these steps.
-
-1. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
-2. Create a provisioning package by following the steps in [Provision PCs with common settings for initial deployment (desktop wizard)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment). However, make a note of these other settings to customize the test account.
-   1. After you're done with the wizard, don't click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtime settings**.
-   2. Under **Runtime settings**, go to **AssignedAccess > AssignedAccessSettings**.
-   3. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up.
-
-      **Figure 7** - Add the account to use for test-taking
-
-      ![Add the account to use for test-taking.](images/wcd/wcd_settings_assignedaccess.png)
-
-      The account can be in one of the following formats:
-      - username
-      - domain\username
-      - computer name\\username
-      - username@tenant.com
-
-   4. Under **Runtime settings**, go to **TakeATest** and configure the following settings:
-      - In **LaunchURI**, enter the assessment URL.
-      - In **TesterAccount**, enter the test account you entered in step 3.
-
-3. Follow the steps to [build a package](/windows/configuration/provisioning-packages/provisioning-create-package#build-package). 
-
-   - You'll see the file path for your provisioning package. By default, this is set to %windir%\Users\*your_username<em>\Windows Imaging and Configuration Designer (WICD)\*Project name</em>). 
-   - Copy the provisioning package to a USB drive.
-
-4. Follow the steps in [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) to apply the package that you created.
-
-### Set up a tester account in Group Policy
-To set up a tester account using Group Policy, first create a PowerShell script that configures the tester account and assessment URL, and then create a scheduled task to run the script.
-
-#### Create a PowerShell script
-This sample PowerShell script configures the tester account and the assessment URL. Edit the sample to:
-
-- Use your assessment URL for **$obj.LaunchURI**  
-- Use your tester account for **$obj.TesterAccount**
-- Use your tester account for **-UserName**
-
->[!NOTE]
->The account that you specify for the tester account must already exist on the device. For steps to create the tester account, see [Set up a dedicated test account](./take-a-test-single-pc.md#set-up-a-dedicated-test-account).
-
-```powershell
-$obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'";
-$obj.LaunchURI='https://www.foo.com';
-$obj.TesterAccount='TestAccount';
-$obj.put()
-Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount
-```
-
-#### Create a scheduled task in Group Policy
-1. Open the Group Policy Management Console.
-2. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click **Edit**.
-3. In the console tree under **Computer Configuration** or **User Configuration**, go to **Preferences** > **Control Panel Settings**.
-4. Right-click **Scheduled Tasks**, point to **New**, and select **Scheduled Task**.
-5. In the **New Scheduled Task Properties** dialog box, click **Change User or Group**.
-6. In the **Select User or Group** dialog box, click **Advanced**.
-7. In the **Advanced** dialog box, click **Find Now**.
-8. Select **System** in the search results
-9. Go back to the **Properties** dialog box and select **Run with highest privileges** under **Security options**.
-10. Specify the operating system in the **Configure for** field.
-11. Navigate to the **Actions** tab.
-12. Create a new **Action**.
-13. Configure the action to **Start a program**.
-14. In the **Program/script** field, enter **powershell**.
-15. In the **Add arguments** field, enter **-file "\<path to powershell script>"**.
-16. Click **OK**.
-17. Navigate to the **Triggers** tab and create a new trigger.
-18. Specify the trigger to be **On a schedule**.
-19. Specify the trigger to be **One time**.
-20. Specify the time the trigger should start.
-21. Click **OK**.
-22. In the **Settings** tab, select **Run task as soon as possible after a scheduled start is missed**.
-23. Click **OK**.
-
-## Provide link to test
-Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments.
-
-**To provide a link to the test**
-
-1. Create the link to the test using schema activation.
-   - Create a link using a web UI
-
-     For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this option for teachers.
-
-     To get started, navigate to: [Create a link using a web UI](https://aka.ms/create-a-take-a-test-link).
-
-   - Create a link using schema activation
-
-     You can accomplish the same thing as the first option (using a web UI), by manually embedding a URL with a specific prefix. You can select parameters depending on what you want to enable. 
-
-     For more info, see [Create a link using schema activation](#create-a-link-using-schema-activation).
-
-2. Distribute the link. 
-
-    Once the links are created, you can distribute them through the web, email, OneNote, or any other method of your choosing. You can also create shortcuts to distribute the link. For more info, see [Create a shortcut for the test link](#create-a-shortcut-for-the-test-link).
-
-3. To take the test, have the students click on the link and provide user consent.
-
-### Create a link using schema activation
-One of the ways you can present content in a locked down manner is by embedding a URL with a specific prefix. Once users click the URL, devices will be locked down.
-
-**To enable schema activation for assessment URLs**
-
-1. Embed a link or create a desktop shortcut with:
-
-   ```http
-   ms-edu-secureassessment:<URL>#enforceLockdown
-   ```
-
-2. To enable printing, screen capture, or both, use the above link and append one of these parameters:
-
-   - `&enableTextSuggestions` - Enables text suggestions
-   - `&requirePrinting` - Enables printing
-   - `&enableScreenCapture` - Enables screen capture
-   - `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability. 
-
-   If you exclude these parameters, the default behavior is disabled.
-
-   For tests that utilize the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that aren't allowed to run during lockdown. The test web application may lock down the device once you've closed the apps.
-
-    > [!NOTE] 
-    > The Windows 10, version 1607 legacy configuration, `ms-edu-secureassessment:<URL>!enforcelockdown` is still supported, but not in combination with the new parameters.
-
-3. To enable permissive mode, don't include `enforceLockdown` in the schema parameters.
-
-   For more information, see [Permissive mode](take-a-test-app-technical.md#permissive-mode).
-
-### Create a shortcut for the test link
-You can also distribute the test link by creating a shortcut. To create the shortcut, create the link to the test by either using the [web UI](https://aka.ms/create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
-
-1. On a device running Windows, right-click on the desktop and then select **New > Shortcut**.
-2. In the **Create Shortcut** window, paste the assessment URL in the field under **Type the location of the item**.
-3. Click **Next**.
-4. Type a name for the shortcut and then click **Finish**.
-
-Once the shortcut is created, you can copy it and distribute it to students.
-
-## Related topics
-
-[Take tests in Windows](take-tests-in-windows-10.md)
-
-[Set up Take a Test on a single PC](take-a-test-single-pc.md)
-
-[Take a Test app technical reference](take-a-test-app-technical.md)

education/windows/take-a-test-single-pc.md

@@ -1,136 +0,0 @@
----
-title: Set up Take a Test on a single PC
-description: Learn how to set up and use the Take a Test app on a single PC.
-keywords: take a test, test taking, school, set up on single PC
-ms.prod: windows
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: edu
-ms.localizationpriority: medium
-ms.collection: education
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 08/10/2022
-ms.reviewer: 
-manager: aaroncz
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
----
-# Set up Take a Test on a single PC
-
-To configure [Take a Test](take-tests-in-windows-10.md) on a single PC, follow the guidance in this topic.
-
-## Set up a dedicated test account
-To configure the assessment URL and a dedicated testing account on a single PC, follow these steps.
-
-1. Sign into the Windows device with an administrator account.
-2. Open the **Settings** app and go to **Accounts > Access work or school**.
-3. Click **Set up an account for taking tests**.
-
-   **Figure 1** - Use the Settings app to set up a test-taking account
-
-   ![Use the Settings app to set up a test-taking account.](images/takeatest/tat_settingsapp_workorschoolaccess_setuptestaccount.png)
-
-4. In the **Set up an account for taking tests** window, choose an existing account to use as the dedicated testing account.
-
-   **Figure 2** - Choose the test-taking account
-
-   ![Choose the test-taking account.](images/takeatest/tat_settingsapp_setuptesttakingaccount_1703.png) 
-
-    > [!NOTE]  
-    > If you don't have an account on the device, you can create a new account. To do this, go to **Settings > Accounts > Other people > Add someone else to this PC > I don’t have this person’s sign-in information > Add a user without a Microsoft account**.
-
-5. In the **Set up an account for taking tests**, enter the assessment URL in the field under **Enter the test's web address**. 
-6. Select the options you want to enable during the test.
-   - To enable printing, select **Require printing**. 
-
-      > [!NOTE]  
-      > Make sure a printer is preconfigured on the Take a Test account if you're enabling this option.
-
-   - To enable teachers to monitor screens, select **Allow screen monitoring**.
-   - To allow text suggestions, select **Allow text suggestions**.
-
-7. Click **Save**.
-8. To take the test, the student must sign in using the test-taking account that you created.
-
-## Provide a link to the test
-Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments.
-
-**To provide a link to the test**
-
-1. Create the link to the test. 
-
-   There are different ways you can do this:
-   - Create a link using a web UI
-
-     For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this for option for teachers.
-
-     To get started, go here: [Create a link using a web UI](https://aka.ms/create-a-take-a-test-link).
-
-   - Create a link using schema activation
-
-     You can accomplish the same thing as the first option (using a web UI), by manually embedding a URL with a specific prefix. You can select parameters depending on what you want to enable. 
-
-     For more info, see [Create a link using schema activation](#create-a-link-using-schema-activation).
-
-2. Distribute the link.
-
-   Once the links are created, you can distribute them through the web, email, OneNote, or any other method of your choosing. 
-
-   You can also create shortcuts to distribute the link. For more info, see [Create a shortcut for the test link](#create-a-shortcut-for-the-test-link).
-
-3. To take the test, have the students click on the link and provide user consent.
-
-   > [!NOTE] 
-   > If you enabled printing, the printer must be preconfigured for the account before the student takes the test.
-
-
-### Create a link using schema activation
-One of the ways you can present content in a locked down manner is by embedding a URL with a specific prefix. Once users click the URL, devices will be locked down.
-
-**To enable schema activation for assessment URLs**
-
-1. Embed a link or create a desktop shortcut with:
-
-   ```
-   ms-edu-secureassessment:<URL>#enforceLockdown
-   ```
-
-2. To enable printing, screen capture, or both, use the above link and append one of these parameters:
-
-   - `&enableTextSuggestions` - Enables text suggestions
-   - `&requirePrinting` - Enables printing
-   - `&enableScreenCapture` - Enables screen capture
-   - `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability. 
-
-   If you exclude these parameters, the default behavior is disabled.
-
-   For tests that utilizes the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps.
-
-    > [!NOTE] 
-    > The Windows 10, version 1607 legacy configuration, `ms-edu-secureassessment:<URL>!enforcelockdown` is still supported, but not in combination with the new parameters.
-
-3. To enable permissive mode, do not include `enforceLockdown` in the schema parameters.
-
-   For more information, see [Permissive mode](take-a-test-app-technical.md#permissive-mode).
-
-
-### Create a shortcut for the test link
-You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://aka.ms/create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
-
-1. On a device running Windows, right-click on the desktop and then select **New > Shortcut**.
-2. In the **Create Shortcut** window, paste the assessment URL in the field under **Type the location of the item**.
-3. Click **Next**.
-4. Type a name for the shortcut and then click **Finish**.
-
-Once the shortcut is created, you can copy it and distribute it to students.
-
-
-## Related topics
-[Take tests in Windows](take-tests-in-windows-10.md)
-
-[Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
-
-[Take a Test app technical reference](take-a-test-app-technical.md)

education/windows/take-tests-in-windows-10.md

@@ -1,79 +0,0 @@
----
-title: Take tests in Windows
-description: Learn how to set up and use the Take a Test app.
-keywords: take a test, test taking, school, how to, use Take a Test
-ms.prod: windows
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: edu
-ms.localizationpriority: medium
-ms.collection: education
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 08/10/2022
-ms.reviewer: 
-manager: aaroncz
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
----
-
-# Take tests in Windows
-
-Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows creates the right environment for taking a test:
-
-- Take a Test shows just the test and nothing else.
-- Take a Test clears the clipboard.
-- Students aren’t able to go to other websites.
-- Students can’t open or access other apps.
-- Students can't share, print, or record their screens unless enabled by the teacher or IT administrator
-- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features.
-- Cortana is turned off.
-
-## How to use Take a Test
-
-![Set up and user flow for the Take a Test app.](images/takeatest/take_a_test_flow_dark.png)
-
-There are several ways to configure devices for assessments, depending on your use case:
-
-- For higher stakes testing such as mid-term exams, you can set up a device with a dedicated testing account and URL. 
-- For lower stakes assessments such as a quick quiz in a class, you can quickly create and distribute the assessment URL through any method of your choosing.
-
-1. **Configure an assessment URL and a dedicated testing account**
-
-    In this configuration, a user signs into in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing.
-
-    There are different methods to configure the assessment URL and a dedicated testing account depending on whether you're setting up Take a Test on a single PC or multiple PCs.
-
-  - **For a single PC**
-        
-      You can use the Windows **Settings** application. For more info, see [Set up Take a Test on a single PC](take-a-test-single-pc.md).
-
-  - **For multiple PCs**
-    
-      You can use any of these methods:
-    - Mobile device management (MDM) or Microsoft Endpoint Configuration Manager
-    - A provisioning package created in Windows Configuration Designer
-    - Group Policy to deploy a scheduled task that runs a Powershell script
-
-      You can also configure Take a Test using these options:
-    - Set up School PCs app
-    - Intune for Education
-
-      For more info about these methods, see [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md).
-
-2. **Create and distribute the assessment URL through the web, email, OneNote, or any other method** 
-
-    This allows teachers and test administrators an easier way to deploy assessments quickly and simply. We recommend this method for lower stakes assessments. You can also create shortcuts to distribute the link.
-
-    You can enable this using a schema activation.
-
-
-## How to exit Take a Test
-To exit the Take a Test app at any time, press Ctrl+Alt+Delete.
-
-
-## Get more info
-- Teachers can use Microsoft Forms to create tests. See [Create tests using Microsoft Forms](https://support.microsoft.com/office/create-a-quiz-with-microsoft-forms-a082a018-24a1-48c1-b176-4b3616cdc83d) to find out how.
-- To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).

education/windows/take-tests-in-windows.md

@@ -0,0 +1,100 @@
+---
+title: Take tests and assessments in Windows
+description: Description of the built-in Take a Test app for Windows and how to use it.
+ms.date: 09/30/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ <b>Windows 10</b>
+- ✅ <b>Windows 11</b>
+- ✅ <b>Windows 11 SE</b>
+---
+
+# Take tests and assessments in Windows
+
+Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. To help schools with testing, Windows provides an application called **Take a Test**. The application is a secure browser that provides different features to help with testing, and can be configured to only allow access a specific URL or a list of URLs. When using Take a Test, students can't:
+
+- print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)
+- access other applications
+- change system settings, such as display extension, notifications, updates
+- access Cortana
+- access content copied to the clipboard
+
+## How to use Take a Test
+
+There are different ways to use Take a Test, depending on the use case:
+
+- For lower stakes assessments, such a quick quiz in a class, a teacher can generate a *secure assessment URL* and share it with the students. Students can then open the URL to access the assessment through Take a Test. To learn more, see the next section: [Create a secure assessment link](#create-a-secure-assessment-link)
+- For higher stakes assessments, you can configure Windows devices to use a dedicated account for testing and execute Take a Test in a locked-down mode, called **kiosk mode**. Once signed in with the dedicated account, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. For more information, see [Configure Take a Test in kiosk mode](edu-take-a-test-kiosk-mode.md)
+
+![Set up and user flow for the Take a Test app.](images/takeatest/flow-chart.png)
+
+## Create a secure assessment link
+
+Anything hosted on the web can be presented in a locked down manner using the Take a Test app, not just assessments. To lock down online content, a URL must be embedded with a specific prefix and devices will be locked down when users open the link.
+
+To create a secure assessment link to the test, there are two options:
+
+- Create a link using a web application
+- Create a link using schema activation
+
+### Create a link using a web application
+
+For this option, copy the assessment URL and open the web application <a href="https://aka.ms/create-a-take-a-test-link" target="_blank"><u>Customize your assessment URL</u></a>, where you can:
+
+- Paste the link to the assessment URL
+- Select the options you want to allow during the test
+- Generate the link by selecting the button Create link
+
+This is an ideal option for teachers who want to create a link to a specific assessment and share it with students using OneNote, for example.
+
+### Create a link using schema activation
+
+For this option, you embed a URL with a specific prefix and specify parameters depending on what you want to allow during the test.
+The URL must be in the following format:
+
+```
+ms-edu-secureassessment:<URL>#enforceLockdown
+```
+
+To enable printing, screen capture, or both, use the above link and append one of these parameters:
+
+- `&enableTextSuggestions` - Enables text suggestions
+- `&requirePrinting` - Enables printing
+- `&enableScreenCapture` - Enables screen capture
+- `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability.
+
+If these parameters aren't included, the default behavior is to disable the capabilities.
+
+For tests that utilize the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that aren't allowed to run during lockdown. Take a Test will lock down the device once the applications are closed.
+
+To enable permissive mode, don't include `enforceLockdown` in the schema parameters. For more information, see [Permissive mode](take-a-test-app-technical.md#permissive-mode).
+
+## Distribute the secure assessment link
+
+Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choosing.
+
+For example, you can create and copy the shortcut to the assessment URL to the students' desktop.
+
+To take the test, have the students open the link.
+
+> [!NOTE]
+> If you enabled printing, the printer must be pre-configured for the account before the student takes the test.
+
+:::image type="content" source="./images/takeatest/desktop-shortcuts.png" alt-text="Windows 11 SE desktop showing two shortcuts to assessment URLs." border="true":::
+
+> [!NOTE]
+> If using `enforceLockdown`, to exit the Take a Test app at any time, press <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd>. Students will be prompted to type their password to get back to their desktop.
+
+## Additional information
+
+Teachers can use **Microsoft Forms** to create tests. For more information, see [Create tests using Microsoft Forms](https://support.microsoft.com/office/).
+
+To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).

education/windows/tutorial-school-deployment/configure-device-settings.md

@@ -62,7 +62,7 @@ Settings that are commonly configured for student devices include:
 
 - Wallpaper and lock screen background. See: [Lock screen and desktop][INT-7]
 - Wi-Fi connections. See: [Add Wi-Fi profiles][INT-8]
-- Enablement of the integrated testing and assessment solution *Take a test*. See: [Add Take a Test profile][INT-9]
+- Enablement of the integrated testing and assessment solution *Take a Test*. See: [Add Take a Test profile][INT-9]
 
 For more information, see [Windows device settings in Intune for Education][INT-3].
 

education/windows/tutorial-school-deployment/enroll-overview.md

@@ -33,15 +33,10 @@ This [table][INT-1] describes the ideal scenarios for using either option. It's
 :::image type="content" source="./images/enroll.png" alt-text="The device lifecycle for Intune-managed devices - enrollment" border="false":::
 
 Select one of the following options to learn the next steps about the enrollment method you chose:
-
-> [!div class="nextstepaction"]
-> [Next: Automatic Intune enrollment via Azure AD join >](enroll-aadj.md)
-
-> [!div class="nextstepaction"]
-> [Next: Bulk enrollment with provisioning packages >](enroll-package.md)
-
-> [!div class="nextstepaction"]
-> [Next: Enroll devices with Windows Autopilot >](enroll-autopilot.md)
+> [!div class="op_single_selector"]
+> - [Automatic Intune enrollment via Azure AD join](enroll-aadj.md)
+> - [Bulk enrollment with provisioning packages](enroll-package.md)
+> - [Enroll devices with Windows Autopilot ](enroll-autopilot.md)
 
 <!-- Reference links in article -->
 

education/windows/windows-11-se-faq.yml

@@ -0,0 +1,68 @@
+### YamlMime:FAQ
+metadata:
+  title: Windows 11 SE Frequently Asked Questions (FAQ)
+  description: Use these frequently asked questions (FAQ) to learn important details about Windows 11 SE.   
+  ms.prod: windows
+  ms.technology: windows
+  author: paolomatarazzo
+  ms.author: paoloma
+  manager: aaroncz
+  ms.reviewer: 
+  ms.collection: education
+  ms.topic: faq
+  localizationpriority: medium
+  ms.date: 09/14/2022
+  appliesto:
+  - ✅ <b>Windows 11 SE</b>
+
+title: Common questions about Windows 11 SE
+summary: Windows 11 SE combines the power and privacy of Windows 11 with educator feedback to create a simplified experience on devices built for education. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows 11 SE so you can get to what matters most.
+
+sections:
+  - name: General
+    questions:
+      - question: What is Windows 11 SE?
+        answer: |
+          Windows 11 SE is a new cloud-first operating system that offers the power and reliability of Windows 11 with a simplified design and tools specially designed for schools.
+          To learn more, see [Windows 11 SE Overview](/education/windows/windows-11-se-overview).
+      - question: Who is the Windows 11 SE designed for?
+        answer: |
+          Windows 11 SE is designed for students in grades K-8 who use a laptop provided by their school, in a 1:1 scenario.
+      - question: What are the major differences between Windows 11 and Windows 11 SE?
+        answer: |
+          Windows 11 SE was created based on feedback from educators who wanted a distraction-free experience for their students. Here are some of the differences that you'll find in Windows 11 SE:
+          - Experience a simplified user interface so you can stay focused on the important stuff
+          - Only IT admins can install apps. Users will not be able to access the Microsoft Store or download apps from the internet
+          - Use Snap Assist to maximize screen space on smaller screens with two-window snapping
+          - Store your Desktop, Documents, and Photos folders in the cloud using OneDrive, so your work is backed up and easy to find
+          - Express yourself and celebrate accomplishments with the *emoji and GIF panel* and *Stickers*
+  - name: Deployment
+    questions:
+      - question: Can I load Windows 11 SE on any hardware? 
+        answer: |
+          Windows 11 SE is only available on devices that are built for education. To learn more, see [Windows 11 SE Overview](/education/windows/windows-11-se-overview).
+  - name: Applications and settings
+    questions:
+      - question: How can I install applications on Windows 11 SE?
+        answer: |
+          You can use Microsoft Intune to install applications on Windows 11 SE.
+          For more information, see [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps).
+      - question: What apps will work on Windows 11 SE?
+        answer: |
+          Windows 11 SE supports all web applications and a curated list of desktop applications. You can prepare and add a desktop app to Microsoft Intune as a Win32 app from the [approved app list](/education/windows/windows-11-se-overview), then distribute it.
+          For more information, see [Considerations for Windows 11 SE](/education/windows/tutorial-school-deployment/configure-device-apps#considerations-for-windows-11-se).
+      - question: Why there's no application store on Windows 11 SE?
+        answer: |
+          IT Admins can manage system settings (including application installation and the application store) to ensure all students have a safe, distraction-free experience. On Windows SE devices, you have pre-installed apps from Microsoft, from your IT admin, and from your device manufacturer. You can continue to use web apps on the Microsoft Edge browser, as web apps do not require installation.
+          For more information, see [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-app).
+      - question: What does the error 0x87D300D9 mean in the Intune for Education portal?
+        answer: |
+          This error means that the app you are trying to install is not supported on Windows 11 SE. If you have an app that fails with this error, then:
+          - Make sure the app is on the [available applications list](/education/windows/windows-11-se-overview#available-applications). Or, make sure your app is [approved for Windows 11 SE](/education/windows/windows-11-se-overview#add-your-own-applications)
+          - If the app is approved, then it's possible the app is not packaged correctly. For more information, [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps)
+          - If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own applications](/education/windows/windows-11-se-overview#add-your-own-applications). Or, use an app that runs in a web browser, such as a web app or PWA
+  - name: Out-of-box experience (OOBE)
+    questions:
+      - question: My Windows 11 SE device is stuck in OOBE, how can I troubleshoot it?
+        answer: |
+          To access the Settings application during OOBE on a Windows 11 SE device, press <kbd>Shift</kbd>+<kbd>F10</kbd>, then select the accessibility icon :::image type="icon" source="images/icons/accessibility.svg"::: on the bottom-right corner of the screen. From the Settings application, you can troubleshoot the OOBE process and, optionally, trigger a device reset.

education/windows/windows-11-se-overview.md

@@ -88,7 +88,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 |-----------------------------------------|-------------------|----------|------------------------------|
 | AirSecure                               | 8.0.0             | Win32    | AIR                          |
 | Alertus Desktop                         | 5.4.44.0          | Win32    | Alertus technologies         |
-| Brave Browser                           | 1.34.80           | Win32    | Brave                        |
+| Brave Browser                           | 106.0.5249.65     | Win32    | Brave                        |
 | Bulb Digital Portfolio                  | 0.0.7.0           | Store    | Bulb                         |
 | CA Secure Browser                       | 14.0.0            | Win32    | Cambium Development          |
 | Cisco Umbrella                          | 3.0.110.0         | Win32    | Cisco                        |
@@ -167,14 +167,6 @@ When the app is ready, Microsoft will update you. Then, you add the app to the I
 
 For more information on Intune requirements for adding education apps, see [Configure applications with Microsoft Intune][EDUWIN-1].
 
-### 0x87D300D9 error with an app
-
-When you deploy an app using Intune for Education, you may get a `0x87D300D9` error code with a `Failed` state in the [Intune for Education portal](https://intuneeducation.portal.azure.com). If you have an app that fails with this error, then:
-
-- Make sure the app is on the [available applications list](#available-applications). Or, make sure your app is [approved for Windows 11 SE](#add-your-own-applications)
-- If the app is approved, then it's possible the app is packaged wrong. For more information, see [Add your own apps](#add-your-own-applications) and [Configure applications with Microsoft Intune][EDUWIN-1]
-- If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own apps](#add-your-own-applications). Or, use an app that runs in a web browser, such as a web app or PWA
-
 ## Related articles
 
 - [Tutorial: deploy and manage Windows devices in a school][EDUWIN-2]

education/windows/windows-11-se-settings-list.md

@@ -17,7 +17,7 @@ appliesto:
 
 # Windows 11 SE for Education settings list
 
-Windows 11 SE automatically configures settings and features in the operating system. These settings use the Configuration Service Provider (CSPs) provided by Microsoft. You can use an MDM provider to configure these settings.
+Windows 11 SE automatically configures certain settings and features in the operating system. You can use Microsoft Intune to customize these settings.
 
 This article lists the settings automatically configured. For more information on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md).
 
@@ -61,45 +61,6 @@ The following settings can't be changed.
 | Administrative tools  | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Endpoint Manager can run. |
 | Apps  | Only certain apps are allowed to run on Windows 11 SE. For more info on what apps can run on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md).  |
 
-## What's available in the Settings app
-
-On Windows 11 SE devices, the Settings app shows the following setting pages. Depending on the hardware, some setting pages might not be shown.
-
-- Accessibility
-
-- Accounts
-  - Email & accounts
-
-- Apps
-
-- Bluetooth & devices
-  - Bluetooth
-  - Printers & scanners
-  - Mouse
-  - Touchpad
-  - Typing
-  - Pen
-  - AutoPlay
-
-- Network & internet
-  - WiFi
-  - VPN
-
-- Personalization
-  - Taskbar
-
-- Privacy & security
-
-- System
-  - Display
-  - Notifications
-  - Tablet mode
-  - Multitasking
-  - Projecting to this PC
-
-- Time & Language
-  - Language & region
-
 ## Next steps
 
 [Windows 11 SE for Education overview](windows-11-se-overview.md)

education/windows/windows-editions-for-education-customers.md

@@ -21,7 +21,7 @@ appliesto:
 
 Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](/windows/security/security-foundations) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620).
 
-Beginning with version 1607, Windows 10 offers various new features and functionality, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows-10.md), and faster sign-in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/).
+Beginning with version 1607, Windows 10 offers various new features and functionality, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows.md), and faster sign-in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/).
 
 Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
 

windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md

@@ -52,7 +52,7 @@ ms.date: 08/01/2022
 - [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
 - [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
 - [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) <sup>9</sup>
-- [MixedReality/AllowCaptivePortalBeforeSignIn](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforesignin) <sup>Insider</sup>
+- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforelogon) <sup>Insider</sup>
 - [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#mixedreality-allowlaunchuriinsingleappkiosk)<sup>10</sup>
 - [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) <sup>11</sup>
 - [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) <sup>9</sup>

windows/client-management/mdm/policy-csp-mixedreality.md

@@ -23,7 +23,7 @@ manager: aaroncz
     <a href="#mixedreality-aadgroupmembershipcachevalidityindays">MixedReality/AADGroupMembershipCacheValidityInDays</a>
   </dd>
   <dd>
-    <a href="#mixedreality-allowcaptiveportalpeforesignin">MixedReality/AllowCaptivePortalBeforeSignIn</a>
+    <a href="#mixedreality-allowcaptiveportalpeforelogon">MixedReality/AllowCaptivePortalBeforeLogon</a>
   </dd>
   <dd>
     <a href="#mixedreality-allowlaunchuriinsingleappkiosk">MixedReality/AllowLaunchUriInSingleAppKiosk</a>
@@ -103,7 +103,7 @@ Steps to use this policy correctly:
 <hr/>
 
 <!--Policy-->
-<a href="" id="mixedreality-allowcaptiveportalpeforesignin"></a>**MixedReality/AllowCaptivePortalBeforeSignIn**  
+<a href="" id="mixedreality-allowcaptiveportalpeforelogon"></a>**MixedReality/AllowCaptivePortalBeforeLogon**  
 
 <!--SupportedSKUs-->
 
@@ -127,11 +127,14 @@ Steps to use this policy correctly:
 <!--Description-->
 This new feature is an opt-in policy that IT Admins can enable to help with the setup of new devices in new areas or new users. When this policy is turned on it allows a captive portal on the sign-in screen, which allows a user to enter credentials to connect to the Wi-Fi access point. If enabled, sign in will implement similar logic as OOBE to display captive portal if necessary.
 
-MixedReality/AllowCaptivePortalBeforeSignIn
+MixedReality/AllowCaptivePortalBeforeLogon
 
-The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowCaptivePortalBeforeSignIn`
+The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowCaptivePortalBeforeLogon`
 
-Bool value
+Int value
+
+- 0: (Default) Off
+- 1: On
 
 <!--/Description-->
 

windows/client-management/mdm/secureassessment-csp.md

@@ -127,7 +127,7 @@ Example:
 
 ## Related topics
 
-[Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs)  
+[Set up Take a Test](/education/windows/take-a-test-multiple-pcs)  
 
 [Configuration service provider reference](configuration-service-provider-reference.md)
 

windows/deployment/update/media-dynamic-update.md

@@ -192,21 +192,28 @@ Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destinatio
 Write-Output "$(Get-TS): Mounting WinRE"
 Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
 
-# Add servicing stack update
+# Add servicing stack update (Step 1 from the table)
 
-# Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required
-# This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update. 
+# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
+# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined 
+# cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and 
+# Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined 
+# cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined 
+# cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the 
+# combined cumulative update can be installed. 
 
-# Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
-# There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
-# This error should be caught and ignored, as the last step will be to apply the cumulative update 
-# (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
+# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
+# Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null  
 
-Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Now, attempt the combined cumulative update.
+# There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should 
+# be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct 
+# packages installed.
 
 try
 {
-    Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null  
+    Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null  
 }
 Catch
 {
@@ -221,6 +228,13 @@ Catch
     }
 }
 
+# The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
+# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+# update. This second approach is commented out below.
+
+# Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null  
+
 #
 # Optional: Add the language to recovery environment
 #
@@ -301,21 +315,28 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
     Write-Output "$(Get-TS): Mounting WinPE"
     Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null  
 
-    # Add SSU
+    # Add servicing stack update (Step 9 from the table)
 
-    # Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required
-    # This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update. 
+    # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
+    # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined 
+    # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and 
+    # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined 
+    # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined 
+    # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the 
+    # combined cumulative update can be installed. 
 
-    # Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
+    # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
+    # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+    # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null  
+
+    # Now, attempt the combined cumulative update.
     # There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
     # This error should be caught and ignored, as the last step will be to apply the cumulative update 
     # (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
 
-    Write-Output "$(Get-TS): Adding package $SSU_PATH"
-    
     try
     {
-        Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
+        Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH | Out-Null  
     }
     Catch
     {
@@ -330,6 +351,13 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
         }
     }
 
+    # The second approach for Step 9 is for Windows releases that have not adopted the combined cumulative update
+    # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+    # update. This second approach is commented out below.
+
+    # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+    # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null 
+
     # Install lp.cab cab
     Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
     Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null  
@@ -412,9 +440,29 @@ You can install Optional Components, along with the .NET feature, offline, but t
 # update Main OS
 #
 
-# Add servicing stack update
-Write-Output "$(Get-TS): Adding package $SSU_PATH"
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+# Add servicing stack update (Step 18 from the table)
+
+# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
+# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
+# includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
+# cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully
+# rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published, 
+# and installed first before the combined cumulative update can be installed. 
+
+# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
+# Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null  
+
+# Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
+Write-Output "$(Get-TS): Adding package $LCU_PATH"
+Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null  
+
+# The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
+# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+# update. This second approach is commented out below.
+
+# Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null  
 
 # Optional: Add language to main OS
 Write-Output "$(Get-TS): Adding package $OS_LP_PATH"

windows/deployment/update/olympia/olympia-enrollment-guidelines.md

@@ -1,138 +1,42 @@
 ---
-title: Olympia Corp enrollment guidelines
-description: Learn about the Olympia Corp enrollment and setting up an Azure Active Directory-REGISTERED Windows client device or an Azure Active Directory-JOINED Windows client device.
-ms.author: aaroncz
+title: Olympia Corp Retirement
+description: Learn about the retirement of Olympia Corp and how to back up your data prior to October 31, 2022.
+ms.author: lizlong
 ms.topic: article
 ms.prod: w10
-ms.technology: windows
-author: aczechowski
+author: lizgt2000
 ms.reviewer: 
-manager: dougeby
-ms.custom: seo-marvel-apr2020
+manager: aaroncz
 ---
 
 # Olympia Corp
-
+<!-- 6472736 -->
 **Applies to**
 
 - Windows 10
 - Windows 11
 
-## What is Windows Insider Lab for Enterprise and Olympia Corp?
+## Retirement of Olympia Corp
 
-Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release enterprise privacy and security features. To get the complete experience of these enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features.
+Olympia Corp, a virtual corporation was set up to reflect the IT infrastructure of real world businesses.</br>
+Olympia will be formally retired on October 31, 2022.</br>
+We'll begin unassigning Olympia licenses and deleting the Olympia feedback path on Feedback Hub. Olympia Corp will no longer be a part of Windows Insider Lab for Enterprise.
 
-As an Olympia user, you will have an opportunity to: 
+> [!WARNING]
+> To prevent data loss, Olympia participants need to complete the following:
+> - If you're using the provided Olympia licenses, make a back up of any data as you'll lose data once we unassign the licenses.
+> - Please remove your device from Olympia before October 31, 2022.
 
-- Use various enterprise features like Windows Information Protection (WIP), Microsoft Defender for Office 365, Windows Defender Application Guard (WDAG), and Application Virtualization (APP-V).
-- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness.
-- Validate and test pre-release software in your environment.
-- Provide feedback.
-- Interact with engineering team members through a variety of communication channels.
+To remove the account from Azure Active Directory, follow the steps below:
 
->[!Note]
->Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the enterprise features at any time without notice.
+  1. Open the **Settings** app.
+  1. Go to **Accounts** > **Access work or school**.
+  1. Select the connected account that you want to remove, then select **Disconnect**.
+  1. To confirm device removal, select **Yes**.
 
-For more information about Olympia Corp, see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ).
+- After removing your account from Olympia, log in to your device using your local account.
 
-To request an Olympia Corp account, fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia).
-
-## Enrollment guidelines
-
-Welcome to Olympia Corp. Here are the steps needed to enroll.
-
-As part of Windows Insider Lab for Enterprise, you can upgrade to Windows client Enterprise from Windows client Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows client Enterprise, we recommend you to upgrade.
-
-Choose one of the following two enrollment options:
-
-- To set up an Azure Active Directory-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account.
-
-- If you are running Windows client Pro, we recommend that you upgrade to Windows client Enterprise by following these steps to  [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account.
-
-<a id="enrollment-keep-current-edition"></a>
-
-### Set up an Azure Active Directory-REGISTERED Windows client device
-
-This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Azure AD register FAQ](/azure/active-directory/devices/faq) for additional information.
-
-1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/windows/create-a-local-user-or-administrator-account-in-windows-20de74e0-ac7f-3502-a866-32915af2a34d)).
-
-    ![Settings -> Accounts.](images/1-1.png)
-
-2. If you are already connected to a domain, select the existing account and then select **Disconnect**. Select **Restart Later**.
-
-3. Select **Connect** and enter your **Olympia corporate account** (for example, username@olympia.windows.com). Select **Next**.
-
-    ![Entering account information when setting up a work or school account.](images/1-3.png)
-
-4. Enter the temporary password that was sent to you. Select **Sign in**. Follow the instructions to set a new password.
-
-    > [!NOTE]
-    > Passwords should contain 8-16 characters, including at least one special character or number.
-
-    ![Update your password.](images/1-4.png)
-
-5. Read the **Terms and Conditions**. Select **Accept** to participate in the program.
-
-6. If this is the first time you are logging in, fill in the additional information to help you retrieve your account details.
-
-7. Create a PIN for signing into your Olympia corporate account.
-
-8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Select on the current Windows Insider account, and select **Change**. Sign in with your **Olympia corporate account**.
-
-    > [!NOTE]
-    > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
-
-9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
-
-<a id="enrollment-upgrade-to-enterprise"></a>
-
-### Set up Azure Active Directory-JOINED Windows client device
-
-- This method will upgrade your Windows client Pro license to Enterprise and create a new account. See [Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join) for more information.
-
-    > [!NOTE]
-    > Make sure that you save your Pro license key before upgrading to the Enterprise edition. If the device gets disconnected from Olympia, you can use the Pro key to reactivate the license manually in the unlikely event that the license fails to downgrade back to Pro automatically. To reactivate manually, see [Upgrade by manually entering a product key](../../upgrade/windows-10-edition-upgrades.md#upgrade-by-manually-entering-a-product-key).
-
-1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/windows/create-a-local-user-or-administrator-account-in-windows-20de74e0-ac7f-3502-a866-32915af2a34d)).
-
-    ![Settings -> Accounts.](images/1-1.png)
-
-2. If you are already connected to a domain, select the existing account and then select **Disconnect**. Select **Restart Later**.
-    
-3. Select **Connect**, then select **Join this device to Azure Active Directory**.
-
-    ![Joining device to Azure AD.](images/2-3.png)
-
-4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Select **Next**.
-
-    ![Set up a work or school account.](images/2-4.png)
-
-5. Enter the temporary password that was sent to you. Select **Sign in**. Follow the instructions to set a new password.
-
-    > [!NOTE]
-    > Passwords should contain 8-16 characters, including at least one special character or number.
-
-    ![Entering temporary password.](images/2-5.png)
-
-6. When asked to make sure this is your organization, verify that the information is correct. If so, select **Join**.
-
-7. If this is the first time you are signing in, fill in the additional information to help you retrieve your account details.
-
-8. Create a PIN for signing into your Olympia corporate account.
-
-9. When asked to make sure this is your organization, verify that the information is correct. If so, select **Join**.
-
-10. Restart your device.
-
-11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows client Enterprise.
-
-12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Select on the current Windows Insider account, and select **Change**. Sign in with your **Olympia corporate account**.
-
-    > [!NOTE]
-    > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
-
-13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
-
->[!NOTE]
-> Your Windows client Enterprise license won't be renewed if your device isn't connected to Olympia.
+- If you're looking for another program to join, the program we recommend is the Windows Insider Program for Business. Follow the instructions below to register:
+[Register for the Windows 10 Insider Program for Business](/windows-insider/business/register)
+<!-- https://learn.microsoft.com/en-us/windows-insider/business/register -->
+Thank you for your participation in Olympia and email Windows Insider Lab for Enterprise [olympia@microsoft.com](mailto:olympia@microsoft.com) with any questions.

windows/security/identity-protection/credential-guard/credential-guard-manage.md

@@ -25,7 +25,7 @@ appliesto:
 
 ## Default Enablement
 
-Starting with Windows 11 Enterprise 22H2, compatible systems have Windows Defender Credential Guard turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below.
+Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below.
 
 ### Requirements for automatic enablement
 
@@ -33,18 +33,26 @@ Windows Defender Credential Guard will be enabled by default when a PC meets the
 
 |Component|Requirement|
 |---|---|
-|Operating System|Windows 11 Enterprise 22H2|
+|Operating System|**Windows 11 Enterprise, version 22H2** or **Windows 11 Education, version 22H2**|
 |Existing Windows Defender Credential Guard Requirements|Only devices which meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.|
-|Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default.
+|Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2 and Windows 11 Education 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default.
 
 > [!NOTE]
 > If Windows Defender Credential Guard or VBS has previously been explicitly disabled, default enablement will not overwrite this setting.
 
+> [!NOTE]
+> Devices running Windows 11 Pro 22H2 may have Virtualization-Based Security (VBS) and/or Windows Defender Credential Guard automaticaly enabled if they meet the other requirements for default enablement listed above and have previously run Windows Defender Credential Guard (for example if Windows Defender Credential Guard was running on an Enterprise device that later downgraded to Pro).
+> 
+> To determine whether the Pro device is in this state, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. In this scenario, if you wish to disable VBS and Windows Defender Credential Guard, follow the instructions for [disabling Virtualization-Based Security](#disabling-virtualization-based-security). If you wish to disable only Windows Defender Credential Guard without disabling Virtualization-Based Security, use the procedures for [disabling Windows Defender Credential Guard](#disable-windows-defender-credential-guard).
+
 ## Enable Windows Defender Credential Guard
 
 Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
 The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
 
+> [!NOTE]
+> Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only.
+
 ### Enable Windows Defender Credential Guard by using Group Policy
 
 You can use Group Policy to enable Windows Defender Credential Guard. This will add and enable the virtualization-based security features for you if needed.
@@ -230,24 +238,54 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
 
 ## Disable Windows Defender Credential Guard
 
-To disable Windows Defender Credential Guard, you can use the following set of procedures or the [HVCI and Windows Defender Credential Guard hardware readiness tool](#disable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). If Credential Guard was enabled with UEFI Lock then you must use the following procedure as the settings are persisted in EFI (firmware) variables and it will require physical presence at the machine to press a function key to accept the change. If Credential Guard was enabled without UEFI Lock then you can turn it off by using Group Policy.
+Windows Defender Credential Guard can be disabled via several methods explained below, depending on how the feature was enabled. For devices that had Windows Defender Credential Guard automatically enabled in the 22H2 update and did not have it enabled prior to the update, it is sufficient to [disable via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy).
 
-1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**).
+If Windows Defender Credential Guard was enabled with UEFI Lock, the procedure described in [Disabling Windows Defender Credential Guard with UEFI Lock](#disabling-windows-defender-credential-guard-with-uefi-lock) must be followed. Note that the default enablement change in eligible 22H2 devices does **not** use a UEFI Lock.
 
-1. Delete the following registry settings:
+If Windows Defender Credential Guard was enabled via Group Policy without UEFI Lock, Windows Defender Credential Guard should be [disabled via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy).
+
+Otherwise, Windows Defender Credential Guard can be [disabled by changing registry keys](#disabling-windows-defender-credential-guard-using-registry-keys).
+
+Windows Defender Credential Guard running in a virtual machine can be [disabled by the host](#disable-windows-defender-credential-guard-for-a-virtual-machine).
+
+For information on disabling Virtualization-Based Security (VBS), see [Disabling Virtualization-Based Security](#disabling-virtualization-based-security).
+
+### Disabling Windows Defender Credential Guard using Group Policy
+
+If Windows Defender Credential Guard was enabled via Group Policy and without UEFI Lock, disabling the same Group Policy setting will disable Windows Defender Credential Guard.
+
+1. Disable the Group Policy setting that governs Windows Defender Credential Guard. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**. In the "Credential Guard Configuration" section, set the dropdown value to "Disabled":
+
+   :::image type="content" source="images/credguard-gp-disabled.png" alt-text="Windows Defender Credential Guard Group Policy set to Disabled.":::
+
+1. Restart the machine.
+
+### Disabling Windows Defender Credential Guard using Registry Keys
+
+If Windows Defender Credential Guard was enabled without UEFI Lock and without Group Policy, it is sufficient to edit the registry keys as described below to disable Windows Defender Credential Guard.
+
+1. Change the following registry settings to 0:
 
    - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags`
 
    - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags`
 
-1. If you also wish to disable virtualization-based security delete the following registry settings:
+     > [!NOTE]
+     > Deleting these registry settings may not disable Windows Defender Credential Guard. They must be set to a value of 0.
 
-   - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity`
+1. Restart the machine.
 
-   - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures`
+### Disabling Windows Defender Credential Guard with UEFI Lock
 
-     > [!IMPORTANT]
-     > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
+If Windows Defender Credential Guard was enabled with UEFI Lock enabled, then the following procedure must be followed since the settings are persisted in EFI (firmware) variables. This scenario will require physical presence at the machine to press a function key to accept the change.
+
+1. If Group Policy was used to enable Windows Defender Credential Guard, disable the relevant Group Policy setting. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**. In the "Credential Guard Configuration" section, set the dropdown value to "Disabled".
+
+1. Change the following registry settings to 0:
+
+   - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags`
+
+   - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags`
 
 1. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
 
@@ -262,37 +300,7 @@ To disable Windows Defender Credential Guard, you can use the following set of p
    mountvol X: /d
    ```
 
-1. Restart the PC.
-
-1. Accept the prompt to disable Windows Defender Credential Guard.
-
-1. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard.
-
-    > [!NOTE]
-    > The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings:
-    >
-    > ```cmd
-    > bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
-    > bcdedit /set vsmlaunchtype off
-    > ```
-
-For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](../../threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md).
-
-> [!NOTE]
-> Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only.
-
-### Disable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool
-
-You can also disable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
-
-```powershell
-DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
-```
-
-> [!IMPORTANT]  
-> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. 
->
-> This is a known issue.
+1. Restart the PC. Before the OS boots, a prompt will appear notifying that UEFI was modified, and asking for confirmation. This prompt must be confirmed for the changes to persist. This step requires physical access to the machine.
 
 ### Disable Windows Defender Credential Guard for a virtual machine
 
@@ -301,3 +309,31 @@ From the host, you can disable Windows Defender Credential Guard for a virtual m
 ```powershell
 Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
 ```
+
+## Disabling Virtualization-Based Security
+
+Instructions are given below for how to disable Virtualization-Based Security (VBS) entirely, rather than just Windows Defender Credential Guard. Disabling Virtualization-Based Security will automatically disable Windows Defender Credential Guard and other features that rely on VBS.
+
+> [!IMPORANT]
+> Other security features in addition to Windows Defender Credential Guard rely on Virtualization-Based Security in order to run. Disabling Virtualization-Based Security may have unintended side effects.
+
+1. If Group Policy was used to enable Virtualization-Based Security, set the Group Policy setting that was used to enable it (**Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**) to "Disabled".
+
+1. Delete the following registry settings:
+
+   - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity`
+
+   - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures`
+
+     > [!IMPORTANT]
+     > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
+
+1. If Windows Defender Credential Guard is running when disabling Virtualization-Based Security and either feature was enabled with UEFI Lock, the EFI (firmware) variables must be cleared using bcdedit. From an elevated command prompt, run the following bcdedit commands after turning off all Virtualization-Based Security Group Policy and registry settings as described in steps 1 and 2 above:
+
+     >
+     > ```cmd
+     > bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
+     > bcdedit /set vsmlaunchtype off
+     > ```
+
+1. Restart the PC.

windows/security/identity-protection/credential-guard/credential-guard-requirements.md

@@ -101,7 +101,7 @@ The following tables describe baseline protections, plus protections for improve
 |Hardware: **Trusted Platform Module (TPM)**|**Requirement**: </br> - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../information-protection/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.|
 |Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**: </br> - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.|
 |Firmware: **Secure firmware update process**|**Requirements**: </br> - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.|
-|Software: Qualified **Windows operating system**|**Requirement**: </br> - At least Windows 10 Enterprise or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
+|Software: Qualified **Windows operating system**|**Requirement**: </br> - At least Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
 
 > [!IMPORTANT]
 > The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide.

windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg

@@ -0,0 +1,3 @@
+<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <path d="M6.75001 3.25C6.75001 2.55964 7.30966 2 8.00001 2C8.69037 2 9.25001 2.55964 9.25001 3.25C9.25001 3.94036 8.69037 4.5 8.00001 4.5C7.30966 4.5 6.75001 3.94036 6.75001 3.25ZM8.00001 1C6.75737 1 5.75001 2.00736 5.75001 3.25C5.75001 3.42769 5.77061 3.60057 5.80955 3.76638L4.1981 3.11531C3.38523 2.78689 2.45661 3.17707 2.12226 3.98751C1.78682 4.8006 2.17658 5.72824 2.9921 6.05773L5 6.86897L5 9.25304L3.18661 12.6635C2.77397 13.4396 3.06858 14.4032 3.84463 14.8158C4.62069 15.2285 5.58431 14.9339 5.99695 14.1578L8.00028 10.3901L10.0037 14.158C10.4163 14.934 11.3799 15.2286 12.156 14.816C12.9321 14.4034 13.2267 13.4397 12.814 12.6637L11 9.252V6.86897L13.0079 6.05773C13.8234 5.72824 14.2132 4.80059 13.8777 3.98751C13.5434 3.17707 12.6148 2.78689 11.8019 3.11531L10.1905 3.76636C10.2294 3.60055 10.25 3.42768 10.25 3.25C10.25 2.00736 9.24265 1 8.00001 1ZM3.04668 4.36889C3.17149 4.06635 3.52005 3.91989 3.82349 4.04249L7.25078 5.42721C7.73138 5.62138 8.2686 5.62138 8.74921 5.42721L12.1765 4.04249C12.4799 3.91989 12.8285 4.06635 12.9533 4.36889C13.077 4.66879 12.9341 5.00902 12.6333 5.13055L10.6254 5.94179C10.2474 6.09449 10 6.46133 10 6.86897V9.252C10 9.41571 10.0402 9.57692 10.1171 9.72147L11.9311 13.1332C12.0844 13.4216 11.9749 13.7797 11.6865 13.9331C11.3981 14.0864 11.04 13.9769 10.8866 13.6885L8.88322 9.92064C8.50711 9.21327 7.49344 9.21326 7.11733 9.92064L5.114 13.6883C4.96065 13.9768 4.60252 14.0863 4.31411 13.9329C4.02569 13.7795 3.9162 13.4214 4.06955 13.133L5.88295 9.72251C5.9598 9.57796 6 9.41675 6 9.25304V6.86897C6 6.46133 5.75256 6.09449 5.3746 5.94179L3.3667 5.13055C3.06591 5.00902 2.92295 4.66879 3.04668 4.36889Z" fill="#0078D4" />
+</svg>

windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg

@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
+  <path d="M1792 0q53 0 99 20t82 55 55 81 20 100q0 53-20 99t-55 82-81 55-100 20h-128v1280q0 53-20 99t-55 82-81 55-100 20H256q-53 0-99-20t-82-55-55-81-20-100q0-53 20-99t55-82 81-55 100-20V256q0-53 20-99t55-82 81-55T512 0h1280zM128 1792q0 27 10 50t27 40 41 28 50 10h930q-34-60-34-128t34-128H256q-27 0-50 10t-40 27-28 41-10 50zm1280 128q27 0 50-10t40-27 28-41 10-50V256q0-68 34-128H512q-27 0-50 10t-40 27-28 41-10 50v1280h1024q26 0 45 19t19 45q0 26-19 45t-45 19q-25 0-49 9t-42 28q-18 18-27 42t-10 49q0 27 10 50t27 40 41 28 50 10zm384-1536q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10q-27 0-50 10t-40 27-28 41-10 50v128h128zm-1280 0h896v128H512V384zm0 256h256v128H512V640zm0 256h256v128H512V896zm0 256h256v128H512v-128zm640-512q53 0 99 20t82 55 55 81 20 100q0 17-4 33t-4 31v539l-248-124-248 124V960q0-14-4-30t-4-34q0-53 20-99t55-82 81-55 100-20zm0 128q-27 0-50 10t-40 27-28 41-10 50q0 27 10 50t27 40 41 28 50 10q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10zm136 549v-204q-30 20-65 29t-71 10q-36 0-71-9t-65-30v204l136-68 136 68z" fill="#0078D4" />
+</svg>

windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/intune.svg

@@ -0,0 +1,24 @@
+<svg id="a9ed4d43-c916-4b9a-b9ca-be76fbdc694c" xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
+  <defs>
+    <linearGradient id="aaede26b-698f-4a65-b6db-859d207e2da6" x1="8.05" y1="11.32" x2="8.05" y2="1.26" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#0078d4" />
+      <stop offset="0.82" stop-color="#5ea0ef" />
+    </linearGradient>
+    <linearGradient id="bc54987f-34ba-4701-8ce4-6eca10aff9e9" x1="8.05" y1="15.21" x2="8.05" y2="11.32" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#1490df" />
+      <stop offset="0.98" stop-color="#1f56a3" />
+    </linearGradient>
+    <linearGradient id="a5434fd8-c18c-472c-be91-f2aa070858b7" x1="8.05" y1="7.87" x2="8.05" y2="4.94" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#d2ebff" />
+      <stop offset="1" stop-color="#f0fffd" />
+    </linearGradient>
+  </defs>
+  <title>Icon-intune-329</title>
+  <rect x="0.5" y="1.26" width="15.1" height="10.06" rx="0.5" fill="url(#aaede26b-698f-4a65-b6db-859d207e2da6)" />
+  <rect x="1.34" y="2.1" width="13.42" height="8.39" rx="0.28" fill="#fff" />
+  <path d="M11.08,14.37c-1.5-.23-1.56-1.31-1.55-3h-3c0,1.74-.06,2.82-1.55,3a.87.87,0,0,0-.74.84h7.54A.88.88,0,0,0,11.08,14.37Z" fill="url(#bc54987f-34ba-4701-8ce4-6eca10aff9e9)" />
+  <path d="M17.17,5.91H10.29a2.31,2.31,0,1,0,0,.92H11v9.58a.33.33,0,0,0,.33.33h5.83a.33.33,0,0,0,.33-.33V6.24A.33.33,0,0,0,17.17,5.91Z" fill="#32bedd" />
+  <rect x="11.62" y="6.82" width="5.27" height="8.7" rx="0.12" fill="#fff" />
+  <circle cx="8.05" cy="6.41" r="1.46" opacity="0.9" fill="url(#a5434fd8-c18c-472c-be91-f2aa070858b7)" />
+  <path d="M14.88,10.82,13.76,9.7a.06.06,0,0,0-.1.05v.68a.06.06,0,0,1-.06.06H11v.83H13.6a.06.06,0,0,1,.06.06v.69a.06.06,0,0,0,.1,0L14.88,11A.12.12,0,0,0,14.88,10.82Z" fill="#0078d4" />
+</svg>

windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg

@@ -0,0 +1,20 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
+  <defs>
+    <linearGradient id="a24f9983-911f-4df7-920f-f964c8c10f82" x1="9" y1="15.834" x2="9" y2="5.788" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#32bedd" />
+      <stop offset="0.175" stop-color="#32caea" />
+      <stop offset="0.41" stop-color="#32d2f2" />
+      <stop offset="0.775" stop-color="#32d4f5" />
+    </linearGradient>
+  </defs>
+  <title>MsPortalFx.base.images-10</title>
+  <g id="a7ef0482-71f2-4b7e-b916-b1c754245bf1">
+    <g>
+      <path d="M.5,5.788h17a0,0,0,0,1,0,0v9.478a.568.568,0,0,1-.568.568H1.068A.568.568,0,0,1,.5,15.266V5.788A0,0,0,0,1,.5,5.788Z" fill="url(#a24f9983-911f-4df7-920f-f964c8c10f82)" />
+      <path d="M1.071,2.166H16.929a.568.568,0,0,1,.568.568V5.788a0,0,0,0,1,0,0H.5a0,0,0,0,1,0,0V2.734A.568.568,0,0,1,1.071,2.166Z" fill="#0078d4" />
+      <path d="M4.292,7.153h.523a.167.167,0,0,1,.167.167v3.858a.335.335,0,0,1-.335.335H4.125a0,0,0,0,1,0,0V7.321a.167.167,0,0,1,.167-.167Z" transform="translate(-5.271 5.967) rotate(-45.081)" fill="#f2f2f2" />
+      <path d="M4.32,9.647h.523a.167.167,0,0,1,.167.167v4.131a0,0,0,0,1,0,0H4.488a.335.335,0,0,1-.335-.335v-3.8a.167.167,0,0,1,.167-.167Z" transform="translate(-0.504 23.385) rotate(-135.081)" fill="#e6e6e6" />
+      <rect x="7.221" y="12.64" width="4.771" height="1.011" rx="0.291" fill="#f2f2f2" />
+    </g>
+  </g>
+</svg>

windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg

@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
+  <path d="M1544 128q75 0 143 30t120 82 82 120 31 144v328q0 26-19 45t-45 19q-26 0-45-19t-19-45V507q0-50-20-95t-55-80-80-55-96-21H346q16 15 27 28t11 36q0 26-19 45t-45 19q-26 0-45-19L147 237q-19-19-19-45t19-45L275 19q19-19 45-19t45 19 19 45q0 23-11 36t-27 28h1198zm-57 896q0 24 22 43t50 39 50 46 23 63q0 21-12 51t-30 61-37 59-33 44q-31 37-79 37-20 0-42-8t-44-17-41-17-35-8q-15 0-24 6t-14 15-8 20-5 24l-17 91q-6 34-25 52t-45 27-55 10-57 2h-5q-27 0-58-1t-58-11-47-28-26-53l-20-116q-2-14-14-26t-28-12q-20 0-40 7t-42 17-43 17-43 8q-50 0-80-37-14-16-32-43t-35-59-29-61-12-52q0-39 22-64t50-45 49-38 23-43q0-25-22-43t-50-39-50-45-23-64q0-22 12-52t30-60 37-58 33-45q31-37 79-37 20 0 42 7t43 17 40 17 36 8q21 0 32-11t16-30 8-41 7-46 11-45 24-38q12-12 29-19t37-10 40-5 39-1h15q27 0 57 1t58 11 46 28 26 53l20 116q3 18 16 27t31 10q17 0 37-7t41-17 42-17 42-8q23 0 44 10t36 28q14 17 32 44t36 58 29 61 12 52q0 39-22 64t-50 45-49 38-23 43zm-128 0q0-37 12-64t31-50 45-42 52-42q-13-30-29-58t-36-54q-36 13-76 29t-80 16q-24 0-44-6t-42-18q-33-19-51-42t-27-51-13-59-11-67q-16-2-32-3t-33-1q-17 0-33 1t-32 3q-7 35-11 66t-14 58-28 52-51 43q-21 13-41 18t-45 6q-40 0-79-16t-76-30q-38 51-66 112 26 22 51 42t45 42 32 50 12 65q0 37-12 64t-31 50-45 42-52 42q13 30 29 58t36 54q35-13 74-29t79-16q32 0 61 10t52 30 39 46 22 58l17 99q17 2 32 3t33 1q17 0 33-1t33-3q5-30 9-59t13-57 24-52 43-43q23-15 48-23t53-9q18 0 38 5t40 12 39 15 37 14q38-51 66-112-26-22-51-42t-45-42-32-50-12-65zm-207 0q0 27-10 50t-27 40-41 28-50 10q-27 0-50-10t-41-27-27-40-10-51q0-27 10-50t27-40 41-28 50-10q26 0 49 10t41 27 28 41 10 50zm768 832q0 26-19 45l-128 128q-19 19-45 19t-45-19-19-45q0-23 11-36t27-28H504q-75 0-143-30t-120-82-82-120-31-144v-328q0-26 19-45t45-19q26 0 45 19t19 45v325q0 50 20 95t55 80 80 55 96 21h1195q-14-14-26-28t-12-36q0-26 19-45t45-19q26 0 45 19l128 128q19 19 19 45z" fill="#0078D4" />
+</svg>

windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg

@@ -0,0 +1,22 @@
+<svg id="b9b1f1bd-1131-4ac5-b607-ad500ee51398" data-name="fluent_icons" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="18" height="18" viewBox="0 0 18 18">
+  <defs>
+    <linearGradient id="b0b22e7a-bfc7-4dec-91e9-5f981ed97407" x1="8.55" y1="0.41" x2="8.48" y2="18.62" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#76bc2d" />
+      <stop offset="0.32" stop-color="#73b82c" />
+      <stop offset="0.65" stop-color="#6cab29" />
+      <stop offset="0.99" stop-color="#5e9724" />
+      <stop offset="1" stop-color="#5e9624" />
+    </linearGradient>
+    <linearGradient id="e827adc5-7c19-488a-9b2c-abb70d46ae5e" x1="14.75" y1="5.9" x2="14.75" y2="1.1" gradientTransform="translate(18.1 -11.21) rotate(90)" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#0078d4" />
+      <stop offset="0.17" stop-color="#1c84dc" />
+      <stop offset="0.38" stop-color="#3990e4" />
+      <stop offset="0.59" stop-color="#4d99ea" />
+      <stop offset="0.8" stop-color="#5a9eee" />
+      <stop offset="1" stop-color="#5ea0ef" />
+    </linearGradient>
+  </defs>
+  <title>Icon-general-18</title>
+  <path d="M6.27,13.29h4.49v4.49H6.27ZM1,3.43V7.3h4.5V2.81H1.65A.63.63,0,0,0,1,3.43ZM1,17.16a.63.63,0,0,0,.63.62H5.52V13.29H1Zm0-4.62h4.5V8.05H1Zm10.49,5.24h3.87a.62.62,0,0,0,.62-.62V13.29H11.51ZM6.27,12.54h4.49V8.05H6.27Zm5.24-4.49v4.49H16V8.05ZM6.27,7.3h4.49V2.81H6.27Z" fill="url(#b0b22e7a-bfc7-4dec-91e9-5f981ed97407)" />
+  <rect x="12.2" y="1.14" width="4.8" height="4.8" rx="0.25" transform="translate(5.14 15.21) rotate(-64.59)" fill="url(#e827adc5-7c19-488a-9b2c-abb70d46ae5e)" />
+</svg>

windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/windows-os.svg

@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 2048 2048" width="18" height="18" >
+  <path d="M0 0h961v961H0V0zm1087 0h961v961h-961V0zM0 1087h961v961H0v-961zm1087 0h961v961h-961v-961z" fill="#0078D4" />
+</svg>

windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md

@@ -8,7 +8,7 @@ ms.author: v-mathavale
 ms.reviewer: paoloma
 manager: aaroncz
 ms.localizationpriority: medium
-ms.date: 06/21/2022
+ms.date: 10/07/2022
 adobe-target: true
 appliesto:
 - ✅ <b>Windows 11, version 22H2</b>
@@ -40,22 +40,36 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc
 
 ## Configure Enhanced Phishing Protection for your organization
 
-Enhanced Phishing Protection can be configured via Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service like Microsoft Intune. Follow the instructions below to configure your devices using either GPO or CSP.
+Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. Follow the instructions below to configure your devices using either Microsoft Intune, GPO or CSP.
 
-#### [✅ **GPO**](#tab/gpo)
+#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
+
+To configure devices using Microsoft Intune, create a [**Settings catalog** policy][MEM-2], and use the settings listed under the category **`SmartScreen > Enhanced Phishing Protection`**:
+
+|Setting|Description|
+|---------|---------|
+|Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.<li> If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.</li><li> If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.</li>|
+|Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate<li> If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.</li><li> If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.|
+|Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.<li> If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.</li><li> If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.|
+|Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.<li> If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.</li><li> If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.|
+
+
+Assign the policy to a security group that contains as members the devices or users that you want to configure.
+
+#### [:::image type="icon" source="images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
 
 Enhanced Phishing Protection can be configured using the following Administrative Templates policy settings:
 
 |Setting|Description|
 |---------|---------|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.<br><br> If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.<br><br> If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate.<br><br> If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password. <br><br>If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.<br><br> If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it. <br><br> If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.<br><br> If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.<br> <br> If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.<li> If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.</li><li> If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.</li>|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate<li> If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.</li><li> If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.<li> If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.</li><li> If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.<li> If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.</li><li> If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.|
 
-#### [✅ **CSP**](#tab/csp)
+#### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp)
 
-Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP](/windows/client-management/mdm/policy-csp-webthreatdefense).
+Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][WIN-1].
 
 | Setting                 | OMA-URI                                                                   | Data type |
 |-------------------------|---------------------------------------------------------------------------|-----------|
@@ -70,9 +84,18 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP](
 
 By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios.  
 
-To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings.
+To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings.
 
-#### [✅ **GPO**](#tab/gpo)
+#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
+
+|Settings catalog element|Recommendation|
+|---------|---------|
+|Service Enabled|**Enable**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.|
+|Notify Malicious|**Enable**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.|
+|Notify Password Reuse|**Enable**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.|
+|Notify Unsafe App|**Enable**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.|
+
+#### [:::image type="icon" source="images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
 
 |Group Policy setting|Recommendation|
 |---------|---------|
@@ -81,7 +104,7 @@ To better help you protect your organization, we recommend turning on and using
 |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse|**Enable**: Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.|
 |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|**Enable**: Enhanced Phishing Protection warns users if they store their password in Notepad and Microsoft 365 Office Apps.|
 
-#### [✅ **CSP**](#tab/csp)
+#### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp)
   
 |MDM setting|Recommendation|
 |---------|---------|
@@ -99,3 +122,9 @@ To better help you protect your organization, we recommend turning on and using
 - [Threat protection](../index.md)
 - [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md)
 - [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference)
+
+------------
+
+[WIN-1]: /windows/client-management/mdm/policy-csp-webthreatdefense
+
+[MEM-2]: /mem/intune/configuration/settings-catalog

windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md

@@ -6,11 +6,11 @@ ms.prod: m365-security
 audience: ITPro
 ms.collection: M365-security-compliance
 author: jsuther1974
-ms.reviewer: jogeurte
+ms.reviewer: aaroncz
 ms.author: jogeurte
 ms.manager: jsuther
 manager: dansimp
-ms.date: 03/08/2022
+ms.date: 10/06/2022
 ms.technology: windows-sec
 ms.topic: article
 ms.localizationpriority: medium
@@ -27,13 +27,15 @@ ms.localizationpriority: medium
 >[!NOTE]
 >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
-This topic describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host.
+This article describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host.
 
 > [!NOTE]
 > To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool.
 
 ## Deploying policies for Windows 10 version 1903 and above
 
+You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
+
 1. Initialize the variables to be used by the script.
 
     ```powershell
@@ -49,7 +51,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
    Copy-Item -Path $PolicyBinary -Destination $DestinationFolder -Force
    ```
 
-3. Repeat steps 1-2 as appropriate to deploy additional WDAC policies.
+3. Repeat steps 1-2 as appropriate to deploy more WDAC policies.
 4. Run RefreshPolicy.exe to activate and refresh all WDAC policies on the managed endpoint.
 
    ```powershell
@@ -82,7 +84,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
 
 In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [Microsoft Endpoint Manager](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. 
 
-1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: 
+1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt: 
 
     ```powershell
    $MountPoint = 'C:\EFIMount'

windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md

@@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: jogeurte
 ms.author: dansimp
 manager: dansimp
-ms.date: 06/27/2022
+ms.date: 10/06/2022
 ms.technology: windows-sec
 ---
 
@@ -31,13 +31,17 @@ ms.technology: windows-sec
 >
 > Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.
 
-Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. The following procedure walks you through how to deploy a WDAC policy called **ContosoPolicy.bin** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**.
+Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. 
+
+You should now have a WDAC policy converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
+
+The following procedure walks you through how to deploy a WDAC policy called **SiPolicy.p7b** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**.
 
 To deploy and manage a Windows Defender Application Control policy with Group Policy:
 
 1. On a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC**
 
-2. Create a new GPO: right-click an OU and then click **Create a GPO in this domain, and Link it here**.
+2. Create a new GPO: right-click an OU and then select **Create a GPO in this domain, and Link it here**.
 
    > [!NOTE]
    > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control lifecycle policy management](../plan-windows-defender-application-control-management.md).
@@ -46,15 +50,15 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
 
 3. Name the new GPO. You can choose any name.
 
-4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
+4. Open the Group Policy Management Editor: right-click the new GPO, and then select **Edit**.
 
-5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.
+5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then select **Edit**.
 
     ![Edit the Group Policy for Windows Defender Application Control.](../images/wdac-edit-gp.png)
 
 6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path.
 
-    In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with ContosoPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\ContosoPolicy.bin.
+    In this policy setting, you specify either the local path where the policy will exist on each client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, the path to SiPolicy.p7b using the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) would be %USERPROFILE%\Desktop\SiPolicy.p7b.
 
     > [!NOTE]
     > This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
@@ -62,6 +66,6 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
     ![Group Policy called Deploy Windows Defender Application Control.](../images/dg-fig26-enablecode.png)
 
     > [!NOTE]
-    > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
+    > You may have noticed that the GPO setting references a .p7b file, but the file extension and name of the policy binary do not matter. Regardless of what you name your policy binary, they are all converted to SIPolicy.p7b when applied to the client computers running Windows 10. If you are deploying different WDAC policies to different sets of devices, you may want to give each of your WDAC policies a friendly name and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
 
 7. Close the Group Policy Management Editor, and then restart the Windows test computer. Restarting the computer updates the WDAC policy.

windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md

@@ -6,10 +6,10 @@ ms.technology: itpro-security
 ms.localizationpriority: medium
 ms.collection: M365-security-compliance
 author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
 ms.author: vinpa
 manager: aaroncz
-ms.date: 06/27/2022
+ms.date: 10/06/2022
 ms.topic: how-to
 ---
 
@@ -48,19 +48,17 @@ To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windo
 > [!NOTE]
 > Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](../deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy.
 
+You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
+
 ### Deploy custom WDAC policies on Windows 10 1903+
 
 Beginning with Windows 10 1903, custom OMA-URI policy deployment can use the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies.
 
 The steps to use Intune's custom OMA-URI functionality are:
 
-1. Know a generated policy's GUID, which can be found in the policy xml as `<PolicyID>`
+1. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
 
-2. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned.
-
-3. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
-
-4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
+2. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
     - **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy`
     - **Data type**: Base64 (file)
     - **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.

windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md

@@ -11,9 +11,10 @@ ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
 author: jgeurten
-ms.reviewer: isbrahm
+ms.reviewer: aaroncz
 ms.author: dansimp
 manager: dansimp
+ms.date: 10/07/2022
 ---
 
 # Microsoft recommended driver block rules
@@ -25,36 +26,32 @@ manager: dansimp
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
-Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes:
+Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers. When vulnerabilities in drivers are found, we work with our partners to ensure they're quickly patched and rolled out to the ecosystem. The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes:
 
 - Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel
 - Malicious behaviors (malware) or certificates used to sign malware
 - Behaviors that aren't malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel
 
-Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center
-](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article.
+Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article.
 
 ## Microsoft vulnerable driver blocklist
 
 <!-- MAXADO-6286432 -->
 
-Microsoft adds the vulnerable versions of the drivers to our vulnerable driver blocklist, which is automatically enabled on devices when any of the listed conditions are met:
-
-| Condition | Windows 10 or 11 | Windows 11 22H2 or later |
-|--|:--:|:--:|
-| Device has [Hypervisor-protected code integrity (HVCI)](../device-guard/enable-virtualization-based-protection-of-code-integrity.md) enabled | :heavy_check_mark: | :heavy_check_mark: |
-| Device is in [S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85#WindowsVersion=Windows_11) | :heavy_check_mark: | :heavy_check_mark: |
-| Device has [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) enabled | :x: | :heavy_check_mark: |
-| Clean install of Windows | :x: | :heavy_check_mark: |
+With Windows 11 2022 update, the vulnerable driver blocklist  is enabled by default for all devices, and can be turned on or off via the [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2) app. The vulnerable driver blocklist is also enforced when either memory integrity (also known as hypervisor-protected code integrity or HVCI), Smart App Control, or S mode is active. Users can opt in to HVCI using the Windows Security app, and HVCI is on by-default for most new Windows 11 devices.
 
 > [!NOTE]
-> Microsoft vulnerable driver blocklist can also be enabled using [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2), but the option to disable it is grayed out when HVCI or Smart App Control is enabled, or when the device is in S mode. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can disable Microsoft vulnerable driver blocklist.
+> The option to turn Microsoft's vulnerable driver blocklist on or off using the [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2) app is grayed out when HVCI, Smart App Control, or S mode is enabled. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can turn off the Microsoft vulnerable driver blocklist.
+
+The blocklist is updated with each new major release of Windows. We plan to update the current blocklist for non-Windows 11 customers in an upcoming servicing release and will occasionally publish future updates through regular Windows servicing.
+
+Customers who always want the most up-to-date driver blocklist can also use Windows Defender Application Control (WDAC) to apply the latest recommended driver blocklist contained in this article. For your convenience, we've provided a download of the most up-to-date vulnerable driver blocklist along with instructions to apply it on your computer at the end of this article. Otherwise, you can use the XML provided below to create your own custom WDAC policies.
 
 ## Blocking vulnerable drivers using WDAC
 
-Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
+Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events.
 
 > [!IMPORTANT]
 > Microsoft also recommends enabling Attack Surface Reduction (ASR) rule [**Block abuse of exploited vulnerable signed drivers**](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) to prevent an application from writing a vulnerable signed driver to disk. The ASR rule doesn't block a driver already existing on the system from being loaded, however enabling **Microsoft vulnerable driver blocklist** or applying this WDAC policy prevents the existing driver from being loaded.
@@ -78,6 +75,12 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
     <Rule>
       <Option>Enabled:Audit Mode</Option>
     </Rule>
+    <Rule>
+      <Option>Disabled:Script Enforcement</Option>
+    </Rule>
+    <Rule>
+      <Option>Enabled:Update Policy No Reboot</Option>
+    </Rule>
   </Rules>
   <!--EKUS-->
   <EKUs />
@@ -2178,8 +2181,29 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
 </details>
 
 > [!NOTE]
-> The policy listed above contains **Allow All** rules. Microsoft recommends deploying this policy alongside an existing WDAC policy instead of merging it with the existing policy. If you must use a single policy, remove the **Allow All** rules before merging it with the existing policy. For more information, see [Create a WDAC Deny Policy](create-wdac-deny-policy.md#single-policy-considerations).
+> The policy listed above contains **Allow All** rules. Microsoft recommends deploying this policy alongside an existing WDAC policy instead of merging it with the existing policy. If you must use a single policy, remove the **Allow All** rules before merging it with the existing policy. For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations).
+
+## Steps to download and apply the vulnerable driver blocklist binary
+
+If you prefer to apply the vulnerable driver blocklist exactly as shown above, follow these steps:
+
+1. Download the [WDAC policy refresh tool](https://aka.ms/refreshpolicy)
+2. Download and extract the [vulnerable driver blocklist binaries](https://aka.ms/VulnerableDriverBlockList)
+3. Select either the audit only version or the enforced version and rename the file to SiPolicy.p7b
+4. Copy SiPolicy.p7b to %windir%\system32\CodeIntegrity
+5. Run the WDAC policy refresh tool you downloaded in Step 1 above to activate and refresh all WDAC policies on your computer
+
+To check that the policy was successfully applied on your computer:
+
+1. Open Event Viewer
+2. Browse to **Applications and Services Logs - Microsoft - Windows - CodeIntegrity - Operational**
+3. Select **Filter Current Log...**
+4. Replace "&lt;All Event IDs&gt;" with "3099" and select OK
+5. Look for a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match the Name and Id PolicyInfo settings found at the bottom of the blocklist WDAC Policy XML in this article. NOTE: Your computer may have more than one 3099 event if other WDAC policies are also present.
+
+> [!NOTE]
+> If any vulnerable drivers are already running that would be blocked by the policy, you must reboot your computer for those drivers to be blocked. Running processes aren't shutdown when activating a new WDAC policy without reboot.
 
 ## More information
 
-- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)
+- [Merge Windows Defender Application Control policies](/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies)

windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md

@@ -9,7 +9,7 @@ author: jgeurten
 ms.reviewer: aaroncz
 ms.author: jogeurte
 manager: jsuther
-ms.date: 06/27/2022
+ms.date: 10/06/2022
 ms.topic: overview
 ---
 
@@ -26,9 +26,31 @@ ms.topic: overview
 
 You should now have one or more Windows Defender Application Control (WDAC) policies ready to deploy. If you haven't yet completed the steps described in the [WDAC Design Guide](windows-defender-application-control-design-guide.md), do so now before proceeding.
 
+## Convert your WDAC policy XML to binary
+
+Before you deploy your WDAC policies, you must first convert the XML to its binary form. You can do this using the following PowerShell example. You must set the $WDACPolicyXMLFile variable to point to your WDAC policy XML file.
+
+   ```powershell
+    ## Update the path to your WDAC policy XML
+    $WDACPolicyXMLFile = $env:USERPROFILE"\Desktop\MyWDACPolicy.xml"
+    [xml]$WDACPolicy = Get-Content -Path $WDACPolicyXMLFile
+    if (($WDACPolicy.SiPolicy.PolicyID) -ne $null) ## Multiple policy format (For Windows builds 1903+ only, including Server 2022)
+    {
+        $PolicyID = $WDACPolicy.SiPolicy.PolicyID
+        $PolicyBinary = $PolicyID+".cip"
+    }
+    else ## Single policy format (Windows Server 2016 and 2019, and Windows 10 1809 LTSC)
+    {
+        $PolicyBinary = "SiPolicy.p7b"
+    }
+    
+    ## Binary file will be written to your desktop
+    ConvertFrom-CIPolicy -XmlFilePath $WDACPolicyXMLFile -BinaryFilePath $env:USERPROFILE\Desktop\$PolicyBinary
+   ```
+
 ## Plan your deployment
 
-As with any significant change to your environment, implementing application control can have unintended consequences. To ensure the best chance for success, you should follow safe deployment practices and plan your deployment carefully. Decide what devices you'll manage with Windows Defender Application Control and split them into deployment rings so you can control the scale of the deployment and respond if anything goes wrong. Define the success criteria that will determine when it's safe to continue from one ring to the next.
+As with any significant change to your environment, implementing application control can have unintended consequences. To ensure the best chance for success, you should follow safe deployment practices and plan your deployment carefully. Identify the devices you'll manage with WDAC and split them into deployment rings. This way, you can control the speed and scale of the deployment and respond if anything goes wrong. Define the success criteria that will determine when it's safe to continue from one ring to the next.
 
 All Windows Defender Application Control policy changes should be deployed in audit mode before proceeding to enforcement. Carefully monitor events from devices where the policy has been deployed to ensure the block events you observe match your expectation before broadening the deployment to other deployment rings. If your organization uses Microsoft Defender for Endpoint, you can use the Advanced Hunting feature to centrally monitor WDAC-related events. Otherwise, we recommend using an event log forwarding solution to collect relevant events from your managed endpoints.