Merge branch 'master' into deniseb-docbugs

.openpublishing.redirection.json

@@ -14085,6 +14085,11 @@
       "redirect_url": "/microsoft-store/prerequisites-microsoft-store-for-business",
       "redirect_document_id": false
     },
+    {
+     "source_path": "store-for-business/manage-mpsa-software-microsoft-store-for-business.md",
+     "redirect_url": "/microsoft-store/index",
+     "redirect_document_id": false
+    },
     {
       "source_path": "windows/manage/reset-a-windows-10-mobile-device.md",
       "redirect_url": "/windows/client-management/reset-a-windows-10-mobile-device",

store-for-business/TOC.yml

@@ -51,8 +51,6 @@
           href: add-profile-to-devices.md
         - name: Microsoft Store for Business and Education PowerShell module - preview
           href: microsoft-store-for-business-education-powershell-module.md
-        - name: Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business
-          href: manage-mpsa-software-microsoft-store-for-business.md
         - name: Working with solution providers
           href: /microsoft-365/commerce/manage-partners
     - name: Billing and payments

store-for-business/acquire-apps-microsoft-store-for-business.md

@@ -11,11 +11,14 @@ manager: scotv
 ms.reviewer: 
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 03/10/2021
+ms.date: 07/21/2021
 ---
 
 # Acquire apps in Microsoft Store for Business and Education
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 > [!IMPORTANT]
 > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
 

store-for-business/add-profile-to-devices.md

@@ -7,7 +7,7 @@ ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
 ms.author: TrudyHa
-ms.date: 2/9/2018
+ms.date: 07/21/2021
 ms.reviewer: 
 manager: dansimp
 ms.topic: conceptual
@@ -19,6 +19,9 @@ ms.localizationpriority: medium
 **Applies to**
 -   Windows 10
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 Windows Autopilot simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot).
 
 Watch this video to learn more about Windows Autopilot in Microsoft Store for Business. </br>

store-for-business/add-unsigned-app-to-code-integrity-policy.md

@@ -12,11 +12,14 @@ author: cmcatee-MSFT
 manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 03/10/2021
+ms.date: 07/21/2021
 ---
 
 # Add unsigned app to code integrity policy
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 > [!IMPORTANT]
 > We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021.
 >

store-for-business/app-inventory-management-microsoft-store-for-business.md

@@ -11,7 +11,7 @@ ms.pagetype: store
 author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
-ms.date: 10/23/2018
+ms.date: 07/21/2021
 ---
 
 # App inventory management for Microsoft Store for Business and Education
@@ -21,6 +21,9 @@ ms.date: 10/23/2018
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 You can manage all apps that you've acquired on your **Apps & software** page. This page shows all of the content you've acquired, including apps that from Microsoft Store, and line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Apps & software** page. On the **New LOB apps** tab, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role. 
 
 All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses.

store-for-business/apps-in-microsoft-store-for-business.md

@@ -12,7 +12,7 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 10/17/2017
+ms.date: 07/21/2021
 ---
 
 # Apps in Microsoft Store for Business and Education
@@ -23,6 +23,9 @@ ms.date: 10/17/2017
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 Microsoft Store for Business and Education has thousands of apps from many different categories.
 
 These app types are supported in Microsoft Store for Business and Education:

store-for-business/assign-apps-to-employees.md

@@ -12,7 +12,7 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 10/13/2017
+ms.date: 07/21/2021
 ---
 
 # Assign apps to employees
@@ -23,6 +23,9 @@ ms.date: 10/13/2017
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 Admins, Purchasers, and Basic Purchasers can assign online-licensed apps to employees or students in their organization.
 
 **To assign an app to an employee**

store-for-business/billing-payments-overview.md

@@ -10,13 +10,16 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 03/01/2019
+ms.date: 07/21/2021
 ms.reviewer: 
 manager: dansimp
 ---
 
 # Billing and payments
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 Access invoices and managed your payment methods.
 
 ## In this section

store-for-business/billing-profile.md

@@ -10,12 +10,16 @@ author: trudyha
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 03/01/2019
+ms.date: 07/21/2021
 ms.reviewer: 
 manager: dansimp
 ---
 
 # Understand billing profiles
+
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 For commercial customers purchasing software or hardware products from Microsoft using a Microsoft customer agreement, billing profiles let you customize what products are included on your invoice, and how you pay your invoices. 
 
 Billing profiles include:

store-for-business/billing-understand-your-invoice-msfb.md

@@ -9,13 +9,16 @@ author: trudyha
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 03/01/2019
+ms.date: 07/21/2021
 ms.reviewer: 
 manager: dansimp
 ---
 
 # Understand your Microsoft Customer Agreement invoice
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 The invoice provides a summary of your charges and provides instructions for payment. It’s available for
 download in the Portable Document Format (.pdf) for commercial customers from Microsoft Store for Business [Microsoft Store for Business - Invoice](https://businessstore.microsoft.com/manage/payments-billing/invoices) or can be sent via email. This article applies to invoices generated for a Microsoft Customer Agreement billing account. Check if you have a [Microsoft Customer Agreement](https://businessstore.microsoft.com/manage/organization/agreements).
 

store-for-business/configure-mdm-provider-microsoft-store-for-business.md

@@ -12,7 +12,7 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 1/6/2018
+ms.date: 07/21/2021
 ---
 
 # Configure an MDM provider
@@ -21,6 +21,9 @@ ms.date: 1/6/2018
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content.
 
 Your management tool needs to be installed and configured with Azure AD, in the same directory that you are using for Store for Business. Once that's done, you can configure it to work with Store for Business

store-for-business/device-guard-signing-portal.md

@@ -12,11 +12,14 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 10/17/2017
+ms.date: 07/21/2021
 ---
 
 # Device Guard signing
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 > [!IMPORTANT]
 > We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021.
 >

store-for-business/distribute-apps-from-your-private-store.md

@@ -12,7 +12,7 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 10/31/2018
+ms.date: 07/21/2021
 ---
 
 # Distribute apps using your private store
@@ -22,6 +22,9 @@ ms.date: 10/31/2018
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Microsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.
 
 You can make an app available in your private store when you acquire the app, or you can do it later from your inventory. Once the app is in your private store, employees can claim and install the app.

store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md

@@ -12,7 +12,7 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 10/13/2017
+ms.date: 07/21/2021
 ---
 
 # Distribute apps to your employees from Microsoft Store for Business and Education
@@ -23,6 +23,9 @@ ms.date: 10/13/2017
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 Distribute apps to your employees from Microsoft Store for Business and Microsoft Store for Education. You can assign apps to employees, or let employees install them from your private store.
 
 ## In this section

store-for-business/distribute-apps-with-management-tool.md

@@ -12,7 +12,7 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 10/17/2017
+ms.date: 07/21/2021
 ---
 
 # Distribute apps with a management tool
@@ -23,6 +23,9 @@ ms.date: 10/17/2017
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 You can configure a mobile device management (MDM) tool to synchronize your Microsoft Store for Business or Microsoft Store for Education inventory. Microsoft Store management tool services work with MDM tools to manage content.
 
 Your MDM tool needs to be installed and configured in Azure AD, in the same Azure AD directory used with Microsoft Store.

store-for-business/distribute-offline-apps.md

@@ -12,7 +12,7 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 10/17/2017
+ms.date: 07/21/2021
 ---
 
 # Distribute offline apps
@@ -23,6 +23,9 @@ ms.date: 10/17/2017
 - Windows 10
 - Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business and Microsoft Store for Education. This model allows organizations to deploy apps when users or devices do not have connectivity to the Store.
 
 ## Why offline-licensed apps?

store-for-business/find-and-acquire-apps-overview.md

@@ -12,7 +12,7 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 10/17/2017
+ms.date: 07/21/2021
 ---
 
 # Find and acquire apps
@@ -23,6 +23,9 @@ ms.date: 10/17/2017
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization.
 
 ## In this section

store-for-business/index.md

@@ -11,7 +11,7 @@ author: cmcatee-MSFT
 manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: high
-ms.date: 03/10/2021
+ms.date: 07/21/2021
 ---
 
 # Microsoft Store for Business and Education
@@ -21,6 +21,9 @@ ms.date: 03/10/2021
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 Welcome to the Microsoft Store for Business and Education! You can use Microsoft Store to find, acquire, distribute, and manage apps for your organization or school.
 
 > [!IMPORTANT]

store-for-business/manage-access-to-private-store.md

@@ -11,7 +11,7 @@ ms.pagetype: store
 author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
-ms.date: 10/17/2017
+ms.date: 07/21/2021
 ---
 
 # Manage access to private store
@@ -22,6 +22,9 @@ ms.date: 10/17/2017
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 You can manage access to your private store in Microsoft Store for Business and Microsoft Store for Education.
 
 You can control the set of apps that are available to your employees and students, and not show the full set of applications that are in Microsoft Store. Using the private store with the Microsoft Store for Business and Education, admins can curate the set of apps that are available.

store-for-business/manage-apps-microsoft-store-for-business-overview.md

@@ -12,7 +12,7 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 10/17/2017
+ms.date: 07/21/2021
 ---
 
 # Manage apps in Microsoft Store for Business and Education
@@ -22,6 +22,9 @@ ms.date: 10/17/2017
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 Manage products and services in Microsoft Store for Business and Microsoft Store for Education. This includes apps, software, products, devices, and services available under **Products & services**. 
 
 ## In this section

store-for-business/manage-mpsa-software-microsoft-store-for-business.md

@@ -1,63 +0,0 @@
----
-title: Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business
-description: Software purchased under Microsoft Products and Services Agreement (MPSA) can be managed in Microsoft Store for Business
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
-ms.topic: conceptual
-ms.localizationpriority: medium
-ms.date: 3/20/2018
-ms.reviewer: 
-manager: dansimp
----
-
-# Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business
-
-**Applies to**
-
--   Windows 10
--   Windows 10 Mobile
-
-Software purchased with the Microsoft Products and Services Agreement (MPSA) can now be managed in Microsoft Store for Business. This allows customers to manage online software purchases in one location.
-
-There are a couple of things you might need to set up to manage MPSA software purchases in Store for Business.
-
-**To manage MPSA software in Microsoft Store for Business**
-1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com).
-2. Click **Manage**, and then click **My Organization**.
-3. Click **Connected tenants** to see purchasing accounts and the tenants that they are connected to.
-
-## Add tenant
-The tenant or tenants that are added to your purchasing account control how you can distribute software to people in your organization. If there isn't a tenant listed for your purchasing account, you'll need to add one before you can use or manage the software you've purchased. When we give you a list to choose from, tenants are grouped by domain.
-
-**To add a tenant to a purchasing account**
-1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com).
-2. Click **Manage**, and then click **My Organization**.
-3. Click **Connected tenants**, and then click the ellipses for a purchasing account without a tenant listed.
-4. Click **Choose a tenant**, and then click **Submit**.
-
-If you don't see your tenant in the list, you can add the name of your tenant
-
-**To add the name of your tenant**
-1. On **Add a tenant**, click **Don't see your tenant?**.
-2. Enter a domain name, and then click **Next**, and then click **Done**.
-
-You'll need to get permissions for the admin that manages the domain you want to add. We'll take you to Business Center Portal where you can manage permissions and roles. The admin will need to be the **Account Manager**.
-
-## Add global admin
-In some cases, we might not have info on who the global admin is for the tenant that you select. It might be that the tenant is unmanaged, and you'll need to identify a global admin. Or, you might only need to share account info for the global admin.
-
-If you need to nominate someone to be the global admin, they need sufficient permissions:
-- someone who can distribute software
-- in Business Center Portal (BCP), it should be someone with **Agreement Admin** role
-
-**To add a global admin to a tenant**
-
-We'll ask for a global admin if we need that info when you add a tenant to a purchasing account. You'd see the request for a global admin before returning to **Store for Business**.
-
--  On **Add a Global Admin**, click **Make me the Global Admin**, and then click **Submit**.
--or-
--  On **Add a Global Admin**, type a name in **Invite someone else**, and then click **Submit**.

store-for-business/manage-orders-microsoft-store-for-business.md

@@ -9,13 +9,16 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 11/10/2017
+ms.date: 07/21/2021
 ms.reviewer: 
 manager: dansimp
 ---
 
 # Manage app orders in Microsoft Store for Business and Education
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 After you've acquired apps, you can review order information and invoices on **Order history**. On this page, you can view invoices, and request refunds.
 
 **Order history** lists orders in chronological order and shows:

store-for-business/manage-private-store-settings.md

@@ -11,7 +11,7 @@ ms.pagetype: store
 author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
-ms.date: 3/29/2018
+ms.date: 07/21/2021
 ms.localizationpriority: medium
 ---
 
@@ -22,6 +22,9 @@ ms.localizationpriority: medium
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all people in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.
 
 The name of your private store is shown on a tab in Microsoft Store app, or on [Microsoft Store for Business](https://businessstore.microsoft.com), or [Microsoft Store for Education](https://educationstore.microsoft.com).

store-for-business/manage-settings-microsoft-store-for-business.md

@@ -12,7 +12,7 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 2/19/2018
+ms.date: 07/21/2021
 ---
 
 # Manage settings for Microsoft Store for Business and Education
@@ -22,6 +22,9 @@ ms.date: 2/19/2018
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant.
 
 ## In this section

store-for-business/manage-users-and-groups-microsoft-store-for-business.md

@@ -12,7 +12,7 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 10/17/2017
+ms.date: 07/21/2021
 ---
 
 # Manage user accounts in Microsoft Store for Business and Education
@@ -23,6 +23,9 @@ ms.date: 10/17/2017
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md), but not to groups.
 
 ## Why Azure AD accounts?

store-for-business/microsoft-store-for-business-education-powershell-module.md

@@ -9,7 +9,7 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 10/22/2017
+ms.date: 07/21/2021
 ms.reviewer: 
 manager: dansimp
 ---
@@ -19,6 +19,9 @@ manager: dansimp
 **Applies to**
 -   Windows 10
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 Microsoft Store for Business and Education PowerShell module (preview) is now available on [PowerShell Gallery](https://go.microsoft.com/fwlink/?linkid=853459).
 
 > [!NOTE]

store-for-business/microsoft-store-for-business-overview.md

@@ -12,7 +12,7 @@ author: cmcatee-MSFT
 manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 03/10/2021
+ms.date: 07/21/2021
 ---
 
 # Microsoft Store for Business and Microsoft Store for Education overview
@@ -22,6 +22,9 @@ ms.date: 03/10/2021
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 > [!IMPORTANT]
 > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
 

store-for-business/notifications-microsoft-store-business.md

@@ -13,7 +13,7 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 07/21/2021
 ---
 
 # Notifications in Microsoft Store for Business and Education
@@ -24,6 +24,9 @@ ms.date: 07/27/2017
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 Microsoft Store for Business and Microsoft Store for Education use a set of notifications to alert admins if there is an issue or outage with Microsoft Store. 
 
 ## Notifications for admins

store-for-business/payment-methods.md

@@ -10,12 +10,16 @@ author: trudyha
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 03/01/2019
+ms.date: 07/21/2021
 ms.reviewer: 
 manager: dansimp
 ---
 
 # Payment methods
+
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 You can purchase products and services from Microsoft Store for Business using your credit card. You can enter your credit card information on **Payment methods**, or when you purchase an app. We currently accept these credit cards:
 - VISA
 - MasterCard

store-for-business/prerequisites-microsoft-store-for-business.md

@@ -12,7 +12,7 @@ author: cmcatee-MSFT
 manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 03/10/2021
+ms.date: 07/21/2021
 ---
 
 # Prerequisites for Microsoft Store for Business and Education
@@ -22,6 +22,9 @@ ms.date: 03/10/2021
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 > [!IMPORTANT]
 > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
 

store-for-business/release-history-microsoft-store-business-education.md

@@ -8,19 +8,22 @@ ms.pagetype: store
 author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
-ms.date: 10/31/2018
+ms.date: 07/21/2021
 ms.reviewer: 
 manager: dansimp
 ---
 
 # Microsoft Store for Business and Education release history
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases. 
 
 Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) 
 
 ## September 2018
-- **Performance improvements** - With updates and improvements in the private store, most changes, like adding an app, will take fifteen minutes or less. [Get more info](https://https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)
+- **Performance improvements** - With updates and improvements in the private store, most changes, like adding an app, will take fifteen minutes or less. [Get more info](/microsoft-store/manage-private-store-settings#private-store-performance)
 
 ## August 2018
 - **App requests** - People in your organization can make requests for apps that they need. hey can also request them on behalf of other people. Admins review requests and can decide on purchases. [Get more info](./acquire-apps-microsoft-store-for-business.md#allow-app-requests)

store-for-business/roles-and-permissions-microsoft-store-for-business.md

@@ -13,7 +13,7 @@ author: cmcatee-MSFT
 manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 03/16/2021
+ms.date: 07/21/2021
 ---
 
 # Roles and permissions in Microsoft Store for Business and Education
@@ -23,6 +23,9 @@ ms.date: 03/16/2021
 - Windows 10
 - Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 > [!IMPORTANT]
 > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
 
@@ -36,11 +39,11 @@ This table lists the global user accounts and the permissions they have in Micro
 
 |                                |  Global Administrator | Billing Administrator |
 | ------------------------------ | --------------------- | --------------------- |
-| Sign up for Microsoft Store for Business and Education |  X       | X             |
-| Modify company profile settings | X                    | X                     |
-| Purchase apps                  |  X                    | X                     |
-| Distribute apps                |  X                    | X                     |
-| Purchase subscription-based software  |  X             | X                     |
+| **Sign up for Microsoft Store for Business and Education** |  X       | X             |
+| **Modify company profile settings** | X                    | X                     |
+| **Purchase apps**                  |  X                    | X                     |
+| **Distribute apps**                |  X                    | X                     |
+| **Purchase subscription-based software**  |  X             | X                     |
 
 - **Global Administrator** and **Billing Administrator** - IT Pros with these accounts have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store.
 
@@ -52,12 +55,12 @@ This table lists the roles and their permissions.
 
 |                                |  Admin | Purchaser | Device Guard signer |
 | ------------------------------ | ------ | --------  | ------------------- |
-| Assign roles                   | X      |           |                     |
-| Manage Microsoft Store for Business and Education settings |  X |           |                     |
-| Acquire apps                   | X      | X         |                     |
-| Distribute apps                | X      | X         |                     |
-| Sign policies and catalogs     | X      |           |                     |
-| Sign Device Guard changes      | X      |           |  X                   |
+| **Assign roles**                   | X      |           |                     |
+| **Manage Microsoft Store for Business and Education settings** |  X |           |                     |
+| **Acquire apps**                   | X      | X         |                     |
+| **Distribute apps**                | X      | X         |                     |
+| **Sign policies and catalogs**     | X      |           |                     |
+| **Sign Device Guard changes**      | X      |           |  X                   |
 
 These permissions allow people to:
 

store-for-business/settings-reference-microsoft-store-for-business.md

@@ -12,11 +12,15 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 03/01/2019
+ms.date: 07/21/2021
 ---
 
 # Settings reference: Microsoft Store for Business and Education
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
+
 The Microsoft Store for Business and Education has a group of settings that admins use to manage the store.
 
 | Setting              | Description  | Location under **Manage** |

store-for-business/sign-code-integrity-policy-with-device-guard-signing.md

@@ -12,11 +12,15 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 10/17/2017
+ms.date: 07/21/2021
 ---
 
 # Sign code integrity policy with Device Guard signing
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
+
 > [!IMPORTANT]
 > We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021.
 >

store-for-business/sign-up-microsoft-store-for-business-overview.md

@@ -12,7 +12,7 @@ author: cmcatee-MSFT
 manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 03/10/2021
+ms.date: 07/21/2021
 ---
 
 # Sign up and get started
@@ -22,6 +22,9 @@ ms.date: 03/10/2021
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 IT admins can sign up for Microsoft Store for Business and Education, and get started working with apps.
 
 > [!IMPORTANT]
@@ -32,6 +35,6 @@ IT admins can sign up for Microsoft Store for Business and Education, and get st
 | Topic | Description |
 | ----- | ----------- |
 | [Microsoft Store for Business and Education overview](./microsoft-store-for-business-overview.md) | Learn about Microsoft Store for Business. |
-| [Prerequisites for Microsoft Store for Business and Education](./prerequisites-microsoft-store-for-business.md) | There are a few prerequisites for using Microsoft Store for Business and Education.](https://docs.microsoft.com/microsoft-store/prerequisites-microsoft-store-for-business) |
+| [Prerequisites for Microsoft Store for Business and Education](./prerequisites-microsoft-store-for-business.md) | There are a few prerequisites for using Microsoft Store for Business and Education.](microsoft-store/prerequisites-microsoft-store-for-business) |
 | [Roles and permissions in Microsoft Store for Business and Education](./roles-and-permissions-microsoft-store-for-business.md)| The first person to sign in to Microsoft Store for Business and Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. |
 | [Settings reference: Microsoft Store for Business and Education](./settings-reference-microsoft-store-for-business.md) | Microsoft Store for Business and Education has a group of settings that admins use to manage the store. |

store-for-business/troubleshoot-microsoft-store-for-business.md

@@ -12,7 +12,7 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 10/13/2017
+ms.date: 07/21/2021
 ---
 
 # Troubleshoot Microsoft Store for Business
@@ -22,6 +22,9 @@ ms.date: 10/13/2017
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 Troubleshooting topics for Microsoft Store for Business.
 
 ## Can't find apps in private store

store-for-business/update-microsoft-store-for-business-account-settings.md

@@ -10,12 +10,16 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 03/18/2019
+ms.date: 07/21/2021
 ms.reviewer: 
 manager: dansimp
 ---
 
 # Update Billing account settings
+
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 A billing account contains defining information about your organization. 
 
 >[!NOTE]

store-for-business/whats-new-microsoft-store-business-education.md

@@ -8,22 +8,31 @@ ms.pagetype: store
 author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
-ms.date: 10/31/2018
+ms.date: 07/21/2021
 ms.reviewer: 
 manager: dansimp
 ---
 
 # What's new in Microsoft Store for Business and Education
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 Microsoft Store for Business and Education regularly releases new and improved features.  
 
 ## Latest updates for Store for Business and Education
 
 **October 2018**
 
-|  |  |
-|-----------------------|---------------------------------|
-| ![Security groups](images/security-groups-icon.png) |**Use security groups with Private store apps**<br /><br /> On the details page for apps in your private store, you can set **Private store availability**. This allows you to choose which security groups can see an app in the private store. <br /><br />[Get more info](./app-inventory-management-microsoft-store-for-business.md#private-store-availability)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
+:::row:::
+   :::column span="1":::
+   ![Security groups](images/security-groups-icon.png)
+   :::column-end:::
+   :::column span="1":::
+   **Use security groups with Private store apps**<br /><br /> On the details page for apps in your private store, you can set **Private store availability**. This allows you to choose which security groups can see an app in the private store. <br /><br />[Get more info](./app-inventory-management-microsoft-store-for-business.md#private-store-availability)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education
+   :::column-end:::
+:::row-end:::
+
 
 <!---
 We’ve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new features!

store-for-business/working-with-line-of-business-apps.md

@@ -12,7 +12,7 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 3/19/2018
+ms.date: 07/21/2021
 ---
 
 # Working with line-of-business apps
@@ -22,6 +22,9 @@ ms.date: 3/19/2018
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+
 Your company or school can make line-of-business (LOB) applications available through Microsoft Store for Business or Microsoft Store for Education. These apps are custom to your school or organization – they might be internal apps, or apps specific to your school, business, or industry.
 
 Developers within your organization, or ISVs that you invite, can become LOB publishers and submit apps to Microsoft Store for your company or school. Once an LOB publisher submits an app for your company, the app is only available to your company. LOB publishers submit apps through the Windows Dev Center using the same process as all apps that are in Microsoft Store, and then can be managed or deployed using the same process as any other app that has been acquired through Microsoft Store.

windows/client-management/manage-device-installation-with-group-policy.md

@@ -0,0 +1,684 @@
+---
+title: Manage Device Installation with Group Policy (Windows 10)
+description: Find out how to manage Device Installation Restrictions with Group Policy.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: barakm
+ms.date: 07/05/2021
+ms.reviewer: 
+manager: barakm
+ms.author: barakm
+ms.topic: article
+---
+
+# Manage Device Installation with Group Policy
+
+
+**Applies to**
+
+- Windows 10, Windows Server 2022
+
+
+## Summary
+By using Windows 10 operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy.
+
+## Introduction
+
+### General
+This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and cannot install. This guide applies to all Windows 10 versions starting with RS5 (1809). The guide includes the following scenarios:
+
+- Prevent users from installing devices that are on a "prohibited" list. If a device is not on the list, then the user can install it.
+- Allow users to install only devices that are on an "approved" list. If a device is not on the list, then the user cannot install it.
+
+This guide describes the device installation process and introduces the device identification strings that Windows uses to match a device with the device-driver packages available on a machine. The guide also illustrates two methods of controlling device installation. Each scenario shows, step by step, one method you can use to allow or prevent the installation of a specific device or a class of devices.
+
+The example device used in the scenarios is a USB storage device. You can perform the steps in this guide using a different device. However, if you use a different device, then the instructions in the guide will not exactly match the user interface that appears on the computer.
+
+It is important to understand that the Group Policies that are presented in this guide are only apply to machines/machine-groups, not to users/user-groups.
+
+> [!IMPORTANT]
+> The steps provided in this guide are intended for use in a test lab environment. This step-by-step guide is not meant to be used to deploy Windows Server features without accompanying documentation and should be used with discretion as a stand-alone document.
+
+### Who Should Use This Guide?
+
+This guide is targeted at the following audiences:
+
+- Information technology planners and analysts who are evaluating Windows 10 and Windows Server 2022
+- Enterprise information technology planners and designers
+- Security architects who are responsible for implementing trustworthy computing in their organization
+- Administrators who want to become familiar with the technology
+
+### Benefits of Controlling Device Installation Using Group Policy
+
+Restricting the devices that users can install reduces the risk of data theft and reduces the cost of support.
+
+#### Reduce the risk of data theft
+
+It is more difficult for users to make unauthorized copies of company data if users' computers cannot install unapproved devices that support removable media. For example, if users cannot install a USB thumb-drive device, they cannot download copies of company data onto a removable storage. This benefit cannot eliminate data theft, but it creates another barrier to unauthorized removal of data.
+
+#### Reduce support costs
+
+You can ensure that users install only those devices that your technical support team is trained and equipped to support. This benefit reduces support costs and user confusion.
+
+
+## Scenario Overview
+
+The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy.. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site.
+
+Group Policy guides:
+
+- [Create a Group Policy Object (Windows 10) - Windows security](/windows/security/threat-protection/windows-firewall/create-a-group-policy-object)
+- [Advanced Group Policy Management - Microsoft Desktop Optimization Pack](/microsoft-desktop-optimization-pack/agpm)
+
+### Scenario #1: Prevent installation of all printers
+
+In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the ‘prevent/allow’ functionality of Device Installation policies in Group Policy.
+
+### Scenario #2: Prevent installation of a specific printer
+
+In this scenario, the administrator allows standard users to install all printers while but preventing them from installing a specific one.
+
+### Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed
+
+In this scenario, you will combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This is a more realistic scenario and brings you a step farther in understanding of the Device Installation Restrictions policies.
+
+### Scenario #4: Prevent installation of a specific USB device
+
+This scenario, although similar to scenario #2, brings another layer of complexity – how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree.
+
+### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive
+
+In this scenario, combining all previous 4 scenarios, you will learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the ‘prevent’ functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first 4 scenarios and therefore it is preferred to go over them first before attempting this scenario.
+
+
+## Technology Review
+
+The following sections provide a brief overview of the core technologies discussed in this guide and give background information that is necessary to understand the scenarios.
+
+### Device Installation in Windows
+
+A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition - it is a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type.
+
+When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those included with the driver packages.
+
+Windows uses four types of identifiers to control device installation and configuration. You can use the Group Policy settings in Windows 10 to specify which of these identifiers to allow or block.
+
+The four types of identifiers are:
+
+- Device Instance ID
+- Device ID
+- Device setup classes
+- ‘Removable Devices’ device type
+
+#### Device Instance ID
+
+A device instance ID is a system-supplied device identification string that uniquely identifies a device in the system. The Plug and Play (PnP) manager assigns a device instance ID to each device node (devnode) in a system's device tree.
+
+#### Device ID
+
+Windows can use each string to match a device to a driver package. The strings range from the specific, matching a single make and model of a device, to the general, possibly applying to an entire class of devices. There are two types of device identification strings: hardware IDs and compatible IDs.
+
+##### Hardware IDs
+
+Hardware IDs are the identifiers that provide the exact match between a device and a driver package. The first string in the list of hardware IDs is referred to as the device ID, because it matches the exact make, model, and revision of the device. The other hardware IDs in the list match the details of the device less exactly. For example, a hardware ID might identify the make and model of the device but not the specific revision. This scheme allows Windows to use a driver for a different revision of the device if the driver for the correct revision is not available.
+
+##### Compatible IDs
+
+Windows uses these identifiers to select a driver if the operating system cannot find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they are very generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device.
+
+When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see How Setup Selects Drivers in the Microsoft Docs library.
+
+> [!NOTE]
+> For more information about the driver installation process, see the "Technology review" section of the Step-by-Step Guide to Driver Signing and Staging.
+
+Some physical devices create one or more logical devices when they are installed. Each logical device might handle part of the functionality of the physical device. For example, a multi-function device, such as an all-in-one scanner/fax/printer, might have a different device identification string for each function.
+
+When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you did not allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see Device Identification Strings in Microsoft Docs.
+
+#### Device setup classes
+
+Device setup classes (also known as _Class_) are another type of identification string. The manufacturer assigns the Class to a device in the driver package. The Class groups devices that are installed and configured in the same way. For example, all Biometric devices are belong to the Biometric Class (ClassGuid = {53D29EF7-377C-4D14-864B-EB3A85769359}), and they use the same co-installer when installed. A long number called a globally unique identifier (GUID) represents each device setup class. When Windows starts, it builds an in-memory tree structure with the GUIDs for all of the detected devices. Along with the GUID for the Class of the device itself, Windows may need to insert into the tree the GUID for the Class of the bus to which the device is attached.
+
+When you use device Classes to allow or prevent users from installing drivers, you must specify the GUIDs for all of the device's device setup classes, or you might not achieve the results you want. The installation might fail (if you want it to succeed) or it might succeed (if you want it to fail).
+
+For example, a multi-function device, such as an all-in-one scanner/fax/printer, has a GUID for a generic multi-function device, a GUID for the printer function, a GUID for the scanner function, and so on. The GUIDs for the individual functions are "child nodes" under the multi-function device GUID. To install a child node, Windows must also be able to install the parent node. You must allow installation of the device setup class of the parent GUID for the multi-function device in addition to any child GUIDs for the printer and scanner functions.
+
+For more information, see [Device Setup Classes](/windows-hardware/drivers/install/overview-of-device-setup-classes) in Microsoft Docs.
+
+This guide does not depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices.
+
+The following two links provide the complete list of Device Setup Classes. ‘System Use’ classes are mostly refer to devices that come with a computer/machine from the factory, while ‘Vendor’ classes are mostly refer to devices that could be connected to an existing computer/machine:
+
+- [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
+- [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)
+
+#### ‘Removable Device’ Device type
+
+Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it is connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected. 
+
+
+### Group Policy Settings for Device Installation
+
+Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences.
+
+Device Installation section in Group Policy is a set of policies that control which device could or could not be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more details, see Group Policy Object Editor Technical Reference.
+
+The following passages are brief descriptions of the Device Installation policies that are used in this guide.
+
+> [!NOTE]
+> Device Installation control is applied only to machines (‘computer configuration’) and not users (‘user configuration’) by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You cannot apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section.
+
+#### Allow administrators to override Device Installation Restriction policies
+
+This policy setting allows members of the local Administrators group to install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, administrators can use the Add Hardware Wizard or the Update Driver Wizard to install and update the drivers for any device. If you disable or do not configure this policy setting, administrators are subject to all policy settings that restrict device installation.
+
+#### Allow installation of devices that match any of these device IDs
+
+This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and does not take precedence over any policy setting that would prevent users from installing a device. If you enable this policy setting, users can install and update any device with a hardware ID or compatible ID that matches an ID in this list if that installation has not been specifically prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users cannot install it even if the device is also described by a value in this policy setting. If you disable or do not configure this policy setting and no other policy describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device.
+
+#### Allow installation of devices that match any of these device instance IDs
+
+This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+
+#### Allow installation of devices using drivers that match these device setup classes
+
+This policy setting specifies a list of device setup class GUIDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and does not take precedence over any policy setting that would prevent users from installing a device. If you enable this setting, users can install and update any device with a hardware ID or compatible ID that matches one of the IDs in this list if that installation has not been specifically prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users cannot install it even if the device is also described by a value in this policy setting. If you disable or do not configure this policy setting and no other policy setting describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device.
+
+#### Prevent installation of devices that match these device IDs
+
+This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs for devices that users cannot install. If you enable this policy setting, users cannot install or update the driver for a device if its hardware ID or compatible ID matches one in this list. If you disable or do not configure this policy setting, users can install devices and update their drivers, as permitted by other policy settings for device installation.
+Note: This policy setting takes precedence over any other policy settings that allow users to install a device. This policy setting prevents users from installing a device even if it matches another policy setting that would allow installation of that device.
+
+#### Prevent installation of devices that match any of these device instance IDs
+
+This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+
+#### Prevent installation of devices using drivers that match these device setup classes
+
+This policy setting specifies a list of Plug and Play device setup class GUIDs for devices that users cannot install. If you enable this policy setting, users cannot install or update devices that belong to any of the listed device setup classes. If you disable or do not configure this policy setting, users can install and update devices as permitted by other policy settings for device installation.
+Note: This policy setting takes precedence over any other policy settings that allow users to install a device. This policy setting prevents users from installing a device from being installed even if it matches another policy setting that would allow installation of that device.
+
+### Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria
+
+This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows:
+
+> **Device instance IDs** > **Device IDs** > **Device setup class** > **Removable devices**
+
+> [!NOTE]
+> This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored.
+>
+> If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.
+
+Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below.
+ 			
+![Device Installation policies flow chart](images/device-installation-flowchart.png)<br/>_Device Installation policies flow chart_
+
+
+
+
+## Requirements for completing the scenarios
+
+### General
+
+To complete each of the scenarios, please ensure your have:
+
+- A client computer running Windows 10.
+
+- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives do not require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build.
+
+- A USB/network printer pre-installed on the machine.
+
+- Access to the administrator account on the testing machine. The procedures in this guide require administrator privileges for most steps.
+
+### Understanding implications of applying ‘Prevent’ policies retroactive
+
+All ‘Prevent’ policies have an option to apply the block functionality to already installed devices—devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator is not sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices.
+
+For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the “apply this policy to already installed devices” option. Marking this option will prevent access to already installed devices in addition to any future ones.
+
+This is a powerful tool, but as such it has to be used carefully.
+
+> [!IMPORTANT]
+> Applying the ‘Prevent retroactive’ option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all ‘Disk Drives’ could block the access to the disk on which the OS boots with; Preventing retroactive all ‘Net’ could block this machine from accessing network and to fix the issue the admin will have to have a direct connection.
+
+## Determine device identification strings
+
+By following these steps, you can determine the device identification strings for your device. If the hardware IDs and compatible IDs for your device do not match those shown in this guide, use the IDs that are appropriate to your device (this applies to Instance IDs and Classes, but we are not going to give an example for them in this guide).
+
+You can determine the hardware IDs and compatible IDs for your device in two ways. You can use Device Manager, a graphical tool included with the operating system, or PnPUtil, a command-line tool available for all Windows versions. Use the following procedure to view the device identification strings for your device.
+
+> [!NOTE]
+> These procedures are specific to a Canon printer. If you are using a different type of device, you must adjust the steps accordingly. The significant difference will be the location of the device in the Device Manager hierarchy. Instead of being located in the Printers node, you must locate your device in the appropriate node.
+
+To find device identification strings using Device Manager
+
+1. Make sure your printer is plugged in and installed.
+
+2. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application.
+
+3. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped.
+
+4. Find the “Printers” section and find the target printer
+ 
+    ![Selecting the printer in Device Manager](images/device-installation-dm-printer-by-device.png)<br/>_Selecting the printer in Device Manager_
+
+5. Double-click the printer and move to the ‘Details’ tab.
+
+    ![‘Details’ tab](images/device-installation-dm-printer-details-screen.png)<br/>_Open the ‘Details’ tab to look for the device identifiers_
+
+6. From the ‘Value’ window, copy the most detailed Hardware ID – we will use this in the policies.
+
+    ![HWID](images/device-installation-dm-printer-hardware-ids.png)
+
+    ![Compatible ID](images/device-installation-dm-printer-compatible-ids.png)<br/>_HWID and Compatible ID_
+
+    > [!TIP]
+    > You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil) in Microsoft Docs.
+
+### Getting device identifiers using PnPUtil
+
+```console
+pnputil /enum-devices /deviceids
+```
+
+Here is an example of an output for a single device on a machine:
+
+```console
+<snip>
+Instance ID:                PCI\VEN_8086&DEV_2F34&SUBSYS_2F348086&REV_02\3&103a9d54&0&81
+Device Description:         Intel(R) Xeon(R) E7 v3/Xeon(R) E5 v3/Core i7 PCIe Ring Interface - 2F34
+Class Name:                 System
+Class GUID:                 {4d36e97d-e325-11ce-bfc1-08002be10318}
+Manufacturer Name:          INTEL
+Status:                     Stopped
+Driver Name:                oem6.inf
+Hardware IDs:               PCI\VEN_8086&DEV_2F34&SUBSYS_2F348086&REV_02
+                            PCI\VEN_8086&DEV_2F34&SUBSYS_2F348086
+                            PCI\VEN_8086&DEV_2F34&CC_110100
+                            PCI\VEN_8086&DEV_2F34&CC_1101
+Compatible IDs:             PCI\VEN_8086&DEV_2F34&REV_02
+                            PCI\VEN_8086&DEV_2F34
+                            PCI\VEN_8086&CC_110100
+                            PCI\VEN_8086&CC_1101
+                            PCI\VEN_8086
+                            PCI\CC_110100
+                            PCI\CC_1101
+<snip>
+```
+
+## Scenario #1: Prevent installation of all printers
+
+In this simple scenario, you will learn how to prevent the installation of an entire Class of devices.
+
+### Setting up the environment
+
+Setting up the environment for the scenario with the following steps:
+
+1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
+
+2. Disable all previous Device Installation policies, except ‘Apply layered order of evaluation’—although the policy is disabled in default, this policy is recommended to be enabled in most practical applications. 
+
+3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters
+
+4. Have a USB/network printer available to test the policy with
+
+### Scenario steps – preventing installation of prohibited devices
+
+Getting the right device identifier to prevent it from being installed:
+
+1. If you have on your system a device from the class you want to block, you could follow the steps in the previous section to find the Device Class identifier through Device Manager or PnPUtil (Class GUID).
+
+2. If you don’t have such device installed on your system or know the name of the class, you can check the following two links:
+
+    - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
+    - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)
+
+3. Our current scenario is focused on preventing all printers from being installed, as such here is the Class GUID for most of printers in the market: 
+
+    > Printers\
+    > Class = Printer\
+    > ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}\
+    > This class includes printers.
+
+> [!NOTE]
+> As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they are not blocking any other existing device that is crucial to your system.
+
+Creating the policy to prevent all printers from being installed:
+
+1. Open Group Policy Object Editor—either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+
+2. Navigate to the Device Installation Restriction page: 
+
+    > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
+
+3. Make sure all policies are disabled (recommended to keep ‘applied layered order of evaluation’ policy enabled).
+
+4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button.
+
+5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the class identifier to block.
+
+6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}
+
+    ![List of prevent Class GUIDs](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
+
+7. Click ‘OK’.
+
+8. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs.
+
+9. Optional – if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’
+
+> [!IMPORTANT]
+> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using ‘Disk Drive’ class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine.
+
+### Testing the scenario
+
+1. If you have not completed step #9 – follow these steps:
+
+    - Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
+    - For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app.
+    - You should not be able to reinstall the printer.
+
+2. If you completed step #9 above and restarted the machine, simply look for your printer under Device Manager or the Windows Settings app and see that it is no-longer available for you to use.
+
+## Scenario #2: Prevent installation of a specific printer
+
+This scenario builds upon scenario #1, Prevent installation of all printers. In this scenario, you target a specific printer to prevent from being installed on the machine.
+
+### Setting up the environment
+
+Setting up the environment for the scenario with the following steps:
+
+1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
+
+2. Make sure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this is optional to be On/Off this scenario). Although the policy is disabled in default, it is recommended to be enabled in most practical applications. For scenario #2 it is optional.
+
+### Scenario steps – preventing installation of a specific device
+
+Getting the right device identifier to prevent it from being installed:
+
+1. Get your printer’s Hardware ID – in this example we will use the identifier we found previously
+
+    ![Printer Hardware ID identifier](images/device-installation-dm-printer-hardware-ids.png)<br/>_Printer Hardware ID_
+
+2. Write down the device ID (in this case Hardware ID) – WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers
+
+Creating the policy to prevent a single printer from being installed:
+
+1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+
+2. Navigate to the Device Installation Restriction page: 
+
+    > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
+
+3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
+
+4. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the device identifier to block.
+
+5. Enter the printer device ID you found above – WSDPRINT\CanonMX920_seriesC1A0
+
+    ![Prevent Device ID list](images/device-installation-gpo-prevent-device-id-list-printer.png)<br/>_Prevent Device ID list_
+
+6. Click ‘OK’.
+
+7. Click ‘Apply’ on the bottom right of the policy’s window. This pushes the policy and blocks the target printer in future installations, but doesn’t apply to an existing install.
+
+8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’.
+
+###	Testing the scenario
+
+If you completed step #8 above and restarted the machine, simply look for your printer under Device Manager or the Windows Settings app and see that it is no-longer available for you to use.
+
+If you have not completed step #8, follow these steps:
+
+1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
+
+2. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app.
+
+3. You should not be able to reinstall the printer.
+
+
+## Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed
+
+Now, using the knowledge from both previous scenarios, you will learn how to prevent the installation of an entire Class of devices while allowing a single printer to be installed.
+
+### Setting up the environment
+
+Setting up the environment for the scenario with the following steps:
+
+1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
+
+2. Disable all previous Device Installation policies, and enable ‘Apply layered order of evaluation’.
+
+3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters.
+
+4. Have a USB/network printer available to test the policy with.
+
+### Scenario steps – preventing installation of an entire class while allowing a specific printer
+
+Getting the device identifier for both the Printer Class and a specific printer – following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario:
+
+- ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}
+- Hardware ID = WSDPRINT\CanonMX920_seriesC1A0
+
+First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one:
+
+1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+
+2. Navigate to the Device Installation Restriction page: 
+
+    > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
+
+3. Make sure all policies are disabled
+
+4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button.
+
+5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the class identifier to block.
+
+6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}
+
+    ![List of prevent Class GUIDs](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
+
+7. Click ‘OK’.
+
+8. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs.
+
+9. To complete the coverage of all future and existing printers – Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’
+
+10. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device.
+
+    ![Image of Local Group Policy Editor that shows the policies under "Device Installation Restrictions" and the policy named in this step.](images/device-installation-apply-layered_policy-1.png)
+
+    ![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria."](images/device-installation-apply-layered-policy-2.png)<br/>_Apply layered order of evaluation policy_
+
+9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
+
+10. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the device identifier to allow.
+
+11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0.
+
+    ![Allow Printer Hardware ID](images/device-installation-gpo-allow-device-id-list-printer.png)<br/>_Allow Printer Hardware ID_
+
+12. Click ‘OK’.
+
+13. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and allows the target printer to be installed (or stayed installed).
+
+## Testing the scenario
+
+1. Simply look for your printer under Device Manager or the Windows Settings app and see that it is still there and accessible. Or just print a test document.
+
+2. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer – you should not be bale to print anything or able to access the printer at all.
+
+
+## Scenario #4: Prevent installation of a specific USB device
+
+The scenario builds upon the knowledge from scenario #2, Prevent installation of a specific printer. In this scenario, you will gain an understanding of how some devices are built into the PnP (Plug and Play) device tree.
+
+### Setting up the environment
+
+Setting up the environment for the scenario with the following steps:
+
+1. Open Group Policy Editor and navigate to the Device Installation Restriction section
+
+2. Make sure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this is optional to be On/Off this scenario) – although the policy is disabled in default, it is recommended to be enabled in most practical applications.
+
+### Scenario steps – preventing installation of a specific device
+
+Getting the right device identifier to prevent it from being installed and its location in the PnP tree:
+
+1. Connect a USB thumb drive to the machine
+
+2. Open Device Manager
+
+3. Find the USB thumb-drive and select it.
+ 
+    ![Selecting the usb thumb-drive in Device Manager](images/device-installation-dm-usb-by-device.png)<br/>_Selecting the usb thumb-drive in Device Manager_
+
+4. Change View (in the top menu) to ‘Devices by connections’. This view represents the way devices are installed in the PnP tree.
+
+    ![Changing view in Device Manager to see the PnP connection tree](images/device-installation-dm-usb-by-connection.png)<br/>_Changing view in Device Manager to see the PnP connection tree_
+
+    > [!NOTE]
+    > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a “Generic USB Hub” from being installed, all the devices that lay below a “Generic USB Hub” will be blocked.
+ 
+    ![Blocking nested devices from the root](images/device-installation-dm-usb-by-connection-blocked.png)<br/>_When blocking one device, all the devices that are nested below it will be blocked as well_
+
+5. Double-click the USB thumb-drive and move to the ‘Details’ tab.
+
+6. From the ‘Value’ window, copy the most detailed Hardware ID—we will use this in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
+ 
+    ![USB device hardware IDs](images/device-installation-dm-usb-hwid.png)<br/>_USB device hardware IDs_
+
+Creating the policy to prevent a single USB thumb-drive from being installed:
+
+1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+
+2. Navigate to the Device Installation Restriction page: 
+
+    > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
+
+3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
+
+4. In the lower left side, in the ‘Options’ window, click the ‘Show’ box. This will take you to a table where you can enter the device identifier to block.
+
+5. Enter the USB thumb-drive device ID you found above – USBSTOR\DiskGeneric_Flash_Disk______8.07
+ 
+    ![Prevent Device IDs list](images/device-installation-gpo-prevent-device-id-list-usb.png)<br/>_Prevent Device IDs list_
+
+6. Click ‘OK’.
+
+7. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and blocks the target USB thumb-drive in future installations, but doesn’t apply to an existing install.
+
+8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window, mark the checkbox that says ‘also apply to matching devices that are already installed’
+
+
+### Testing the scenario
+
+1. If you have not completed step #8 – follow these steps:
+
+    - Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click “Uninstall device”.
+    - You should not be able to reinstall the device.
+
+2. If you completed step #8 above and restarted the machine, simply look for your Disk drives under Device Manager and see that it is no-longer available for you to use.
+
+
+## Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive
+
+Now, using the knowledge from all the previous 4 scenarios, you will learn how to prevent the installation of an entire Class of devices while allowing a single authorized USB thumb-drive to be installed.
+
+### Setting up the environment
+
+Setting up the environment for the scenario with the following steps:
+
+1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
+
+2. Disable all previous Device Installation policies, and **enable** ‘Apply layered order of evaluation’.
+
+3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters.
+
+4. Have a USB thumb-drive available to test the policy with.
+
+### Scenario steps – preventing installation of all USB devices while allowing only an authorized USB thumb-drive
+
+Getting the device identifier for both the USB Classes and a specific USB thumb-drive – following the steps in scenario #1 to find Class identifier and scenario #4 to find Device identifier you could get the identifiers you need for this scenario:
+
+- USB Bus Devices (hubs and host controllers)
+  - Class = USB
+  - ClassGuid = {36fc9e60-c465-11cf-8056-444553540000}
+  - This class includes USB host controllers and USB hubs, but not USB peripherals. Drivers for this class are system-supplied.
+
+- USB Device
+  - Class = USBDevice
+  - ClassGuid = {88BAE032-5A81-49f0-BC3D-A4FF138216D6}
+  - USBDevice includes all USB devices that do not belong to another class. This class is not used for USB host controllers and hubs.
+
+- Hardware ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
+
+As mentioned in scenario #4, it is not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one are not blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well:
+
+- “Intel(R) USB 3.0 eXtensible Host Controller – 1.0 (Microsoft)” -> PCI\CC_0C03
+- “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30
+- “Generic USB Hub” -> USB\USB20_HUB
+ 
+![USB devices nested in the PnP tree](images/device-installation-dm-usb-by-connection-layering.png)<br/>_USB devices nested under each other in the PnP tree_
+
+These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them should not enable any external/peripheral device from being installed on the machine.
+
+> [!IMPORTANT]
+> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it is important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. See below for the list:
+> 
+> 	PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/
+> USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/
+> USB\USB20_HUB (for Generic USB Hubs)/
+> 
+> Specifically for desktop machines, it is very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices. 
+>
+> Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it is done.
+
+First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one:
+
+1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+
+2. Navigate to the Device Installation Restriction page: 
+
+    > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
+
+3. Make sure all policies are disabled
+
+4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button.
+
+5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the class identifier to block.
+
+6. Enter both USB classes GUID you found above with the curly braces:
+
+    > {36fc9e60-c465-11cf-8056-444553540000}/
+    > {88BAE032-5A81-49f0-BC3D-A4FF138216D6} 
+
+7. Click ‘OK’.
+
+8. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and blocks all future USB device installations, but doesn’t apply to existing installs.
+
+    > [!IMPORTANT]
+    > The previous step prevents all future USB devices from being installed. Before you move to the next step make sure you have as complete list as possible of all the USB Host Controllers, USB Root Hubs and Generic USB Hubs Device IDs available to prevent blocking you from interacting with your system through keyboards and mice.
+
+9. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device.
+
+    ![Apply layered order of evaluation policy](images/device-installation-apply-layered_policy-1.png)<br/>_Apply layered order of evaluation policy_
+
+10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
+
+11. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the device identifier to allow.
+
+12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation – USBSTOR\DiskGeneric_Flash_Disk______8.07
+
+    ![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs."](images/device-installation-gpo-allow-device-id-list-usb.png)<br/>_Allowed USB Device IDs list_
+
+13. Click ‘OK’.
+
+14. Click ‘Apply’ on the bottom right of the policy’s window.
+
+15. To apply the ‘Prevent’ coverage of all currently installed USB devices – Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’.
+
+### Testing the scenario
+
+You should not be able to install any USB thumb-drive, except the one you authorized for usage

windows/client-management/mdm/configuration-service-provider-reference.md

@@ -1270,10 +1270,10 @@ Additional lists:
 </tr>
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/crossmark.png" alt="check mark" /></td>
-	<td><img src="images/crossmark.png" alt="check mark" /></td>
-	<td><img src="images/crossmark.png" alt="check mark" /></td>
-	<td><img src="images/crossmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 </tr>
 </table>
@@ -2156,7 +2156,7 @@ Additional lists:
 </tr>
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/crossmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>

windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md

@@ -85,11 +85,7 @@ You may contact your domain administrators to verify if the group policy has bee
 
 8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal).
 
-9. Verify that Azure AD allows the logon user to enroll devices.
-
-    ![Azure AD device settings](images/auto-enrollment-azure-ad-device-settings.png)
-
-10. Verify that Microsoft Intune should allow enrollment of Windows devices.
+9. Verify that Microsoft Intune should allow enrollment of Windows devices.
 
     ![Enrollment of Windows devices](images/auto-enrollment-enrollment-of-windows-devices.png)
 

windows/client-management/mdm/federated-authentication-device-enrollment.md

@@ -89,36 +89,37 @@ https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc
 The following example shows the discovery service request.
 
 ```xml
-    <?xml version="1.0"?>
-    <s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
-       xmlns:s="http://www.w3.org/2003/05/soap-envelope">
-      <s:Header>
-        <a:Action s:mustUnderstand="1">
-          http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover
-        </a:Action>
-        <a:MessageID>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID>
-        <a:ReplyTo>
-          <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
-        </a:ReplyTo>
-        <a:To s:mustUnderstand="1">
-          https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc
-        </a:To>
-      </s:Header>
-      <s:Body>
-        <Discover xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment/">
-          <request xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
-            <EmailAddress>user@contoso.com</EmailAddress>
-            <OSEdition>3</OSEdition> <!--New -->
-            <RequestVersion>3.0</RequestVersion> <!-- Updated -->
-            <DeviceType>WindowsPhone</DeviceType> <!--Updated -->
-            <ApplicationVersion>10.0.0.0</ApplicationVersion>
-            <AuthPolicies>
-                <AuthPolicy>OnPremise</AuthPolicy>
-                <AuthPolicy>Federated</AuthPolicy>
-            </AuthPolicies>
-          </request>
-        </Discover>
-      </s:Body>
+<?xml version="1.0"?>
+<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
+   xmlns:s="http://www.w3.org/2003/05/soap-envelope">
+  <s:Header>
+	<a:Action s:mustUnderstand="1">
+	  http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover
+	</a:Action>
+	<a:MessageID>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID>
+	<a:ReplyTo>
+	  <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
+	</a:ReplyTo>
+	<a:To s:mustUnderstand="1">
+	  https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc
+	</a:To>
+  </s:Header>
+  <s:Body>
+	<Discover xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment/">
+	  <request xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
+		<EmailAddress>user@contoso.com</EmailAddress>
+		<OSEdition>3</OSEdition> <!--New -->
+		<RequestVersion>3.0</RequestVersion> <!-- Updated -->
+		<DeviceType>WindowsPhone</DeviceType> <!--Updated -->
+		<ApplicationVersion>10.0.0.0</ApplicationVersion>
+		<AuthPolicies>
+			<AuthPolicy>OnPremise</AuthPolicy>
+			<AuthPolicy>Federated</AuthPolicy>
+		</AuthPolicies>
+	  </request>
+	</Discover>
+  </s:Body>
+</s:Envelope>
 ```
 
 The discovery response is in the XML format and includes the following fields:
@@ -151,7 +152,7 @@ The following are the explicit requirements for the server.
 
 The enrollment client issues an HTTPS request as follows:
 
-```
+```http
 AuthenticationServiceUrl?appru=<appid>&amp;login_hint=<User Principal Name>
 ```
 
@@ -195,37 +196,37 @@ The server has to send a POST to a redirect URL of the form ms-app://string (the
 The following example shows a response received from the discovery web service which requires authentication via WAB.
 
 ```xml
-    <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
-       xmlns:a="http://www.w3.org/2005/08/addressing">
-      <s:Header>
-        <a:Action s:mustUnderstand="1">
-          http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse
-        </a:Action>
-        <ActivityId>
-          d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8
-        </ActivityId>
-        <a:RelatesTo>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:RelatesTo>
-      </s:Header>
-      <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xmlns:xsd="http://www.w3.org/2001/XMLSchema">
-        <DiscoverResponse
-           xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
-          <DiscoverResult>
-            <AuthPolicy>Federated</AuthPolicy>
-            <EnrollmentVersion>3.0</EnrollmentVersion>
-            <EnrollmentPolicyServiceUrl>
-              https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
-            </EnrollmentPolicyServiceUrl>
-            <EnrollmentServiceUrl>
-              https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
-            </EnrollmentServiceUrl>
-            <AuthenticationServiceUrl>
-              https://portal.manage.contoso.com/LoginRedirect.aspx
-            </AuthenticationServiceUrl>
-          </DiscoverResult>
-        </DiscoverResponse>
-      </s:Body>
-    </s:Envelope>
+<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
+   xmlns:a="http://www.w3.org/2005/08/addressing">
+  <s:Header>
+	<a:Action s:mustUnderstand="1">
+	  http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse
+	</a:Action>
+	<ActivityId>
+	  d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8
+	</ActivityId>
+	<a:RelatesTo>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:RelatesTo>
+  </s:Header>
+  <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	 xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+	<DiscoverResponse
+	   xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
+	  <DiscoverResult>
+		<AuthPolicy>Federated</AuthPolicy>
+		<EnrollmentVersion>3.0</EnrollmentVersion>
+		<EnrollmentPolicyServiceUrl>
+		  https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
+		</EnrollmentPolicyServiceUrl>
+		<EnrollmentServiceUrl>
+		  https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
+		</EnrollmentServiceUrl>
+		<AuthenticationServiceUrl>
+		  https://portal.manage.contoso.com/LoginRedirect.aspx
+		</AuthenticationServiceUrl>
+	  </DiscoverResult>
+	</DiscoverResponse>
+  </s:Body>
+</s:Envelope>
 ```
 
 ## Enrollment policy web service
@@ -234,58 +235,60 @@ Policy service is optional. By default, if no policies are specified, the minimu
 
 This web service implements the X.509 Certificate Enrollment Policy Protocol (MS-XCEP) specification that allows customizing certificate enrollment to match different security needs of enterprises at different times (cryptographic agility). The service processes the GetPolicies message from the client, authenticates the client, and returns matching enrollment policies in the GetPoliciesResponse message.
 
-For Federated authentication policy, The security token credential is provided in a request message using the &lt;wsse:BinarySecurityToken&gt; element \[WSS\]. The security token is retrieved as described in the discovery response section. The authentication information is as follows:
+For Federated authentication policy, the security token credential is provided in a request message using the &lt;wsse:BinarySecurityToken&gt; element \[WSS\]. The security token is retrieved as described in the discovery response section. The authentication information is as follows:
 
 -   wsse:Security: The enrollment client implements the &lt;wsse:Security&gt; element defined in \[WSS\] section 5. The &lt;wsse:Security&gt; element must be a child of the &lt;s:Header&gt; element.
 -   wsse:BinarySecurityToken: The enrollment client implements the &lt;wsse:BinarySecurityToken&gt; element defined in \[WSS\] section 6.3. The &lt;wsse:BinarySecurityToken&gt; element must be included as a child of the &lt;wsse:Security&gt; element in the SOAP header.
 
 As was described in the discovery response section, the inclusion of the &lt;wsse:BinarySecurityToken&gt; element is opaque to the enrollment client, and the client does not interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the &lt;AuthenticationServiceUrl&gt; element of &lt;DiscoveryResponse&gt; and the enterprise server.
 
-The &lt;wsse:BinarySecurityToken&gt; element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the &lt;wsse:BinarySecurityToken&gt; element. wsse:BinarySecurityToken/attributes/ValueType: The &lt;wsse:BinarySecurityToken&gt; ValueType attribute must be "http:<span></span>//schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken".
+The &lt;wsse:BinarySecurityToken&gt; element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the &lt;wsse:BinarySecurityToken&gt; element. 
 
-wsse:BinarySecurityToken/attributes/EncodingType: The &lt;wsse:BinarySecurityToken&gt; EncodingType attribute must be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary".
+- wsse:BinarySecurityToken/attributes/ValueType: The `<wsse:BinarySecurityToken>` ValueType attribute must be "http:<span></span>//schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken".
+
+- wsse:BinarySecurityToken/attributes/EncodingType: The `<wsse:BinarySecurityToken>` EncodingType attribute must be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary".
 
 The following is an enrollment policy request example with a received security token as client credential.
 
 ```xml
-    <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
-       xmlns:a="http://www.w3.org/2005/08/addressing"
-       xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
-       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
-       xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
-       xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
-      <s:Header>
-        <a:Action s:mustUnderstand="1">
-          http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies
-        </a:Action>
-        <a:MessageID>urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0</a:MessageID>
-        <a:ReplyTo>
-          <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
-        </a:ReplyTo>
-        <a:To s:mustUnderstand="1">
-          https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
-        </a:To>
-        <wsse:Security s:mustUnderstand="1">
-          <wsse:BinarySecurityToken
-             ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
-             EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
-             xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
-          B64EncodedSampleBinarySecurityToken
-          </wsse:BinarySecurityToken>
-        </wsse:Security>
-      </s:Header>
-      <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xmlns:xsd="http://www.w3.org/2001/XMLSchema">
-        <GetPolicies
-           xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
-          <client>
-            <lastUpdate xsi:nil="true"/>
-            <preferredLanguage xsi:nil="true"/>
-          </client>
-          <requestFilter xsi:nil="true"/>
-        </GetPolicies>
-      </s:Body>
-    </s:Envelope>
+<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
+   xmlns:a="http://www.w3.org/2005/08/addressing"
+   xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
+   xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
+   xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
+  <s:Header>
+	<a:Action s:mustUnderstand="1">
+	  http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies
+	</a:Action>
+	<a:MessageID>urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0</a:MessageID>
+	<a:ReplyTo>
+	  <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
+	</a:ReplyTo>
+	<a:To s:mustUnderstand="1">
+	  https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
+	</a:To>
+	<wsse:Security s:mustUnderstand="1">
+	  <wsse:BinarySecurityToken
+		 ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
+		 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
+		 xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
+	  B64EncodedSampleBinarySecurityToken
+	  </wsse:BinarySecurityToken>
+	</wsse:Security>
+  </s:Header>
+  <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	 xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+	<GetPolicies
+	   xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
+	  <client>
+		<lastUpdate xsi:nil="true"/>
+		<preferredLanguage xsi:nil="true"/>
+	  </client>
+	  <requestFilter xsi:nil="true"/>
+	</GetPolicies>
+  </s:Body>
+</s:Envelope>
 ```
 
 After the user is authenticated, the web service retrieves the certificate template that the user should enroll with and creates enrollment policies based on the certificate template properties. A sample of the response can be found on MSDN.
@@ -298,80 +301,80 @@ MS-XCEP supports very flexible enrollment policies using various Complex Types a
 The following snippet shows the policy web service response.
 
 ```xml
-      <s:Envelope
-         xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
-         xmlns:s="http://www.w3.org/2003/05/soap-envelope"
-         xmlns:a="http://www.w3.org/2005/08/addressing">
-        <s:Header>
-          <a:Action s:mustUnderstand="1">
-            http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse
-          </a:Action>
-          <a:RelatesTo>urn:uuid: 69960163-adad-4a72-82d2-bb0e5cff5598</a:RelatesTo>
-        </s:Header>
-        <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-           xmlns:xsd="http://www.w3.org/2001/XMLSchema">
-          <GetPoliciesResponse
-             xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
-            <response>
-            <policyID />
-              <policyFriendlyName xsi:nil="true"
-                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
-              <nextUpdateHours xsi:nil="true"
-                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
-              <policiesNotChanged xsi:nil="true"
-                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
-              <policies>
-                <policy>
-                  <policyOIDReference>0</policyOIDReference>
-                  <cAs xsi:nil="true" />
-                  <attributes>
-                    <commonName>CEPUnitTest</commonName>
-                    <policySchema>3</policySchema>
-                    <certificateValidity>
-                      <validityPeriodSeconds>1209600</validityPeriodSeconds>
-                      <renewalPeriodSeconds>172800</renewalPeriodSeconds>
-                    </certificateValidity>
-                    <permission>
-                      <enroll>true</enroll>
-                      <autoEnroll>false</autoEnroll>
-                    </permission>
-                    <privateKeyAttributes>
-                      <minimalKeyLength>2048</minimalKeyLength>
-                      <keySpec xsi:nil="true" />
-                      <keyUsageProperty xsi:nil="true" />
-                      <permissions xsi:nil="true" />
-                      <algorithmOIDReference xsi:nil="true" />
-                      <cryptoProviders xsi:nil="true" />
-                    </privateKeyAttributes>
-                    <revision>
-                      <majorRevision>101</majorRevision>
-                      <minorRevision>0</minorRevision>
-                    </revision>
-                    <supersededPolicies xsi:nil="true" />
-                    <privateKeyFlags xsi:nil="true" />
-                    <subjectNameFlags xsi:nil="true" />
-                    <enrollmentFlags xsi:nil="true" />
-                    <generalFlags xsi:nil="true" />
-                    <hashAlgorithmOIDReference>0</hashAlgorithmOIDReference>
-                    <rARequirements xsi:nil="true" />
-                    <keyArchivalAttributes xsi:nil="true" />
-                    <extensions xsi:nil="true" />
-                  </attributes>
-                </policy>
-              </policies>
-            </response>
+<s:Envelope
+   xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+   xmlns:s="http://www.w3.org/2003/05/soap-envelope"
+   xmlns:a="http://www.w3.org/2005/08/addressing">
+  <s:Header>
+    <a:Action s:mustUnderstand="1">
+      http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse
+    </a:Action>
+    <a:RelatesTo>urn:uuid: 69960163-adad-4a72-82d2-bb0e5cff5598</a:RelatesTo>
+  </s:Header>
+  <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+     xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+    <GetPoliciesResponse
+       xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
+      <response>
+      <policyID />
+        <policyFriendlyName xsi:nil="true"
+           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
+        <nextUpdateHours xsi:nil="true"
+           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
+        <policiesNotChanged xsi:nil="true"
+           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
+        <policies>
+          <policy>
+            <policyOIDReference>0</policyOIDReference>
             <cAs xsi:nil="true" />
-            <oIDs>
-              <oID>
-                <value>1.3.14.3.2.29</value>
-                <group>1</group>
-                <oIDReferenceID>0</oIDReferenceID>
-                <defaultName>szOID_OIWSEC_sha1RSASign</defaultName>
-              </oID>
-            </oIDs>
-          </GetPoliciesResponse>
-        </s:Body>
-      </s:Envelope>
+            <attributes>
+              <commonName>CEPUnitTest</commonName>
+              <policySchema>3</policySchema>
+              <certificateValidity>
+                <validityPeriodSeconds>1209600</validityPeriodSeconds>
+                <renewalPeriodSeconds>172800</renewalPeriodSeconds>
+              </certificateValidity>
+              <permission>
+                <enroll>true</enroll>
+                <autoEnroll>false</autoEnroll>
+              </permission>
+              <privateKeyAttributes>
+                <minimalKeyLength>2048</minimalKeyLength>
+                <keySpec xsi:nil="true" />
+                <keyUsageProperty xsi:nil="true" />
+                <permissions xsi:nil="true" />
+                <algorithmOIDReference xsi:nil="true" />
+                <cryptoProviders xsi:nil="true" />
+              </privateKeyAttributes>
+              <revision>
+                <majorRevision>101</majorRevision>
+                <minorRevision>0</minorRevision>
+              </revision>
+              <supersededPolicies xsi:nil="true" />
+              <privateKeyFlags xsi:nil="true" />
+              <subjectNameFlags xsi:nil="true" />
+              <enrollmentFlags xsi:nil="true" />
+              <generalFlags xsi:nil="true" />
+              <hashAlgorithmOIDReference>0</hashAlgorithmOIDReference>
+              <rARequirements xsi:nil="true" />
+              <keyArchivalAttributes xsi:nil="true" />
+              <extensions xsi:nil="true" />
+            </attributes>
+          </policy>
+        </policies>
+      </response>
+      <cAs xsi:nil="true" />
+      <oIDs>
+        <oID>
+          <value>1.3.14.3.2.29</value>
+          <group>1</group>
+          <oIDReferenceID>0</oIDReferenceID>
+          <defaultName>szOID_OIWSEC_sha1RSASign</defaultName>
+        </oID>
+      </oIDs>
+    </GetPoliciesResponse>
+  </s:Body>
+</s:Envelope>
 ```
 
 ## Enrollment web service
@@ -380,7 +383,7 @@ This web service implements the MS-WSTEP protocol. It processes the RequestSecur
 
 The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on match the certificate template), the client can enroll successfully.
 
-Note that the RequestSecurityToken will use a custom TokenType (http:<span></span>//schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section.
+Note that the RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken`), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section.
 
 The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration.
 
@@ -390,83 +393,84 @@ The RST may also specify a number of AdditionalContext items, such as DeviceType
 The following example shows the enrollment web service request for federated authentication.
 
 ```xml
-    <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
-       xmlns:a="http://www.w3.org/2005/08/addressing"
-       xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
-       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
-       xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
-       xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
-      <s:Header>
-        <a:Action s:mustUnderstand="1">
-          http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep
-        </a:Action>
-        <a:MessageID>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:MessageID>
-        <a:ReplyTo>
-          <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
-        </a:ReplyTo>
-        <a:To s:mustUnderstand="1">
-          https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
-        </a:To>
-        <wsse:Security s:mustUnderstand="1">
-          <wsse:BinarySecurityToken
-             wsse:ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
-             wsse:EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">
-          B64EncodedSampleBinarySecurityToken
-          </wsse:BinarySecurityToken>
-        </wsse:Security>
-      </s:Header>
-      <s:Body>
-        <wst:RequestSecurityToken>
-          <wst:TokenType>
-            http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
-          </wst:TokenType>
-          <wst:RequestType>
-            http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
-          </wst:RequestType>
-          <wsse:BinarySecurityToken
-             ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"
-             EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">
-            DER format PKCS#10 certificate request in Base64 encoding Insterted Here
-          </wsse:BinarySecurityToken>
-          <ac:AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
-               <ac:ContextItem Name="OSEdition">
-                   <ac:Value> 4</ac:Value>
-                </ac:ContextItem>
-                <ac:ContextItem Name="OSVersion">
-                   <ac:Value>10.0.9999.0</ac:Value>
-                </ac:ContextItem>
-                <ac:ContextItem Name="DeviceName">
-                   <ac:Value>MY_WINDOWS_DEVICE</ac:Value>
-                </ac:ContextItem>
-                <ac:ContextItem Name="MAC">
-                   <ac:Value>FF:FF:FF:FF:FF:FF</ac:Value>
-                </ac:ContextItem>
-                <ac:ContextItem Name="MAC">
-                   <ac:Value>CC:CC:CC:CC:CC:CC</ac:Value>
-                <ac:ContextItem Name="IMEI">
-                   <ac:Value>49015420323756</ac:Value>
-                </ac:ContextItem>
-                <ac:ContextItem Name="IMEI">
-                   <ac:Value>30215420323756</ac:Value>
-                </ac:ContextItem>
-                <ac:ContextItem Name="EnrollmentType">
-                   <ac:Value>Full</ac:Value>
-                </ac:ContextItem>
-                <ac:ContextItem Name="DeviceType">
-                   <ac:Value>CIMClient_Windows</ac:Value>
-                </ac:ContextItem>
-                <ac:ContextItem Name="ApplicationVersion">
-                   <ac:Value>10.0.9999.0</ac:Value>
-                </ac:ContextItem>
-                <ac:ContextItem Name="DeviceID">
-                   <ac:Value>7BA748C8-703E-4DF2-A74A-92984117346A</ac:Value>
-                </ac:ContextItem>
-                <ac:ContextItem Name="TargetedUserLoggedIn">
-                   <ac:Value>True</ac:Value>
-                </ac:ContextItem>
-             </ac:AdditionalContext>
-        </wst:RequestSecurityToken>
-      </s:Body>
+<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
+   xmlns:a="http://www.w3.org/2005/08/addressing"
+   xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
+   xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
+   xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
+  <s:Header>
+    <a:Action s:mustUnderstand="1">
+      http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep
+    </a:Action>
+    <a:MessageID>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:MessageID>
+    <a:ReplyTo>
+      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
+    </a:ReplyTo>
+    <a:To s:mustUnderstand="1">
+      https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
+    </a:To>
+    <wsse:Security s:mustUnderstand="1">
+      <wsse:BinarySecurityToken
+         wsse:ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
+         wsse:EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">
+      B64EncodedSampleBinarySecurityToken
+      </wsse:BinarySecurityToken>
+    </wsse:Security>
+  </s:Header>
+  <s:Body>
+    <wst:RequestSecurityToken>
+      <wst:TokenType>
+        http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
+      </wst:TokenType>
+      <wst:RequestType>
+        http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
+      </wst:RequestType>
+      <wsse:BinarySecurityToken
+         ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"
+         EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">
+        DER format PKCS#10 certificate request in Base64 encoding Insterted Here
+      </wsse:BinarySecurityToken>
+      <ac:AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
+           <ac:ContextItem Name="OSEdition">
+               <ac:Value> 4</ac:Value>
+            </ac:ContextItem>
+            <ac:ContextItem Name="OSVersion">
+               <ac:Value>10.0.9999.0</ac:Value>
+            </ac:ContextItem>
+            <ac:ContextItem Name="DeviceName">
+               <ac:Value>MY_WINDOWS_DEVICE</ac:Value>
+            </ac:ContextItem>
+            <ac:ContextItem Name="MAC">
+               <ac:Value>FF:FF:FF:FF:FF:FF</ac:Value>
+            </ac:ContextItem>
+            <ac:ContextItem Name="MAC">
+               <ac:Value>CC:CC:CC:CC:CC:CC</ac:Value>
+            <ac:ContextItem Name="IMEI">
+               <ac:Value>49015420323756</ac:Value>
+            </ac:ContextItem>
+            <ac:ContextItem Name="IMEI">
+               <ac:Value>30215420323756</ac:Value>
+            </ac:ContextItem>
+            <ac:ContextItem Name="EnrollmentType">
+               <ac:Value>Full</ac:Value>
+            </ac:ContextItem>
+            <ac:ContextItem Name="DeviceType">
+               <ac:Value>CIMClient_Windows</ac:Value>
+            </ac:ContextItem>
+            <ac:ContextItem Name="ApplicationVersion">
+               <ac:Value>10.0.9999.0</ac:Value>
+            </ac:ContextItem>
+            <ac:ContextItem Name="DeviceID">
+               <ac:Value>7BA748C8-703E-4DF2-A74A-92984117346A</ac:Value>
+            </ac:ContextItem>
+            <ac:ContextItem Name="TargetedUserLoggedIn">
+               <ac:Value>True</ac:Value>
+            </ac:ContextItem>
+         </ac:AdditionalContext>
+    </wst:RequestSecurityToken>
+  </s:Body>
+</s:Envelope>
 ```
 
 After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR).
@@ -492,43 +496,43 @@ Here is a sample RSTR message and a sample of OMA client provisioning XML within
 The following example shows the enrollment web service response.
 
 ```xml
-    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" 
-       xmlns:a="http://www.w3.org/2005/08/addressing" 
-       xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
-       <s:Header>
-          <a:Action s:mustUnderstand="1" >
-             http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep
-          </a:Action>
-          <a:RelatesTo>urn:uuid:81a5419a-496b-474f-a627-5cdd33eed8ab</a:RelatesTo>
-          <o:Security s:mustUnderstand="1" xmlns:o=
-             "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
-             <u:Timestamp u:Id="_0">
-                <u:Created>2012-08-02T00:32:59.420Z</u:Created>
-                <u:Expires>2012-08-02T00:37:59.420Z</u:Expires>
-             </u:Timestamp>
-          </o:Security>
-       </s:Header>
-       <s:Body>
-          <RequestSecurityTokenResponseCollection 
-             xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
-             <RequestSecurityTokenResponse>
-                <TokenType>
-                    http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
-                </TokenType>
-                 <DispositionMessage xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"/>
-                 <RequestedSecurityToken>
-                   <BinarySecurityToken 
-                      ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc"
-                      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
-                      xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
-                      B64EncodedSampleBinarySecurityToken
-                   </BinarySecurityToken>
-                </RequestedSecurityToken>
-                <RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0</RequestID>
-             </RequestSecurityTokenResponse>
-          </RequestSecurityTokenResponseCollection>
-       </s:Body>
-    </s:Envelope>
+<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" 
+   xmlns:a="http://www.w3.org/2005/08/addressing" 
+   xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
+   <s:Header>
+      <a:Action s:mustUnderstand="1" >
+         http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep
+      </a:Action>
+      <a:RelatesTo>urn:uuid:81a5419a-496b-474f-a627-5cdd33eed8ab</a:RelatesTo>
+      <o:Security s:mustUnderstand="1" xmlns:o=
+         "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
+         <u:Timestamp u:Id="_0">
+            <u:Created>2012-08-02T00:32:59.420Z</u:Created>
+            <u:Expires>2012-08-02T00:37:59.420Z</u:Expires>
+         </u:Timestamp>
+      </o:Security>
+   </s:Header>
+   <s:Body>
+      <RequestSecurityTokenResponseCollection 
+         xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
+         <RequestSecurityTokenResponse>
+            <TokenType>
+                http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
+            </TokenType>
+             <DispositionMessage xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"/>
+             <RequestedSecurityToken>
+               <BinarySecurityToken 
+                  ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc"
+                  EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
+                  xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
+                  B64EncodedSampleBinarySecurityToken
+               </BinarySecurityToken>
+            </RequestedSecurityToken>
+            <RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0</RequestID>
+         </RequestSecurityTokenResponse>
+      </RequestSecurityTokenResponseCollection>
+   </s:Body>
+</s:Envelope>
 ```
 
 The following code shows sample provisioning XML (presented in the preceding package as a security token):
@@ -610,11 +614,16 @@ The following code shows sample provisioning XML (presented in the preceding pac
 </wap-provisioningdoc>
 ```
 
-**Notes**
-
--   &lt;Parm name&gt; and &lt;characteristic type=&gt; elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase.
--   In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML.
--   Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document.
--   The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique.
--   Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate.
--   CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it.
+> [!NOTE]
+> 
+> -   &lt;Parm name&gt; and &lt;characteristic type=&gt; elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase.
+> 
+> -   In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML.
+> 
+> -   Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document.
+> 
+> -   The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique.
+> 
+> -   Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate.
+> 
+> -   CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it.

windows/client-management/mdm/policy-configuration-service-provider.md

@@ -7076,6 +7076,18 @@ The following diagram shows the Policy configuration service provider in tree fo
   </dd>
 </dl>
 
+### NetworkListManager policies
+
+<dl>
+  <dd>
+    <a href="./policy-csp-networklistmanager.md#networklistmanager-allowedtlsauthenticationendpoints" id="networklistmanager-allowedtlsauthenticationendpoints">NetworkListManager/AllowedTlsAuthenticationEndpoints</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-networklistmanager.md#networklistmanager-configuredtlsauthenticationnetworkname" id="networklistmanager-configuredtlsauthenticationnetworkname">NetworkListManager/ConfiguredTLSAuthenticationNetworkName</a>
+  </dd>
+  <dd>
+</dl>
+
 ### Notifications policies
 
 <dl>

windows/client-management/mdm/policy-csp-experience.md

@@ -73,6 +73,9 @@ manager: dansimp
   <dd>
     <a href="#experience-allowwindowstips">Experience/AllowWindowsTips</a>
   </dd>
+  <dd>
+    <a href="#experience-configurechaticonvisibilityonthetaskbar">Experience/ConfigureChatIcon</a>
+  </dd>
   <dd>
     <a href="#experience-configurewindowsspotlightonlockscreen">Experience/ConfigureWindowsSpotlightOnLockScreen</a>
   </dd>
@@ -499,7 +502,7 @@ The values for this policy are 1 and 0. This policy defaults to 1.
 
 <hr/>
 <!--Policy-->
-<a href="" id="experience-allowsaveasofofficefiles"></a>**Experience/AllowSaveAsOfOfficeFiles**  
+<a href="" id="experience-allowsaveasofofficefiles"></a><b>Experience/AllowSaveAsOfOfficeFiles</b>
 
 <hr/>
 
@@ -1150,6 +1153,64 @@ The following list shows the supported values:
 
 <hr/>
 
+<!--Policy-->
+<a href="" id="experience-configurechaticonvisibilityonthetaskbar"></a>**Experience/ConfigureChatIcon**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Machine
+<hr/>
+<!--/Scope-->
+<!--Description-->
+This policy setting allows you to configure the Chat icon on the taskbar.
+
+<!--/Description-->
+<!--SupportedValues-->
+The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not enabled.
+
+-   0 - Not Configured: The Chat icon will be configured according to the defaults for your Windows edition.
+-   1 - Show: The Chat icon will be displayed on the taskbar by default. Users can show or hide it in Settings.
+-   2 - Hide: The Chat icon will be hidden by default. Users can show or hide it in Settings.
+-   3 - Disabled: The Chat icon will not be displayed, and users cannot show or hide it in Settings.
+
+<!--/SupportedValues-->
+<!--/Policy-->
+
+<hr/>
+
 <!--Policy-->
 <a href="" id="experience-configurewindowsspotlightonlockscreen"></a>**Experience/ConfigureWindowsSpotlightOnLockScreen**  
 

windows/client-management/mdm/policy-csp-networklistmanager.md

@@ -0,0 +1,135 @@
+---
+title: Policy CSP - NetworkListManager
+description: The Policy CSP - NetworkListManager setting creates a new MDM policy that allows admins to configure a list of URIs of HTTPS endpoints that are considered secure.
+ms.author: v-nsatapathy
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nimishasatapathy
+ms.localizationpriority: medium
+ms.date: 7/10/2021
+ms.reviewer: 
+manager: dansimp
+---
+
+# Policy CSP - NetworkListManager
+
+
+<hr/>
+
+<!--Policies-->
+## NetworkListManager policies  
+
+<dl>
+  <dd>
+    <a href="#networklistmanager-allowedtlsauthenticationendpoints">NetworkListManager/AllowedTlsAuthenticationEndpoints</a>
+  </dd>
+  <dd>
+    <a href="#networklistmanager-configuredtlsauthenticationnetworkname">NetworkListManager/ConfiguredTLSAuthenticationNetworkName</a>
+  </dd>
+</dl>
+
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="networklistmanager-allowedtlsauthenticationendpoints"></a>**NetworkListManager/AllowedTlsAuthenticationEndpoints**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Machine
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
+
+<hr/>
+
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="networklistmanager-configuredtlsauthenticationnetworkname"></a>**NetworkListManager/ConfiguredTLSAuthenticationNetworkName**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Machine
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting provides the string to be used to name the network authenticated against one of the endpoints listed in NetworkListManager/AllowedTlsAuthenticationEndpoints policy.
+
+<hr/>
+
+<!--/Policies-->
+

windows/client-management/mdm/toc.yml

@@ -725,6 +725,8 @@ items:
               href: policy-csp-multitasking.md
             - name: NetworkIsolation
               href: policy-csp-networkisolation.md
+            - name: NetworkListManager
+              href: policy-csp-networklistmanager.md
             - name: Notifications
               href: policy-csp-notifications.md
             - name: Power

windows/client-management/toc.yml

@@ -18,6 +18,8 @@ items:
           href: change-default-removal-policy-external-storage-media.md
         - name: Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education
           href: group-policies-for-enterprise-and-education-editions.md
+        - name: Manage Device Installation with Group Policy
+          href: manage-device-installation-with-group-policy.md
         - name: Manage the Settings app with Group Policy
           href: manage-settings-app-with-group-policy.md
         - name: What version of Windows am I running

windows/deployment/TOC.yml

@@ -11,6 +11,8 @@
           href: update/waas-quick-start.md
         - name: Windows update fundamentals
           href: update/waas-overview.md
+        - name: Monthly quality updates
+          href: update/quality-updates.md
         - name: Basics of Windows updates, channels, and tools
           href: update/get-started-updates-channels-tools.md
         - name: Servicing the Windows 10 operating system

windows/deployment/deploy-whats-new.md

@@ -35,12 +35,12 @@ Check out the following new articles about Windows 11:
 - [Plan for Windows 11](/windows/whats-new/windows-11-plan)
 - [Prepare for Windows 11](/windows/whats-new/windows-11-prepare)
 
+The [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.<br>
+
 [SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later.<br>
-The [Windows ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install) is available.<br>
 New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).<br>
 VPN support is added to [Windows Autopilot](#windows-autopilot)<br>
 An in-place upgrade wizard is available in [Configuration Manager](#microsoft-endpoint-configuration-manager).<br>
-The [Windows ADK](#windows-assessment-and-deployment-kit-adk) for Windows 10, version 2004 is available.<br>
 The Windows 10 deployment and update [landing page](index.yml) has been redesigned, with additional content added and more content coming soon.<br>
 
 ## The Modern Desktop Deployment Center
@@ -186,9 +186,9 @@ For the latest information about MDT, see the [MDT release notes](/mem/configmgr
 
 The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
 
-Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](/windows-hardware/get-started/adk-install).
+Download the Windows ADK and Windows PE add-on for Windows 11 [here](/windows-hardware/get-started/adk-install).
 
-For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004).
+For information about what's new in the ADK, see [What's new in the Windows ADK](/windows-hardware/get-started/what-s-new-in-kits-and-tools).
 
 Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
 

windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md

@@ -140,4 +140,4 @@ In-place upgrade with Configuration Manager
 ## Related topics
 
 [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)<br>
-[Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620109)
+[Configuration Manager Team blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/bg-p/ConfigurationManagerBlog)

windows/deployment/update/quality-updates.md

@@ -0,0 +1,77 @@
+---
+title: Monthly quality updates (Windows 10/11)
+description: Learn about Windows monthly quality updates to stay productive and protected.
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.author: greglin
+ms.reviewer: 
+manager: laurawi
+ms.topic: article
+---
+
+# Monthly quality updates
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+
+Windows monthly quality updates help you to stay productive and protected. They provide your users and IT administrators with the security fixes they need, and protect devices so that unpatched vulnerabilities can't be exploited. Quality updates are cumulative; they include all previously released fixes to guard against fragmentation of the operating system (OS). Reliability and vulnerability issues can occur when only a subset of fixes is installed.   
+
+This article provides details on the types of monthly quality updates that Microsoft provides, and how they help make the overall user experience simple and consistent. 
+
+## Quality updates
+
+Quality updates are provided on a monthly schedule, as two types of releases: 
+
+1. Non-security releases
+2. Combined security + non-security releases
+
+Non-security releases provide IT admins an opportunity for early validation of that content prior to the combined release. Releases can also be provided outside of the monthly schedule when there is an exceptional need. 
+
+### B releases
+
+Most people are familiar with what is commonly referred to as **Patch Tuesday** or **Update Tuesday**. These updates are released on the second Tuesday of each month, and are known as the **B release** (where “**B**” refers to the second week in the month). B releases are typically published at 10:00 AM Pacific Time (PST/PDT).  
+
+Because they are cumulative, B releases include both new and previously released security fixes, along with non-security content introduced in the prior month’s **Preview C release** (see the next section). These updates help keep Windows devices secure and compliant by deploying stability fixes and addressing security vulnerabilities. B releases are mandatory. 
+
+Channels for availability of B releases include: Windows Update, Windows Server Update Services (WSUS), and the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). 
+
+### C releases
+
+IT admins have the option to test and validate production-quality releases ahead of the planned B release for the following month. These updates are optional, cumulative, non-security preview releases known as **C releases**. These releases are only offered to the most recent, supported versions of Windows. For example, new features like [News and Interests](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/group-configuration-news-and-interests-on-the-windows-taskbar/ba-p/2281005) might initially be deployed in the prior month’s C preview release, then ship in the following month’s B release. 
+
+For customers to access the C releases, they must navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**.  
+
+IT admins can also validate fixes and features in a preview update by leveraging the [Windows Insider Program for Business](https://insider.windows.com/for-business) or via the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). 
+
+### OOB releases
+
+Out-of-band (OOB) releases might be provided to fix a recently identified issue or vulnerability. They are used in atypical cases when an issue is detected and cannot wait for the next monthly release, because devices must be updated immediately to address security vulnerabilities or to resolve a quality issue impacting many devices. 
+
+Some key considerations about OOB releases include: 
+
+- OOB releases are always cumulative, and they supersede any prior B or C release. 
+- The OOB releases will generally require IT admins to deploy off-cycle.  
+- Some OOB releases are classified as critical and will automatically be pushed to Windows Server Update Services and Windows Update for Business, just like the B releases.  
+- Some OOB releases are non-critical and only go to the Microsoft Update Catalog for users or organizations to voluntarily seek out the update. 
+
+## More information
+
+For additional details about the different types of Windows updates like critical, security, drivers, service packs, and more, please see the [Description of the standard terminology used to describe Microsoft software updates](https://support.microsoft.com/help/824684) and [Introducing a new deployment service for driver and firmware updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-a-new-deployment-service-for-driver-and-firmware/ba-p/2176942). 
+
+## Related topics
+
+- [Overview of Windows as a service](waas-overview.md)
+- [Update Windows 10 in the enterprise](index.md)
+- [Quick guide to Windows as a service](waas-quick-start.md) 
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure)
+- [Manage device restarts after updates](waas-restart.md)

windows/deployment/upgrade/setupdiag.md

@@ -49,7 +49,7 @@ When run by Windows Setup, the following [parameters](#parameters) are used:
 - /Output:%windir%\logs\SetupDiag\SetupDiagResults.xml
 - /RegPath:HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupDiag\Results
 
-The resulting SetupDiag analysis can be found at **%WinDir%\Logs\SetupDiag\SetupDiagResults.xml** and in the registry under **HKLM\SYSTEM\Setup\SetupDiag\Results**.
+The resulting SetupDiag analysis can be found at **%WinDir%\Logs\SetupDiag\SetupDiagResults.xml** and in the registry under **HKLM\SYSTEM\Setup\SetupDiag\Results**.  Please note that this is not the same as the default registry path when SetupDiag is run manually. When SetupDiag is run manually, and the /RegPath parameter is not specificed, data is stored in the registry at HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag.
 
 > [!IMPORTANT]
 > When SetupDiag indicates that there were multiple failures, the last failure in the log file is typically the fatal error, not the first one.

windows/deployment/usmt/usmt-overview.md

@@ -15,39 +15,35 @@ ms.topic: article
 ---
 
 # User State Migration Tool (USMT) Overview
+
 You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md).
 
 USMT enables you to do the following:
 
 -   Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they are migrated. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md).
-
 -   Fit your customized migration into your automated deployment process by using the ScanState and LoadState tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md).
-
 -   Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md) and [Offline Migration Reference](offline-migration-reference.md).
 
 ## Benefits
+
 USMT provides the following benefits to businesses that are deploying Windows operating systems:
 
 -   Safely migrates user accounts, operating system and application settings.
-
 -   Lowers the cost of deploying Windows by preserving user state.
-
 -   Reduces end-user downtime required to customize desktops and find missing files.
-
 -   Reduces help-desk calls.
-
 -   Reduces the time needed for the user to become familiar with the new operating system.
-
 -   Increases employee satisfaction with the migration experience.
 
 ## Limitations
-USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink.
+
+USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover is not a free utility. PCmover Express is a tool created by Microsoft's partner, Laplink.
 
 There are some scenarios in which the use of USMT is not recommended. These include:
 
 -   Migrations that require end-user interaction.
-
 -   Migrations that require customization on a machine-by-machine basis.
 
 ## Related topics
+
 - [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md)

windows/deployment/windows-10-subscription-activation.md

@@ -57,7 +57,7 @@ Inherited Activation is a new feature available in Windows 10, version 1803 that
 
 When a user with Windows 10 E3/E5 or A3/A5 license assigned creates a new Windows 10 virtual machine (VM) using a Windows 10 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM.
 
-To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later.
+To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later. The hypervisor platform must also be Windows Hyper-V.
 
 ## The evolution of deployment
 

windows/privacy/changes-to-windows-diagnostic-data-collection.md

@@ -50,7 +50,7 @@ Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience
 
 ## Behavioral changes
 
-In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see [Configure a Windows 10 device to limit crash dumps and logs](#configure-a-windows-10-device-to-limit-crash-dumps-and-logs). For more information on services that rely on Enhanced diagnostic data, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data).
+In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see [Configure a Windows 11 device to limit crash dumps and logs](#configure-a-windows-11-device-to-limit-crash-dumps-and-logs). For more information on services that rely on Enhanced diagnostic data, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data).
 
 Additionally, you will see the following policy changes in an upcoming release of Windows 10:
 
@@ -72,7 +72,7 @@ A final set of changes includes two new policies that can help you fine-tune dia
 >[!Important]
 >All the changes mentioned in this section will not be released on versions of Windows, version 1809 and earlier as well as Windows Server 2019 and earlier.
 
-## Configure a Windows 10 device to limit crash dumps and logs
+## Configure a Windows 11 device to limit crash dumps and logs
 
 With the Enhanced diagnostic data level being split out into new policies, we're providing additional controls to manage what types of crash dumps are collected and whether to send additional diagnostic logs. Here are some steps on how to configure them:
 

windows/security/identity-protection/access-control/security-identifiers.md

@@ -188,91 +188,108 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID
 
 | SID | Display Name | Description |
 | - | - | - |
-| S-1-5-1 | Dialup | A group that includes all users who are logged on to the system by means of a dial-up connection.| 
+| S-1-5-1 | Dialup | A group that includes all users who are logged on to the system by means of a dial-up connection.|
 | S-1-5-113 | Local account| You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named.|
 | S-1-5-114| Local account and member of Administrators group | You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named. |
 | S-1-5-2 | Network | A group that includes all users who are logged on by means of a network connection. Access tokens for interactive users do not contain the Network SID.|
-| S-1-5-3 | Batch | A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs.| 
-| S-1-5-4 | Interactive| A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID.| 
-| S-1-5-5- *X*-*Y* | Logon Session| The  *X* and  *Y* values for these SIDs uniquely identify a particular logon session.| 
+| S-1-5-3 | Batch | A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs.|
+| S-1-5-4 | Interactive| A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID.|
+| S-1-5-5- *X*-*Y* | Logon Session| The  *X* and  *Y* values for these SIDs uniquely identify a particular logon session.|
 | S-1-5-6 | Service| A group that includes all security principals that have signed in as a service.|
-| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.<br/>The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName*, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName* (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.| 
-| S-1-5-8| Proxy| Does not currently apply: this SID is not used.| 
+| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.<br/>The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName*, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName* (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.|
+| S-1-5-8| Proxy| Does not currently apply: this SID is not used.|
 | S-1-5-9 | Enterprise Domain Controllers| A group that includes all domain controllers in a forest of domains.|
-| S-1-5-10 | Self| A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object.| 
+| S-1-5-10 | Self| A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object.|
 | S-1-5-11 | Authenticated Users| A group that includes all users and computers with identities that have been authenticated. Authenticated Users does not include Guest even if the Guest account has a password.<br/>This group includes authenticated security principals from any trusted domain, not only the current domain.|
-| S-1-5-12 | Restricted Code| An identity that is used by a process that is running in a restricted security context. In Windows and Windows Server operating systems, a software restriction policy can assign one of three security levels to code: unrestricted, restricted, or disallowed. When code runs at the restricted security level, the Restricted SID is added to the user's access token.| 
-| S-1-5-13 | Terminal Server User| A group that includes all users who sign in to a server with Remote Desktop Services enabled.| 
-| S-1-5-14 | Remote Interactive Logon| A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.| 
-| S-1-5-15| This Organization| A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller.| 
-| S-1-5-17 | IIS_USRS| An account that is used by the default Internet Information Services (IIS) user.| 
-| S-1-5-18 | System (or LocalSystem)| An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem.<br/>System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token.<br/>When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.| 
-| S-1-5-19 | NT Authority (LocalService)| An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.| 
-| S-1-5-20 | Network Service| An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.| 
-| S-1-5-*domain*-500 | Administrator| A user account for the system administrator. Every computer has a local Administrator account and every domain has a domain Administrator account.<br/>The Administrator account is the first account created during operating system installation. The account cannot be deleted, disabled, or locked out, but it can be renamed.<br/>By default, the Administrator account is a member of the Administrators group, and it cannot be removed from that group.| 
-| S-1-5-*domain*-501 | Guest| A user account for people who do not have individual accounts. Every computer has a local Guest account, and every domain has a domain Guest account.<br/>By default, Guest is a member of the Everyone and the Guests groups. The domain Guest account is also a member of the Domain Guests and Domain Users groups.<br/>Unlike Anonymous Logon, Guest is a real account, and it can be used to log on interactively. The Guest account does not require a password, but it can have one.| 
-| S-1-5-*domain*-502| krbtgt| A user account that is used by the Key Distribution Center (KDC) service. The account exists only on domain controllers.| 
-| S-1-5-*domain*-512| Domain Admins| A global group with members that are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including domain controllers.<br/>Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.| 
-| S-1-5-*domain*-513| Domain Users| A global group that includes all users in a domain. When you create a new User object in Active Directory, the user is automatically added to this group.| 
-| S-1-5-*domain*-514| Domain Guests| A global group, which by default, has only one member: the domain's built-in Guest account.| 
-| S-1-5-*domain*-515 | Domain Computers| A global group that includes all computers that have joined the domain, excluding domain controllers.| 
-| S-1-5-*domain*-516| Domain Controllers| A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically.| 
-| S-1-5-*domain*-517 | Cert Publishers| A global group that includes all computers that host an enterprise certification authority.<br/>Cert Publishers are authorized to publish certificates for User objects in Active Directory.| 
-| S-1-5-*root domain*-518| Schema Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode. The Schema Admins group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.| 
+| S-1-5-12 | Restricted Code| An identity that is used by a process that is running in a restricted security context. In Windows and Windows Server operating systems, a software restriction policy can assign one of three security levels to code: unrestricted, restricted, or disallowed. When code runs at the restricted security level, the Restricted SID is added to the user's access token.|
+| S-1-5-13 | Terminal Server User| A group that includes all users who sign in to a server with Remote Desktop Services enabled.|
+| S-1-5-14 | Remote Interactive Logon| A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.|
+| S-1-5-15| This Organization| A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller.|
+| S-1-5-17 | IIS_USRS| An account that is used by the default Internet Information Services (IIS) user.|
+| S-1-5-18 | System (or LocalSystem)| An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem.<br/>System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token.<br/>When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.|
+| S-1-5-19 | NT Authority (LocalService)| An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.|
+| S-1-5-20 | Network Service| An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.|
+| S-1-5-*domain*-500 | Administrator| A user account for the system administrator. Every computer has a local Administrator account and every domain has a domain Administrator account.<br/>The Administrator account is the first account created during operating system installation. The account cannot be deleted, disabled, or locked out, but it can be renamed.<br/>By default, the Administrator account is a member of the Administrators group, and it cannot be removed from that group.|
+| S-1-5-*domain*-501 | Guest| A user account for people who do not have individual accounts. Every computer has a local Guest account, and every domain has a domain Guest account.<br/>By default, Guest is a member of the Everyone and the Guests groups. The domain Guest account is also a member of the Domain Guests and Domain Users groups.<br/>Unlike Anonymous Logon, Guest is a real account, and it can be used to log on interactively. The Guest account does not require a password, but it can have one.|
+| S-1-5-*domain*-502| krbtgt| A user account that is used by the Key Distribution Center (KDC) service. The account exists only on domain controllers.|
+| S-1-5-*domain*-512| Domain Admins| A global group with members that are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including domain controllers.<br/>Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.|
+| S-1-5-*domain*-513| Domain Users| A global group that includes all users in a domain. When you create a new User object in Active Directory, the user is automatically added to this group.|
+| S-1-5-*domain*-514| Domain Guests| A global group, which by default, has only one member: the domain's built-in Guest account.|
+| S-1-5-*domain*-515 | Domain Computers| A global group that includes all computers that have joined the domain, excluding domain controllers.|
+| S-1-5-*domain*-516| Domain Controllers| A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically.|
+| S-1-5-*domain*-517 | Cert Publishers| A global group that includes all computers that host an enterprise certification authority.<br/>Cert Publishers are authorized to publish certificates for User objects in Active Directory.|
+| S-1-5-*root domain*-518| Schema Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode. The Schema Admins group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.|
 | S-1-5-*root domain*-519| Enterprise Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode.<br/>The Enterprise Admins group is authorized to make changes to the forest infrastructure, such as adding child domains, configuring sites, authorizing DHCP servers, and installing enterprise certification authorities.<br/>By default, the only member of Enterprise Admins is the Administrator account for the forest root domain. The group is a default member of every Domain Admins group in the forest. |
-| S-1-5-*domain*-520| Group Policy Creator Owners| A global group that is authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator.<br/>Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual.| 
-| S-1-5-*domain*-553| RAS and IAS Servers| A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically.<br/>Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.| 
-| S-1-5-32-544 | Administrators| A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.| 
-| S-1-5-32-545 | Users| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.| 
-| S-1-5-32-546 | Guests| A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.| 
+| S-1-5-*domain*-520| Group Policy Creator Owners| A global group that is authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator.<br/>Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual.|
+| S-1-5-*domain*-553| RAS and IAS Servers| A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically.<br/>Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.|
+| S-1-5-32-544 | Administrators| A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.|
+| S-1-5-32-545 | Users| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.|
+| S-1-5-32-546 | Guests| A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.|
 | S-1-5-32-547 | Power Users| A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. |
-| S-1-5-32-548| Account Operators| A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.| 
-| S-1-5-32-549| Server Operators| Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.| 
-| S-1-5-32-550 | Print Operators| A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.| 
-| S-1-5-32-551 | Backup Operators| A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down. 
+| S-1-5-32-548| Account Operators| A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.|
+| S-1-5-32-549| Server Operators| Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.|
+| S-1-5-32-550 | Print Operators| A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.|
+| S-1-5-32-551 | Backup Operators| A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.|
 | S-1-5-32-552 | Replicators | A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.|
-| S-1-5-64-10| NTLM Authentication| A SID that is used when the NTLM authentication package authenticated the client| 
-| S-1-5-64-14 | SChannel Authentication| A SID that is used when the SChannel authentication package authenticated the client.| 
-| S-1-5-64-21 | Digest Authentication| A SID that is used when the Digest authentication package authenticated the client.| 
-| S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.| 
-| S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.| 
-| S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). | 
-| S-1-16-0| Untrusted Mandatory Level| A SID that represents an untrusted integrity level.| 
-| S-1-16-4096 | Low Mandatory Level| A SID that represents a low integrity level.| 
-| S-1-16-8192 | Medium Mandatory Level| This SID represents a medium integrity level.| 
-| S-1-16-8448 | Medium Plus Mandatory Level| A SID that represents a medium plus integrity level.| 
-| S-1-16-12288 | High Mandatory Level| A SID that represents a high integrity level.| 
-| S-1-16-16384 | System Mandatory Level| A SID that represents a system integrity level.| 
-| S-1-16-20480 | Protected Process Mandatory Level| A SID that represents a protected-process integrity level.| 
-| S-1-16-28672 | Secure Process Mandatory Level| A SID that represents a secure process integrity level.| 
+|S-1-5-32-554|Builtin\Pre-Windows 2000 Compatible Access|An alias added by Windows 2000. A backward compatibility group that allows read access on all users and groups in the domain.|
+|S-1-5-32-555|Builtin\Remote Desktop Users|An alias. Members in this group are granted the right to log on remotely.|
+|S-1-5-32-556|Builtin\Network Configuration Operators|An alias. Members in this group can have some administrative privileges to manage configuration of networking features.|
+|S-1-5-32-557|Builtin\Incoming Forest Trust Builders|An alias. Members of this group can create incoming, one-way trusts to this forest.|
+|S-1-5-32-558|Builtin\Performance Monitor Users|An alias. Members of this group have remote access to monitor this computer.|
+|S-1-5-32-559|Builtin\Performance Log Users|An alias. Members of this group have remote access to schedule logging of performance counters on this computer.|
+|S-1-5-32-560|Builtin\Windows Authorization Access Group|An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.|
+|S-1-5-32-561|Builtin\Terminal Server License Servers|An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.|
+|S-1-5-32-562|Builtin\Distributed COM Users|An alias. A group for COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer.|
+|S-1-5-32-569|Builtin\Cryptographic Operators|A built-in local group. Members are authorized to perform cryptographic operations.|
+|S-1-5-32-573|Builtin\Event Log Readers|A built-in local group. Members of this group can read event logs from local computer.|
+|S-1-5-32-574|Builtin\Certificate Service DCOM Access|A built-in local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.|
+|S-1-5-32-575|Builtin\RDS Remote Access Servers|A built-in local group. Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.|
+|S-1-5-32-576|Builtin\RDS Endpoint Servers|A built-in local group. Servers in this group run virtual machines and host sessions where users RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.|
+|S-1-5-32-577|Builtin\RDS Management Servers|A builtin local group. Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.|
+|S-1-5-32-578|Builtin\Hyper-V Administrators|A built-in local group. Members of this group have complete and unrestricted access to all features of Hyper-V.|
+|S-1-5-32-579|Builtin\Access Control Assistance Operators|A built-in local group. Members of this group can remotely query authorization attributes and permissions for resources on this computer.|
+|S-1-5-32-580|Builtin\Remote Management Users|A built-in local group. Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.|
+| S-1-5-64-10| NTLM Authentication| A SID that is used when the NTLM authentication package authenticated the client|
+| S-1-5-64-14 | SChannel Authentication| A SID that is used when the SChannel authentication package authenticated the client.|
+| S-1-5-64-21 | Digest Authentication| A SID that is used when the Digest authentication package authenticated the client.|
+| S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.|
+| S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.|
+| S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). |
+| S-1-16-0| Untrusted Mandatory Level| A SID that represents an untrusted integrity level.|
+| S-1-16-4096 | Low Mandatory Level| A SID that represents a low integrity level.|
+| S-1-16-8192 | Medium Mandatory Level| This SID represents a medium integrity level.|
+| S-1-16-8448 | Medium Plus Mandatory Level| A SID that represents a medium plus integrity level.|
+| S-1-16-12288 | High Mandatory Level| A SID that represents a high integrity level.|
+| S-1-16-16384 | System Mandatory Level| A SID that represents a system integrity level.|
+| S-1-16-20480 | Protected Process Mandatory Level| A SID that represents a protected-process integrity level.|
+| S-1-16-28672 | Secure Process Mandatory Level| A SID that represents a secure process integrity level.|
 
 The following RIDs are relative to each domain.
 
-| RID | Identifies |
-| - | - |
-| DOMAIN_USER_RID_ADMIN | The administrative user account in a domain. |
-| DOMAIN_USER_RID_GUEST| The guest-user account in a domain. Users who do not have an account can automatically sign in to this account.| 
-| DOMAIN_GROUP_RID_USERS | A group that contains all user accounts in a domain. All users are automatically added to this group.| 
-| DOMAIN_GROUP_RID_GUESTS | The group Guest account in a domain.| 
-| DOMAIN_GROUP_RID_COMPUTERS | The Domain Computer group. All computers in the domain are members of this group.| 
-| DOMAIN_GROUP_RID_CONTROLLERS | The Domain Controller group. All domain controllers in the domain are members of this group.| 
-| DOMAIN_GROUP_RID_CERT_ADMINS | The certificate publishers' group. Computers running Active Directory Certificate Services are members of this group.| 
-| DOMAIN_GROUP_RID_SCHEMA_ADMINS | The schema administrators' group. Members of this group can modify the Active Directory schema.| 
-| DOMAIN_GROUP_RID_ENTERPRISE_ADMINS | The enterprise administrators' group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing new domains.| 
-| DOMAIN_GROUP_RID_POLICY_ADMINS| The policy administrators' group.| 
+| RID |Decimal value| Identifies |
+| - | - | - |
+| DOMAIN_USER_RID_ADMIN | 500 | The administrative user account in a domain. |
+| DOMAIN_USER_RID_GUEST| 501 | The guest-user account in a domain. Users who do not have an account can automatically sign in to this account.|
+| DOMAIN_GROUP_RID_USERS | 513 | A group that contains all user accounts in a domain. All users are automatically added to this group.|
+| DOMAIN_GROUP_RID_GUESTS | 514 | The group Guest account in a domain.|
+| DOMAIN_GROUP_RID_COMPUTERS | 515 | The Domain Computer group. All computers in the domain are members of this group.|
+| DOMAIN_GROUP_RID_CONTROLLERS | 516 | The Domain Controller group. All domain controllers in the domain are members of this group.|
+| DOMAIN_GROUP_RID_CERT_ADMINS | 517 | The certificate publishers' group. Computers running Active Directory Certificate Services are members of this group.|
+| DOMAIN_GROUP_RID_SCHEMA_ADMINS | 518 | The schema administrators' group. Members of this group can modify the Active Directory schema.|
+| DOMAIN_GROUP_RID_ENTERPRISE_ADMINS | 519 | The enterprise administrators' group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing new domains.|
+| DOMAIN_GROUP_RID_POLICY_ADMINS| 520 | The policy administrators' group.|
 
 The following table provides examples of domain-relative RIDs that are used to form well-known SIDs for local groups.
 
-
-| RID | Identifies |
-| - | - |
-| DOMAIN_ALIAS_RID_ADMINS | Administrators of the domain.| 
-| DOMAIN_ALIAS_RID_USERS | All users in the domain.| 
-| DOMAIN_ALIAS_RID_GUESTS | Guests of the domain.| 
-| DOMAIN_ALIAS_RID_POWER_USERS | A user or a set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users.| 
-| DOMAIN_ALIAS_RID_BACKUP_OPS | A local group that is used to control the assignment of file backup-and-restore user rights.| 
-| DOMAIN_ALIAS_RID_REPLICATOR | A local group that is responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system.| 
-| DOMAIN_ALIAS_RID_RAS_SERVERS | A local group that represents remote access and servers running Internet Authentication Service (IAS). This group permits access to various attributes of User objects.| 
+| RID | Decimal value | Identifies |
+| - | - | - |
+| DOMAIN_ALIAS_RID_ADMINS | 544 | Administrators of the domain.|
+| DOMAIN_ALIAS_RID_USERS | 545 | All users in the domain.|
+| DOMAIN_ALIAS_RID_GUESTS | 546 | Guests of the domain.|
+| DOMAIN_ALIAS_RID_POWER_USERS | 547 | A user or a set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users.|
+| DOMAIN_ALIAS_RID_BACKUP_OPS | 551 | A local group that is used to control the assignment of file backup-and-restore user rights.|
+| DOMAIN_ALIAS_RID_REPLICATOR | 552 | A local group that is responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system.|
+| DOMAIN_ALIAS_RID_RAS_SERVERS | 553 | A local group that represents remote access and servers running Internet Authentication Service (IAS). This group permits access to various attributes of User objects.|
 
 ## Changes in security identifier's functionality
 
@@ -290,6 +307,7 @@ Capability Security Identifiers (SIDs) are used to uniquely and immutably identi
 All Capability SIDs that the operating system is aware of are stored in the Windows Registry in the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'. Any Capability SID added to Windows by first or third-party applications will be added to this location.
 
 ## Examples of registry keys taken from Windows 10, version 1909, 64-bit Enterprise edition
+
 You may see the following registry keys under AllCachedCapabilities:
 
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock

windows/security/information-protection/encrypted-hard-drive.md

@@ -17,6 +17,7 @@ ms.date: 04/02/2019
 
 **Applies to**
 - Windows 10
+- Windows Server 2022
 - Windows Server 2019
 - Windows Server 2016
 
@@ -81,7 +82,7 @@ Configuration of Encrypted Hard Drives as startup drives is done using the same
 
 ## Configuring hardware-based encryption with Group Policy
 
-There are three related Group Policy settings that help you manage how BitLocker uses hardware-based envryption and which encryption algorithms to use. If these settings are not configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption: 
+There are three related Group Policy settings that help you manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings are not configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption: 
 
 - [Configure use of hardware-based encryption for fixed data drives](bitlocker/bitlocker-group-policy-settings.md#bkmk-hdefxd)  
 - [Configure use of hardware-based encryption for removable data drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-removable-data-drives)
@@ -107,4 +108,4 @@ Many Encrypted Hard Drive devices come pre-configured for use. If reconfiguratio
 1.  Open Disk Management (diskmgmt.msc)
 2.  Initialize the disk and select the appropriate partition style (MBR or GPT)
 3.  Create one or more volumes on the disk.
-4.  Use the BitLocker setup wizard to enable BitLocker on the volume.
+4.  Use the BitLocker setup wizard to enable BitLocker on the volume.

windows/security/information-protection/tpm/trusted-platform-module-overview.md

@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: high
 author: dansimp
 ms.author: dansimp
 manager: dansimp
@@ -96,4 +96,4 @@ Some things that you can check on the device are:
 - [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/blog/device-provisioning-identity-attestation-with-tpm/)
 - [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/)
 - [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx)
-- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx)
+- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx)

windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml

@@ -9,7 +9,7 @@ metadata:
   ms.localizationpriority: medium
   author: denisebmsft
   ms.author: deniseb
-  ms.date: 06/16/2021
+  ms.date: 07/23/2021
   ms.reviewer:
   manager: dansimp
   ms.custom: asr
@@ -47,33 +47,6 @@ sections:
          - Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”.
          - It must be a FQDN. A simple IP address will not work.
          - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard.
-
-      - question: |
-          Can employees download documents from the Application Guard Edge session onto host devices?
-        answer: |
-          In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
-          
-          In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.
-          
-      - question: |
-          Can employees copy and paste between the host device and the Application Guard Edge session?
-        answer: |
-          Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.
-
-      - question: |
-          Why don't employees see their favorites in the Application Guard Edge session?
-        answer: |
-          Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard).
-          
-      - question: |
-          Why aren’t employees able to see their extensions in the Application Guard Edge session?
-        answer: |
-          Make sure to enable the extensions policy on your Application Guard configuration.
-
-      - question: |
-          I’m trying to watch playback video with HDR, why is the HDR option missing?
-        answer: |
-          In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard.
         
       - question: |
           How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?

windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md

@@ -1,5 +1,5 @@
 ---
-title: Configure authorized apps deployed with a WDAC managed installer (Windows 10)
+title: Configure authorized apps deployed with a WDAC-managed installer (Windows 10)
 description: Explains how to configure a custom Manged Installer.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 08/14/2020
+ms.date: 07/15/2021
 ms.technology: mde
 ---
 
@@ -25,30 +25,30 @@ ms.technology: mde
 - Windows 10
 - Windows Server 2019
 
-Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called managed installer, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager.
+Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called _managed installer_, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager.
 
 ## How does a managed installer work?
 
-A new rule collection in AppLocker specifies binaries that are trusted by the organization as an authorized source for application deployment. When one of these binaries runs, Windows will monitor the binary's process (and processes it launches) then tag all files it writes as having originated from a managed installer. The managed installer rule collection is configured using Group Policy and can be applied with the Set-AppLockerPolicy PowerShell cmdlet. You can't currently set managed installers with the AppLocker CSP through MDM.
+A new rule collection in AppLocker specifies binaries that are trusted by the organization as an authorized source for application deployment. When one of these trusted binaries runs, Windows will monitor the binary's process (and processes it launches), and then tag all files it writes as having originated from a managed installer. The managed installer rule collection is configured using Group Policy and can be applied with the Set-AppLockerPolicy PowerShell cmdlet. You can't currently set managed installers with the AppLocker CSP through MDM.
 
-Having defined your managed installers using AppLocker, you can then configure WDAC to trust files installed by a managed installer by adding the "Enabled:Managed Installer" option to your WDAC policy. Once that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules present for the file, WDAC will allow a file to run based on its managed installer origin.
+Having defined your managed installers by using AppLocker, you can then configure WDAC to trust files that are installed by a managed installer. You do so by adding the "Enabled:Managed Installer" option to your WDAC policy. When that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules present for the file, WDAC will allow a file to run based on its managed installer origin.
 
-You should ensure that the WDAC policy allows the system/boot components and any other authorized applications that can't be deployed through a managed installer.
+Ensure that the WDAC policy allows the system/boot components and any other authorized applications that can't be deployed through a managed installer.
 
 ## Security considerations with managed installer
 
 Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do.
-It is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM).
+It's best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM).
 
 Users with administrator privileges, or malware running as an administrator user on the system, may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed.
 
-If a managed installer process runs in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control.
+If a managed installer process runs in the context of a user with standard privileges, then it's possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control.
 
-Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files created during the first run of the application. This could result in over-authorization for executables that were not intended. To avoid that outcome, ensure that the application deployment solution used as a managed installer limits running applications as part of installation.
+Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files that are created during the first run of the application. Extension of the installer's authorization could result in unintentional authorization of an executable. To avoid that outcome, ensure that the method of application deployment that is used as a managed installer limits running applications as part of installation.
 
 ## Known limitations with managed installer
 
-- Application control, based on managed installer, does not support applications that self-update. If an application deployed by a managed installer later updates itself, the updated application files won't include the managed installer origin information, and may not be able to run. When you rely on managed installers, you must deploy and install all application updates using a managed installer, or include rules to authorize the app in the WDAC policy. In some cases, it may be possible to also designate an application binary that performs self-updates as a managed installer. Proper review for functionality and security should be performed for the application before using this method.
+- Application control, based on managed installer, doesn't support applications that self-update. If an application that was deployed by a managed installer later updates itself, the updated application files won't include the origin information from the managed installer, and they might not be able to run. When you rely on managed installers, you must deploy and install all application updates by using a managed installer, or include rules to authorize the app in the WDAC policy. In some cases, it may be possible to also designate an application binary that performs self-updates as a managed installer. Proper review for functionality and security should be performed for the application before using this method.
 
 - [Packaged apps (MSIX)](/windows/msix/) deployed through a managed installer aren't tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy. See [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md).
 
@@ -71,7 +71,7 @@ The identity of the managed installer executable(s) is specified in an AppLocker
 
 ### Create Managed Installer rule collection
 
-Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use a text editor to make the simple changes needed to an EXE or DLL rule collection policy, to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO.
+Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use a text editor to make the changes that are needed to an EXE or DLL rule collection policy, to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO.
 
 1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability.
 
@@ -117,7 +117,7 @@ An example of a valid Managed Installer rule collection using Microsoft Endpoint
 ### Enable service enforcement in AppLocker policy
 
 Since many installation processes rely on services, it is typically necessary to enable tracking of services.
-Correct tracking of services requires the presence of at least one rule in the rule collection. So, a simple audit only rule will suffice. This can be added to the policy created above, which specifies your managed installer rule collection.
+Correct tracking of services requires the presence of at least one rule in the rule collection. So, a simple audit-only rule will suffice. The audit rule can be added to the policy created above, which specifies the rule collection of your managed installer.
 
 For example:
 
@@ -159,13 +159,13 @@ For example:
 In order to enable trust for the binaries laid down by managed installers, the "Enabled: Managed Installer" option must be specified in your WDAC policy.
 This can be done by using the [Set-RuleOption cmdlet](/powershell/module/configci/set-ruleoption) with Option 13.
 
-Below are steps to create a WDAC policy which allows Windows to boot and enables the managed installer option.
+Below are steps to create a WDAC policy that allows Windows to boot and enables the managed installer option.
 
 1. Copy the DefaultWindows_Audit policy into your working folder from "C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml"
 
-2. Reset the policy ID to ensure it is in multiple policy format, and give it a different GUID from the example policies. Also, give it a friendly name to help with identification.
+2. Reset the policy ID to ensure that it is in multiple-policy format, and give it a different GUID from the example policies. Also, give it a friendly name to help with identification.
 
-   For example:
+    For example:
 
     ```powershell
     Set-CIPolicyIdInfo -FilePath <XML filepath> -PolicyName "<friendly name>" -ResetPolicyID
@@ -189,6 +189,28 @@ appidtel.exe start [-mionly]
 
 Specify "-mionly" if you will not use the Intelligent Security Graph (ISG).
 
+## Using fsutil to query SmartLocker EA
+Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This can be achieved by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This can be used in conjunction with enabling the MI and ISG logging events.
+
+#### Example:
+```powershell
+fsutil file queryEA C:\Users\Temp\Downloads\application.exe
+
+Extended Attributes (EA) information for file C:\Users\Temp\Downloads\application.exe:
+
+Ea Buffer Offset: 410
+Ea Name: $KERNEL.SMARTLOCKER.ORIGINCLAIM
+Ea Value Length: 7e
+0000: 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................
+0010: b2 ff 10 66 bc a8 47 c7 00 d9 56 9d 3d d4 20 2a ...f..G...V.=. *
+0020: 63 a3 80 e2 d8 33 8e 77 e9 5c 8d b0 d5 a7 a3 11 c....3.w.\......
+0030: 83 00 00 00 00 00 00 00 5c 00 00 00 43 00 3a 00 ........\...C.:.
+0040: 5c 00 55 00 73 00 65 00 72 00 73 00 5c 00 6a 00 \.U.s.e.r.s.\.T.
+0050: 6f 00 67 00 65 00 75 00 72 00 74 00 65 00 2e 00 e.m.p..\D.o.w.n...
+0060: 52 00 45 00 44 00 4d 00 4f 00 4e 00 44 00 5c 00 l.o.a.d.\a.p.p.l.
+0070: 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 i.c.a.t.i.o.n..e.x.e
+```
+
 ## Enabling managed installer logging events
 
-Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events.
+Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events.

windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md

@@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: jogeurte
 ms.author: dansimp
 manager: dansimp
-ms.date: 11/13/2020
+ms.date: 07/19/2021
 ms.technology: mde
 ---
 
@@ -25,7 +25,7 @@ ms.technology: mde
 - Windows 10 version 1903 and above
 - Windows Server 2022 and above
 
-Prior to Windows 10 1903, WDAC only supported a single active on a system at any given time. This significantly limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios:
+Prior to Windows 10 1903, WDAC only supported a single active policy on a system at any given time. This significantly limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios:
 
 1. Enforce and Audit Side-by-Side
     - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side by side with an existing enforcement-mode base policy

windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md

@@ -10,7 +10,7 @@ ms.reviewer: jogeurte
 ms.author: jogeurte
 ms.manager: jsuther
 manager: dansimp
-ms.date: 04/14/2021
+ms.date: 07/19/2021
 ms.technology: mde
 ms.topic: article
 ms.localizationpriority: medium
@@ -41,4 +41,4 @@ For more information on using MEMCM's native WDAC policies, see [Windows Defende
 
 ## Deploy custom WDAC policies using Packages/Programs or Task Sequences
 
-Using MEMCM's built-in policies can be a helpful starting point, but customers may find the available circle-of-trust options available in MEMCM too limiting. To define your own circle-of-trust, you can use MEMCM to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences.
+Using MEMCM's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in MEMCM too limiting. To define your own circle-of-trust, you can use MEMCM to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences.

windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md

@@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 8/27/2020
+ms.date: 07/13/2021
 ms.technology: mde
 ---
 
@@ -120,3 +120,7 @@ The rule means trust anything signed by a certificate that chains to this root C
 | 19 | Microsoft ECC Devices Root CA 2017 |
 
 For well-known roots, the TBS hashes for the certificates are baked into the code for WDAC. For example, they don’t need to be listed as TBS hashes in the policy file.
+
+## Status values
+
+Represents values that are used to communicate system information. They are of four types: success values, information values, warning values, and error values. Click on the [NTSATUS](/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55) link for information about common usage details.

windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md

@@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 07/12/2021
+ms.date: 07/15/2021
 ms.technology: mde
 ---
 
@@ -27,14 +27,6 @@ ms.technology: mde
 
 Windows Defender Application Control (WDAC) can control what runs on Windows 10 by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted.
 
-## Getting started with cmdlets
-
-Some of the [SKUs](feature-availability.md) that support our PowerShell cmdlets [(ConfigCI Module)](/powershell/module/configci/?view=windowsserver2019-ps) support but do not have the module installed on the box. 
-
-### Steps to install the module
-- Install-Module "ConfigCI"
-- Import-Module "ConfigCI"
-
 ## Windows Defender Application Control policy rules
 
 To modify the policy rule options of an existing WDAC policy XML, use [Set-RuleOption](/powershell/module/configci/set-ruleoption). The following examples show how to use this cmdlet to add and remove a rule option on an existing WDAC policy:
@@ -49,46 +41,35 @@ To modify the policy rule options of an existing WDAC policy XML, use [Set-RuleO
 
     `Set-RuleOption -FilePath <Path to policy XML> -Option 0 -Delete`
 
-You can set several rule options within a WDAC policy. Table 1 describes each rule option.
+You can set several rule options within a WDAC policy. Table 1 describes each rule option and whether they have supplemental policies. However, option 5 is not implemented as it is reserved for future work, and option 7 is not supported.
 
 > [!NOTE]
 > We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. To allow these applications, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode.
 
 ### Table 1. Windows Defender Application Control policy - policy rule options
 
-| Rule option | Description |
-|------------ | ----------- |
-| **0 Enabled:UMCI** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. |
-| **1 Enabled:Boot Menu Protection** | This option is not currently supported. |
-| **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Kernel drivers built for Windows 10 should be WHQL certified. |
-| **3 Enabled:Audit Mode (Default)** | Instructs WDAC to log information about applications, binaries, and scripts that would have been blocked if the policy was enforced. You can use this option to identify the potential impact of your WDAC policy, and use the audit events to refine the policy before enforcement. To enforce a WDAC policy, delete this option. |
-| **4 Disabled:Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This option would be used by organizations that only want to run released binaries, not pre-release Windows builds. |
-| **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. |
-| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and the certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. |
-| **7 Allowed:Debug Policy Augmented** | This option is not currently supported. |
-| **8 Required:EV Signers** | This rule requires that drivers must be WHQL signed and have been submitted by a partner with an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. |
-| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. |
-| **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
-| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows 10 without the proper update may have unintended results. |
-| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. |
-| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) |
-| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
-| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.|
-| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. NOTE: This option is only supported on Windows 10, version 1709, and above.|
-| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. |
-| **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. |
-| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. |
-
-The following options are valid for supplemental policies. However, option 5 is not implemented as it is reserved for future work, and option 7 is not  supported.
-
-| Rule option | Description |
-|------------ | ----------- |
-| 5 | Enabled: Inherit Default Policy |
-| **6** | **Enabled: Unsigned System Integrity Policy** |
-| 7 | Allowed: Debug Policy Augmented |
-| **13** | **Enabled: Managed Installer** |
-| **14** | **Enabled: Intelligent Security Graph Authorization** |
-| **18** | **Disabled: Runtime FilePath Rule Protection** |
+| Rule option | Description | Valid supplemental option |
+|------------ | ----------- | ----------- |
+| **0 Enabled:UMCI** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. | No |
+| **1 Enabled:Boot Menu Protection** | This option is not currently supported. | No |
+| **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Kernel drivers built for Windows 10 should be WHQL certified. | No |
+| **3 Enabled:Audit Mode (Default)** | Instructs WDAC to log information about applications, binaries, and scripts that would have been blocked if the policy was enforced. You can use this option to identify the potential impact of your WDAC policy, and use the audit events to refine the policy before enforcement. To enforce a WDAC policy, delete this option. | No |
+| **4 Disabled:Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This option would be used by organizations that only want to run released binaries, not pre-release Windows builds. | No |
+| **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. | Yes |
+| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and the certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. | Yes |
+| **7 Allowed:Debug Policy Augmented** | This option is not currently supported. | Yes |
+| **8 Required:EV Signers** | This rule requires that drivers must be WHQL signed and have been submitted by a partner with an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. | No |
+| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No |
+| **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | No |
+| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows 10 without the proper update may have unintended results. | No |
+| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | No |
+| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes |
+| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | Yes |
+| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| No |
+| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. NOTE: This option is only supported on Windows 10, version 1709, and above.| No |
+| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. | No |
+| **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | Yes |
+| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | No |
 
 ## Windows Defender Application Control file rule levels
 

windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md

@@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 03/10/2020
+ms.date: 07/15/2021
 ms.technology: mde
 ---
 
@@ -53,7 +53,7 @@ Setting up the ISG is easy using any management solution you wish. Configuring t
 
 To allow apps and binaries based on the Microsoft Intelligent Security Graph, the **Enabled:Intelligent Security Graph authorization** option must be specified in the WDAC policy. This step can be done with the Set-RuleOption cmdlet. You should also enable the **Enabled:Invalidate EAs on Reboot** option so that ISG results are verified again after each reboot. The ISG option is not recommended for devices that don't have regular access to the internet. The following example shows both options being set.
 
-```code
+```xml
 <Rules> 
     <Rule> 
       <Option>Enabled:Unsigned System Integrity Policy</Option> 
@@ -83,7 +83,7 @@ To allow apps and binaries based on the Microsoft Intelligent Security Graph, th
 
 In order for the heuristics used by the ISG to function properly, a number of components in Windows must be enabled. You can configure these components by running the appidtel executable in `c:\windows\system32`.
 
-```
+```console
 appidtel start
 ```
 
@@ -95,6 +95,29 @@ Since the Microsoft Intelligent Security Graph is a heuristic-based mechanism, i
 
 Processes running with kernel privileges can circumvent WDAC by setting the ISG extended file attribute to make a binary appear to have known good reputation. Also, since the ISG option passes along reputation from application installers to the binaries they write to disk, it can over-authorize files in some cases where the installer launches the application upon completion.
 
+## Using fsutil to query SmartLocker EA
+Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This can be achieved by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This can be used in conjunction with enabling the MI and ISG logging events.
+
+#### Example
+
+```console
+fsutil file queryEA C:\Users\Temp\Downloads\application.exe
+
+Extended Attributes (EA) information for file C:\Users\Temp\Downloads\application.exe:
+
+Ea Buffer Offset: 410
+Ea Name: $KERNEL.SMARTLOCKER.ORIGINCLAIM
+Ea Value Length: 7e
+0000: 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................
+0010: b2 ff 10 66 bc a8 47 c7 00 d9 56 9d 3d d4 20 2a ...f..G...V.=. *
+0020: 63 a3 80 e2 d8 33 8e 77 e9 5c 8d b0 d5 a7 a3 11 c....3.w.\......
+0030: 83 00 00 00 00 00 00 00 5c 00 00 00 43 00 3a 00 ........\...C.:.
+0040: 5c 00 55 00 73 00 65 00 72 00 73 00 5c 00 6a 00 \.U.s.e.r.s.\.T.
+0050: 6f 00 67 00 65 00 75 00 72 00 74 00 65 00 2e 00 e.m.p..\D.o.w.n...
+0060: 52 00 45 00 44 00 4d 00 4f 00 4e 00 44 00 5c 00 l.o.a.d.\a.p.p.l.
+0070: 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 i.c.a.t.i.o.n..e.x.e
+```
+
 ## Known limitations with using the Intelligent Security Graph
 
 Since the ISG only allows binaries that are known good, there are cases where legitimate software may be unknown to the ISG and will be blocked by WDAC. In this case, you need to allow the software with a rule in your WDAC policy, deploy a catalog signed by a certificate trusted in the WDAC policy, or install the software from a WDAC managed installer. Installers or applications that dynamically create binaries at runtime, as well as self-updating applications, may exhibit this symptom.

windows/whats-new/ltsc/whats-new-windows-10-2015.md

@@ -194,7 +194,7 @@ Some things that you can check on the device are:
 
 User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment.
 
-You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10.
+You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Universal Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10.
 
 For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings).
 
@@ -291,7 +291,7 @@ For more information about updating Windows 10, see [Windows 10 servicing optio
 
 ## Microsoft Edge
 
-Microsoft Edge is not available in the LTSC release of Windows 10.
+The new chromium-based Microsoft Edge is not included in the LTSC release of Windows 10.  However, you can download and install it separately [here](https://www.microsoft.com/edge/business/download).
 
 ## See Also
 

windows/whats-new/ltsc/whats-new-windows-10-2016.md

@@ -69,7 +69,7 @@ Isolated User Mode is now included with Hyper-V so you don't have to install it
 
 ### Windows Hello for Business
 
-When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
+When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
 
 Additional changes for Windows Hello in Windows 10 Enterprise LTSC 2016:
 
@@ -173,6 +173,10 @@ With the release of this version of Windows 10, UE-V is included with the Window
 
 [Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows)
 
+## Microsoft Edge
+
+The new chromium-based Microsoft Edge is not included in the LTSC release of Windows 10.  However, you can download and install it separately [here](https://www.microsoft.com/edge/business/download).
+
 ## See Also
 
 [Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release.

windows/whats-new/ltsc/whats-new-windows-10-2019.md

@@ -450,7 +450,9 @@ In the Feedback and Settings page under Privacy Settings you can now delete the
 
 ### Kiosk configuration
 
-Microsoft Edge has many improvements specifically targeted to Kiosks, however Edge is not available in the LTSC release of Windows 10. Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release.
+The new chromium-based Microsoft Edge has many improvements specifically targeted to Kiosks. However, it is not included in the LTSC release of Windows 10.  You can download and install Microsoft Edge separately [here](https://www.microsoft.com/edge/business/download).
+
+Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release.
 
 If you wish to take advantage of [Kiosk capabilities in Edge](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](/windows/configuration/kiosk-methods) with a semi-annual release channel. 
 

windows/whats-new/windows-11-prepare.md

@@ -94,6 +94,8 @@ Regardless of the method you choose, you have the benefit of free Microsoft supp
 
 If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows 11 upgrade.
 
+[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) does not support Windows 11. You must use [Endpoint analytics](/mem/analytics/overview).
+
 ## Prepare a pilot deployment
 
 A pilot deployment is a proof of concept that rolls out an upgrade to a select number of devices in production, before deploying it broadly across the organization.  

windows/whats-new/windows-11-requirements.md

@@ -6,7 +6,7 @@ manager: laurawi
 ms.audience: itpro
 author: greg-lindsay
 ms.author: greglin
-ms.prod: w10
+ms.prod: w11
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: medium

windows/whats-new/windows-11.md

@@ -1,13 +1,12 @@
 ---
 title: Windows 11 overview
 description: Overview of Windows 11
-ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
 ms.reviewer: 
 manager: laurawi
 ms.audience: itpro
 author: greg-lindsay
 ms.author: greglin
-ms.prod: w10
+ms.prod: w11
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: medium
@@ -83,4 +82,8 @@ When Windows 11 reaches general availability, important servicing-related announ
 
 [Windows 11 requirements](windows-11-requirements.md)<br>
 [Plan for Windows 11](windows-11-plan.md)<br>
-[Prepare for Windows 11](windows-11-prepare.md)
+[Prepare for Windows 11](windows-11-prepare.md)
+
+## Also see
+
+[What's new in Windows 11](/windows-hardware/get-started/what-s-new-in-windows)<br>