diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index cb9cf7f8cc..6a152ee447 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -12758,6 +12758,15 @@
     {
       "source_path": "windows/deployment/planning/windows-to-go-frequently-asked-questions.yml",
       "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools",
+    },
+    {
+      "source_path": "windows/deployment/upgrade/windows-10-edition-upgrades.md",
+      "redirect_url": "/windows/deployment/upgrade/windows-edition-upgrades",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/deployment/windows-10-media.md",
+      "redirect_url": "/licensing/",
       "redirect_document_id": false
     }
   ]
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index ef83e85701..c62ca17200 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -48,7 +48,10 @@
         "jborsecnik",
         "tiburd",
         "garycentric",
-        "beccarobins"
+        "beccarobins",
+        "Stacyrch140",
+        "v-stsavell",
+        "American-Dipper"
       ]
     },
     "externalReference": [],
diff --git a/education/breadcrumb/toc.yml b/education/breadcrumb/toc.yml
index 23a57d2206..211570e4b0 100644
--- a/education/breadcrumb/toc.yml
+++ b/education/breadcrumb/toc.yml
@@ -1,24 +1,3 @@
-items:
-- name: Docs
-  tocHref: /
-  topicHref: /
-  items:
-    - name: Microsoft Education
-      tocHref: /education/
-      topicHref: /education/index
-      items:
-      - name: Get started
-        tocHref: /education/get-started
-        topicHref: /education/get-started/index
-      - name: Windows
-        tocHref: /education/windows
-        topicHref: /education/windows/index
-      - name: Windows
-        tocHref: /windows/configuration/
-        topicHref: /education/windows/index
-      - name: Windows
-        tocHref: /windows/deployment/
-        topicHref: /education/windows/index
-      - name: Windows
-        tocHref: /windows/Security/Application Control for Windows/
-        topicHref: /education/windows/index
+- name: Windows
+  tocHref: /windows/
+  topicHref: /windows/index
diff --git a/education/docfx.json b/education/docfx.json
index a9579639a6..8b2f9b3edf 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -66,7 +66,7 @@
         "garycentric",
         "v-stsavell",
         "beccarobins",
-        "v-stchambers"
+        "Stacyrch140"
       ]
     },
     "fileMetadata": {
diff --git a/education/index.yml b/education/index.yml
index 29efffa3ae..a41a668122 100644
--- a/education/index.yml
+++ b/education/index.yml
@@ -40,7 +40,7 @@ productDirectory:
       imageSrc: ./images/EDU-Lockbox.svg
       links:
         - url: /azure/active-directory/fundamentals/active-directory-deployment-checklist-p2
-          text: Azure Active Directory feature deployment guide
+          text: Microsoft Entra feature deployment guide
         - url: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/azure-information-protection-deployment-acceleration-guide/ba-p/334423
           text: Azure information protection deployment acceleration guide
         - url: /defender-cloud-apps/get-started
diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md
index adc2f3d815..0c9591c71b 100644
--- a/education/windows/autopilot-reset.md
+++ b/education/windows/autopilot-reset.md
@@ -13,7 +13,7 @@ ms.collection:
 
 # Reset devices with Autopilot Reset 
 
-IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen anytime and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state.
+IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen anytime and apply original settings and management enrollment (Microsoft Entra ID and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state.
 
 To enable Autopilot Reset you must:
 
@@ -89,7 +89,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
 
    - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will reapply the original provisioning package on the device. 
 
-   - Is returned to a known good managed state, connected to Azure AD and MDM.
+   - Is returned to a known good managed state, connected to Microsoft Entra ID and MDM.
 
      ![Notification that provisioning is complete.](images/autopilot-reset-provisioningcomplete.png)
 
diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md
index 12bc0daf1b..caa984b456 100644
--- a/education/windows/change-home-to-edu.md
+++ b/education/windows/change-home-to-edu.md
@@ -211,13 +211,13 @@ A firmware embedded key is only required to upgrade using Subscription Activatio
 
 ### What is a multiple activation key and how does it differ from using KMS, Active Directory based activation or Subscription Activation?
 
-A multiple activation key activates either individual computers or a group of computers by connecting directly to servers over the internet or by telephone. KMS, Active Directory based activation and subscription activation are bulk activation methods that work based on network proximity or joining to Active Directory or Azure Active Directory. The table below shows which methods can be used for each scenario.
+A multiple activation key activates either individual computers or a group of computers by connecting directly to servers over the internet or by telephone. KMS, Active Directory based activation and subscription activation are bulk activation methods that work based on network proximity or joining to Active Directory or Microsoft Entra ID. The table below shows which methods can be used for each scenario.
 
 | Scenario | Ownership | MAK | KMS | AD based activation | Subscription Activation |
 |-|-|:-:|:-:|:-:|:-:|
 | **Workplace join (add work or school account)** | Personal (or student-owned) | X | | | |
-| **Azure AD Join** | Organization | X | X | | X |
-| **Hybrid Azure AD Join** | Organization | X | X | X | X |
+| **Microsoft Entra join** | Organization | X | X | | X |
+| **Microsoft Entra hybrid join** | Organization | X | X | X | X |
 
 ## Related links
 
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 8871798ac4..1453e64ad3 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -125,10 +125,10 @@ Table 3. Settings in the Security node in the Google Admin Console
 
 |Section|Settings|
 |--- |--- |
-|Basic settings|These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.<br> Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.|
+|Basic settings|These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.<br> Record these settings and use them to help configure your on-premises Active Directory or Microsoft Entra ID to mirror the current behavior of your Chromebook environment.|
 |Password monitoring|This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section.|
 |API reference|This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section.|
-|Set up single sign-on (SSO)|This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.|
+|Set up single sign-on (SSO)|This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Microsoft Entra synchronization to replace Google-based SSO.|
 |Advanced settings|This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.|
 
 **Identify locally configured settings to migrate**
@@ -306,7 +306,7 @@ Consider the following when you create your cloud services migration strategy:
 
 You need to plan for Windows device deployment to help ensure that the devices are successfully installed and configured to replace the Chromebook devices. Even if the vendor that provides the devices pre-loads Windows 10 on them, you still will need to perform other tasks.
 
-In this section, you'll select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation.
+In this section, you'll select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Microsoft Entra services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation.
 
 ### <a href="" id="select-windows-device-deploy"></a>
 
@@ -332,17 +332,17 @@ Record the combination of Windows device deployment strategies that you selected
 
 ### <a href="" id="plan-adservices"></a>
 
-**Plan for AD DS and Azure AD services**
+**Plan for AD DS and Microsoft Entra services**
 
-The next decision you'll need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you'll manage your users, apps, and devices and if you'll use Office 365 and other Azure-based cloud services.
+The next decision you'll need to make concerns AD DS and Microsoft Entra services. You can run AD DS on-premises, in the cloud by using Microsoft Entra ID, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you'll manage your users, apps, and devices and if you'll use Office 365 and other Azure-based cloud services.
 
-In the hybrid configuration, your on-premises AD DS user and group objects are synchronized with Azure AD (including passwords). The synchronization happens both directions so that changes are made in both your on-premises AD DS and Azure AD.
+In the hybrid configuration, your on-premises AD DS user and group objects are synchronized with Microsoft Entra ID (including passwords). The synchronization happens both directions so that changes are made in both your on-premises AD DS and Microsoft Entra ID.
 
-Table 5 is a decision matrix that helps you decide if you can use only on-premises AD DS, only Azure AD, or a combination of both (hybrid). If the requirements you select from the table require on-premises AD DS and Azure AD, then you should select hybrid. For example, if you plan to use Office 365 and use Group Policy for management, then you would select hybrid. However, if you plan to use Office 365 and use Intune for management, then you would select only Azure AD.
+Table 5 is a decision matrix that helps you decide if you can use only on-premises AD DS, only Microsoft Entra ID, or a combination of both (hybrid). If the requirements you select from the table require on-premises AD DS and Microsoft Entra ID, then you should select hybrid. For example, if you plan to use Office 365 and use Group Policy for management, then you would select hybrid. However, if you plan to use Office 365 and use Intune for management, then you would select only Microsoft Entra ID.
 
-Table 5. Select on-premises AD DS, Azure AD, or hybrid
+Table 5. Select on-premises AD DS, Microsoft Entra ID, or hybrid
 
-|If you plan to...|On-premises AD DS|Azure AD|Hybrid|
+|If you plan to...|On-premises AD DS|Microsoft Entra ID|Hybrid|
 |--- |--- |--- |--- |
 |Use Office 365||✔️|✔️|
 |Use Intune for management||✔️|✔️|
@@ -383,7 +383,7 @@ Record the device, user, and app management products and technologies that you s
 
 **Plan network infrastructure remediation**
 
-In addition to AD DS, Azure AD, and management components, there are other network infrastructure services that Windows devices need. In most instances, Windows devices have the same network infrastructure requirements as the existing Chromebook devices.
+In addition to AD DS, Microsoft Entra ID, and management components, there are other network infrastructure services that Windows devices need. In most instances, Windows devices have the same network infrastructure requirements as the existing Chromebook devices.
 
 Examine each of the following network infrastructure technologies and services and determine if any remediation is necessary:
 
@@ -439,20 +439,22 @@ It's important that you perform any network infrastructure remediation first bec
 
 If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section.
 
-## Perform AD DS and Azure AD services deployment or remediation
+<a name='perform-ad-ds-and-azure-ad-services-deployment-or-remediation'></a>
+
+## Perform AD DS and Microsoft Entra services deployment or remediation
 
 
-It's important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations.
+It's important that you perform AD DS and Microsoft Entra services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Microsoft Entra ID) in place and up to necessary expectations.
 
-In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Use the following resources to deploy or remediate on-premises AD DS, Azure AD, or both:
+In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Microsoft Entra deployment or remediation (if any) that needed to be performed. Use the following resources to deploy or remediate on-premises AD DS, Microsoft Entra ID, or both:
 
 - [Core network guidance for Windows Server](/windows-server/networking/core-network-guide/core-network-guide-windows-server)
 - [AD DS overview](/windows-server/identity/ad-ds/active-directory-domain-services)
-- [Azure AD documentation](/azure/active-directory/)
-- [Azure AD Premium](https://azure.microsoft.com/pricing/details/active-directory/)
+- [Microsoft Entra documentation](/azure/active-directory/)
+- [Microsoft Entra ID P1 or P2](https://azure.microsoft.com/pricing/details/active-directory/)
 - [Safely virtualizing Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)|
 
-If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps.
+If you decided not to migrate to AD DS or Microsoft Entra ID as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps.
 
 ## Prepare device, user, and app management systems
 
diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md
index 1e8066b140..8f3304ae76 100644
--- a/education/windows/configure-aad-google-trust.md
+++ b/education/windows/configure-aad-google-trust.md
@@ -1,60 +1,62 @@
 ---
-title: Configure federation between Google Workspace and Azure AD
-description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD.
+title: Configure federation between Google Workspace and Microsoft Entra ID
+description: Configuration of a federated trust between Google Workspace and Microsoft Entra ID, with Google Workspace acting as an identity provider (IdP) for Microsoft Entra ID.
 ms.date: 09/11/2023
 ms.topic: how-to
 appliesto:
 ---
 
-# Configure federation between Google Workspace and Azure AD
+# Configure federation between Google Workspace and Microsoft Entra ID
 
 This article describes the steps required to configure Google Workspace as an identity provider (IdP) for Azure AD.\
-Once configured, users will be able to sign in to Azure AD with their Google Workspace credentials.
+Once configured, users will be able to sign in to Microsoft Entra ID with their Google Workspace credentials.
 
 ## Prerequisites
 
-To configure Google Workspace as an IdP for Azure AD, the following prerequisites must be met:
+To configure Google Workspace as an IdP for Microsoft Entra ID, the following prerequisites must be met:
 
-1. An Azure AD tenant, with one or multiple custom DNS domains (that is, domains that aren't in the format \**.onmicrosoft.com*)
-    - If the federated domain hasn't yet been added to Azure AD, you must have access to the DNS domain to create a DNS record. This is required to verify the ownership of the DNS namespace
-    - Learn how to [Add your custom domain name using the Azure Active Directory portal](/azure/active-directory/fundamentals/add-custom-domain)
-1. Access to Azure AD with an account with the *Global Administrator* role
+1. A Microsoft Entra tenant, with one or multiple custom DNS domains (that is, domains that aren't in the format \**.onmicrosoft.com*)
+    - If the federated domain hasn't yet been added to Microsoft Entra ID, you must have access to the DNS domain to create a DNS record. This is required to verify the ownership of the DNS namespace
+    - Learn how to [Add your custom domain name using the Microsoft Entra admin center](/azure/active-directory/fundamentals/add-custom-domain)
+1. Access to Microsoft Entra ID with an account with the *Global Administrator* role
 1. Access to Google Workspace with an account with *super admin* privileges
 
 To test federation, the following prerequisites must be met:
 
 1. A Google Workspace environment, with users already created
     > [!IMPORTANT]
-    > Users require an email address defined in Google Workspace, which is used to match the users in Azure AD.
-    > For more information about identity matching, see [Identity matching in Azure AD](federated-sign-in.md#identity-matching-in-azure-ad).
-1. Individual Azure AD accounts already created: each Google Workspace user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example:
+    > Users require an email address defined in Google Workspace, which is used to match the users in Microsoft Entra ID.
+    > For more information about identity matching, see [Identity matching in Microsoft Entra ID](federated-sign-in.md#identity-matching-in-azure-ad).
+1. Individual Microsoft Entra accounts already created: each Google Workspace user will require a matching account defined in Microsoft Entra ID. These accounts are commonly created through automated solutions, for example:
     - School Data Sync (SDS)
-    - Azure AD Connect sync for environment with on-premises AD DS
+    - Microsoft Entra Connect Sync for environment with on-premises AD DS
     - PowerShell scripts that call the Microsoft Graph API
     - Provisioning tools offered by the IdP - this capability is offered by Google Workspace through [auto-provisioning](https://support.google.com/a/answer/7365072)
 
-## Configure Google Workspace as an IdP for Azure AD
+<a name='configure-google-workspace-as-an-idp-for-azure-ad'></a>
+
+## Configure Google Workspace as an IdP for Microsoft Entra ID
 
 1. Sign in to the [Google Workspace Admin Console](https://admin.google.com) with an account with *super admin* privileges
 1. Select **Apps > Web and mobile apps**
 1. Select **Add app > Search for apps** and search for *microsoft*
 1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select**
    :::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app.":::
-1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Azure AD later
+1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Microsoft Entra ID later
 1. On the **Service provider detail's** page
       - Select the option **Signed response**
       - Verify that the Name ID format is set to **PERSISTENT**
-      - Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping.\
+      - Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you may need to adjust the **Name ID** mapping.\
         If using Google auto-provisioning, select **Basic Information > Primary email**
       - Select **Continue**
-1. On the **Attribute mapping** page, map the Google attributes to the Azure AD attributes
+1. On the **Attribute mapping** page, map the Google attributes to the Microsoft Entra attributes
 
-    |Google Directory attributes|Azure AD attributes|
+    |Google Directory attributes|Microsoft Entra attributes|
     |-|-|
     |Basic Information: Primary Email|App attributes: IDPEmail|
 
     > [!IMPORTANT]
-    > You must ensure that your the Azure AD user accounts email match those in your Google Workspace.
+    > You must ensure that your the Microsoft Entra user accounts email match those in your Google Workspace.
 
 1. Select **Finish**
 
@@ -66,10 +68,12 @@ Now that the app is configured, you must enable it for the users in Google Works
 1. Select **User access**
 1. Select **ON for everyone > Save**
 
-## Configure Azure AD as a Service Provider (SP) for Google Workspace
+<a name='configure-azure-ad-as-a-service-provider-sp-for-google-workspace'></a>
 
-The configuration of Azure AD consists of changing the authentication method for the custom DNS domains. This configuration can be done using PowerShell.\
-Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in a PowerShell session. When prompted to authenticate to Azure AD, use the credentials of an account with the *Global Administrator* role.
+## Configure Microsoft Entra ID as a Service Provider (SP) for Google Workspace
+
+The configuration of Microsoft Entra ID consists of changing the authentication method for the custom DNS domains. This configuration can be done using PowerShell.\
+Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in a PowerShell session. When prompted to authenticate to Microsoft Entra ID, use the credentials of an account with the *Global Administrator* role.
 
 ```powershell
 Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
@@ -125,12 +129,14 @@ SigningCertificate                    : <BASE64 encoded certificate>
 AdditionalProperties                  : {}
 ```
 
-## Verify federated authentication between Google Workspace and Azure AD
+<a name='verify-federated-authentication-between-google-workspace-and-azure-ad'></a>
+
+## Verify federated authentication between Google Workspace and Microsoft Entra ID
 
 From a private browser session, navigate to https://portal.azure.com and sign in with a Google Workspace account:
 
 1. As username, use the email as defined in Google Workspace
 1. The user will be redirected to Google Workspace to sign in
-1. After Google Workspace authentication, the user will be redirected back to Azure AD and signed in
+1. After Google Workspace authentication, the user will be redirected back to Microsoft Entra ID and signed in
 
-:::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::
\ No newline at end of file
+:::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index e7c2c92cd2..d9b96510a0 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -29,7 +29,7 @@ It's easy to be education ready when using Microsoft products. We recommend the
 
 1. Use an Office 365 Education tenant. 
 
-    With Office 365, you also have Azure Active Directory (Azure AD). To learn more about Office 365 Education features and pricing, see [Office 365 Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans).
+    With Office 365, you also have Microsoft Entra ID. To learn more about Office 365 Education features and pricing, see [Office 365 Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans).
 
 2. Activate Intune for Education in your tenant.
 
@@ -39,11 +39,11 @@ It's easy to be education ready when using Microsoft products. We recommend the
    1. Provision the PC using one of these methods:
       * [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - The usage of this method will automatically set both **SetEduPolicies** to True and **AllowCortana** to False.
       * [Provision PCs with a custom package created with Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False.
-   2. Join the PC to Azure Active Directory.
-      * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Azure AD.
-      * Manually Azure AD join the PC during the Windows device setup experience.
+   2. Join the PC to Microsoft Entra ID.
+      * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Microsoft Entra ID.
+      * Manually Microsoft Entra join the PC during the Windows device setup experience.
    3. Enroll the PCs in MDM.
-      * If you've activated Intune for Education in your Azure AD tenant, enrollment will happen automatically when the PC is joined to Azure AD. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False.
+      * If you've activated Intune for Education in your Microsoft Entra tenant, enrollment will happen automatically when the PC is joined to Microsoft Entra ID. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False.
    4. Ensure that needed assistive technology apps can be used.
       * If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info.
 
@@ -136,13 +136,15 @@ Provide an ad-free experience that is a safer, more private search option for K
 
 ### Configurations
 
-#### Azure AD and Office 365 Education tenant
+<a name='azure-ad-and-office-365-education-tenant'></a>
+
+#### Microsoft Entra ID and Office 365 Education tenant
 To suppress ads when searching with Bing on Microsoft Edge on any network, follow these steps:
 
 1. Ensure your Office 365 tenant is registered as an education tenant. For more information, see [Verify your Office 365 domain to prove education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-viva-engage-87d1844e-aa47-4dc0-a61b-1b773fd4e590).
-2. Domain join the Windows 10 PCs to your Azure AD tenant (this tenant is the same as your Office 365 tenant).
+2. Domain join the Windows 10 PCs to your Microsoft Entra tenant (this tenant is the same as your Office 365 tenant).
 3. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
-4. Have students sign in with their Azure AD identity, which is the same as your Office 365 identity, to use the PC.
+4. Have students sign in with their Microsoft Entra identity, which is the same as your Office 365 identity, to use the PC.
 > [!NOTE]
 > If you are verifying your Office 365 domain to prove education status (step 1 above), you may need to wait up to 7 days for the ad-free experience to take effect. Microsoft recommends not to roll out the browser to your students until that time.
 
@@ -154,4 +156,4 @@ To suppress ads only when the student signs into Bing with their Office 365 acco
 
 
 ## Related topics
-[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
\ No newline at end of file
+[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index f7ec888e80..43162f541c 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -1,6 +1,6 @@
 ---
 title: Deploy Windows 10 in a school district 
-description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use Microsoft Configuration Manager, Intune, and Group Policy to manage devices.
+description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Entra ID, use Microsoft Configuration Manager, Intune, and Group Policy to manage devices.
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
@@ -9,7 +9,7 @@ appliesto:
 
 # Deploy Windows 10 in a school district
 
-This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system.
+This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Entra ID; and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system.
 
 ## Prepare for district deployment
 
@@ -68,9 +68,9 @@ This district configuration has the following characteristics:
   > [!NOTE]
   > In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2.
   
-* The devices use Azure AD in Office 365 Education for identity management.
+* The devices use Microsoft Entra ID in Office 365 Education for identity management.
 
-* If you've on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity).
+* If you've on-premises AD DS, you can [integrate Microsoft Entra ID with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity).
 
 * Use [Intune](/intune/), [Mobile Device Management for Office 365](/microsoft-365/admin/basic-mobility-security/set-up), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices.
 
@@ -155,7 +155,7 @@ The high-level process for deploying and configuring devices within individual c
 
 2. On the admin device, create and configure the Office 365 Education subscription that you'll use for the district’s classrooms.
 
-3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you've an on premises AD DS configuration).
+3. On the admin device, configure integration between on-premises AD DS and Microsoft Entra ID (if you've an on premises AD DS configuration).
 
 4. On the admin device, create and configure a Microsoft Store for Business portal.
 
@@ -167,7 +167,7 @@ The high-level process for deploying and configuring devices within individual c
 
 8. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10.
 
-9. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS–Azure AD integration.
+9. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS–Microsoft Entra integration.
 
 > [!div class="mx-imgBorder"]
 > ![How district configuration works.](images/edu-districtdeploy-fig4.png "How district configuration works")
@@ -190,7 +190,7 @@ Before you select the deployment and management methods, you need to review the
 
 |Scenario feature |Cloud-centric|On-premises and cloud|
 |---|---|---|
-|Identity management | Azure AD (stand-alone or integrated with on-premises AD DS)  |  AD DS integrated with Azure AD |
+|Identity management | Microsoft Entra ID (stand-alone or integrated with on-premises AD DS)  |  AD DS integrated with Microsoft Entra ID |
 |Windows 10 deployment   | MDT only  |  Microsoft Configuration Manager with MDT |
 |Configuration setting management  | Intune  |  Group Policy<br/><br/>Intune|
 |App and update management |  Intune |Microsoft Configuration Manager<br/><br/>Intune|
@@ -239,7 +239,7 @@ For a district, there are many ways to manage the configuration setting for user
 |Method|Description|
 |--- |--- |
 |Group Policy|Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. <br> Select this method when you <li>Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).<li> Want more granular control of device and user settings. <li>Have an existing AD DS infrastructure.<li>Typically manage on-premises devices.<li>Can manage a required setting only by using Group Policy. <br>The advantages of this method include: <li>No cost beyond the AD DS infrastructure. <li>A larger number of settings (compared to Intune).<br>The disadvantages of this method are that it:<li>Can only manage domain-joined (institution-owned devices).<li>Requires an AD DS infrastructure (if the institution doesn't  have AD DS already).<li>Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).<li> Has rudimentary app management capabilities.<li> can't  deploy Windows 10 operating systems.|
-|Intune|Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.<br>Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.<br>Select this method when you:<li> Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).<li>Don’t need granular control over device and user settings (compared to Group Policy).<li>Don’t have an existing AD DS infrastructure.<li>Need to manage devices regardless of where they are (on or off premises).<li>Want to provide application management for the entire application life cycle.<li>Can manage a required setting only by using Intune.<br>The advantages of this method are that:<li>You can manage institution-owned and personal devices.<li>It doesn’t require that devices be domain joined.<li>It doesn’t require any on-premises infrastructure.<li>It can manage devices regardless of their location (on or off premises).<br>The disadvantages of this method are that it:<li>Carries an extra cost for Intune subscription licenses.<li>Doesn’t offer granular control over device and user settings (compared to Group Policy).<li>can't  deploy Windows 10 operating systems.|
+|Intune|Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Microsoft Entra ID.<br>Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.<br>Select this method when you:<li> Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).<li>Don’t need granular control over device and user settings (compared to Group Policy).<li>Don’t have an existing AD DS infrastructure.<li>Need to manage devices regardless of where they are (on or off premises).<li>Want to provide application management for the entire application life cycle.<li>Can manage a required setting only by using Intune.<br>The advantages of this method are that:<li>You can manage institution-owned and personal devices.<li>It doesn’t require that devices be domain joined.<li>It doesn’t require any on-premises infrastructure.<li>It can manage devices regardless of their location (on or off premises).<br>The disadvantages of this method are that it:<li>Carries an extra cost for Intune subscription licenses.<li>Doesn’t offer granular control over device and user settings (compared to Group Policy).<li>can't  deploy Windows 10 operating systems.|
 
 *Table 4. Configuration setting management methods*
 
@@ -261,8 +261,8 @@ Use the information in Table 6 to determine which combination of app and update
 |Selection|Management method|
 |--- |--- |
 |Microsoft Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:<li>Selected Configuration Manager to deploy Windows 10.<li>Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).<li>Want to manage AD DS domain-joined devices.<li>Have an existing AD DS infrastructure.<li>Typically manage on-premises devices.<li>Want to deploy operating systems.<li>Want to provide application management for the entire application life cycle.<br>The advantages of this method are that:<li>You can deploy Windows 10 operating systems.<li>You can manage applications throughout the entire application life cycle.<li>You can manage software updates for Windows 10 and apps.<li>You can manage antivirus and malware protection.<li>It scales to large numbers of users and devices.<br>The disadvantages of this method are that it:<li>Carries an extra cost for Configuration Manager server licenses (if the institution doesn't  have Configuration Manager already).<li>Carries an extra cost for Windows Server licenses and the corresponding server hardware.<li>Can only manage domain-joined (institution-owned devices).<li>Requires an AD DS infrastructure (if the institution doesn't  have AD DS already).<li>Typically manages on-premises devices (unless devices through VPN or DirectAccess).|
-|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.<br>Select this method when you:<li>Selected MDT only to deploy Windows 10.<li>Want to manage institution-owned and personal devices that aren't  domain joined.<li>Want to manage Azure AD domain-joined devices.<li>Need to manage devices regardless of where they are (on or off premises).<li>Want to provide application management for the entire application life cycle.<br>The advantages of this method are that:<li>You can manage institution-owned and personal devices.<li>It doesn’t require that devices be domain joined.<li>It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).<li>You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).<br>The disadvantages of this method are that it:<li>Carries an extra cost for Intune subscription licenses.<li>can't  deploy Windows 10 operating systems.|
-|Microsoft Configuration Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.<br><br>Configuration Manager and Intune in the hybrid configuration allows you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices. <br><br>Select this method when you:<br><li>Selected Microsoft Configuration Manager to deploy Windows 10.<li>Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).<li>Want to manage domain-joined devices.<li>Want to manage Azure AD domain-joined devices.<li>Have an existing AD DS infrastructure.<li>Want to manage devices regardless of their connectivity.vWant to deploy operating systems.<li>Want to provide application management for the entire application life cycle.<br><br>The advantages of this method are that:<li>You can deploy operating systems.<li>You can manage applications throughout the entire application life cycle.<li>You can scale to large numbers of users and devices.<li>You can support institution-owned and personal devices.<li>It doesn’t require that devices be domain joined.<li>It can manage devices regardless of their location (on or off premises).<br><br>The disadvantages of this method are that it:<li>Carries an extra cost for Configuration Manager server licenses (if the institution doesn't  have Configuration Manager already).<li>Carries an extra cost for Windows Server licenses and the corresponding server hardware.<li>Carries an extra cost for Intune subscription licenses.<li>Requires an AD DS infrastructure (if the institution doesn't  have AD DS already).|
+|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Microsoft Entra ID.<br>Select this method when you:<li>Selected MDT only to deploy Windows 10.<li>Want to manage institution-owned and personal devices that aren't  domain joined.<li>Want to manage Microsoft Entra domain-joined devices.<li>Need to manage devices regardless of where they are (on or off premises).<li>Want to provide application management for the entire application life cycle.<br>The advantages of this method are that:<li>You can manage institution-owned and personal devices.<li>It doesn’t require that devices be domain joined.<li>It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).<li>You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).<br>The disadvantages of this method are that it:<li>Carries an extra cost for Intune subscription licenses.<li>can't  deploy Windows 10 operating systems.|
+|Microsoft Configuration Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.<br><br>Configuration Manager and Intune in the hybrid configuration allows you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices. <br><br>Select this method when you:<br><li>Selected Microsoft Configuration Manager to deploy Windows 10.<li>Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).<li>Want to manage domain-joined devices.<li>Want to manage Microsoft Entra domain-joined devices.<li>Have an existing AD DS infrastructure.<li>Want to manage devices regardless of their connectivity.vWant to deploy operating systems.<li>Want to provide application management for the entire application life cycle.<br><br>The advantages of this method are that:<li>You can deploy operating systems.<li>You can manage applications throughout the entire application life cycle.<li>You can scale to large numbers of users and devices.<li>You can support institution-owned and personal devices.<li>It doesn’t require that devices be domain joined.<li>It can manage devices regardless of their location (on or off premises).<br><br>The disadvantages of this method are that it:<li>Carries an extra cost for Configuration Manager server licenses (if the institution doesn't  have Configuration Manager already).<li>Carries an extra cost for Windows Server licenses and the corresponding server hardware.<li>Carries an extra cost for Intune subscription licenses.<li>Requires an AD DS infrastructure (if the institution doesn't  have AD DS already).|
 
 *Table 6. App and update management products*
 
@@ -428,7 +428,7 @@ Now that you've created your new Office 365 Education subscription, add the doma
 To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
 
 > [!NOTE]
-> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up FAQ](/microsoft-365/education/deploy/office-365-education-self-sign-up).
+> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Microsoft Entra Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up FAQ](/microsoft-365/education/deploy/office-365-education-self-sign-up).
 
 Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
 
@@ -450,7 +450,7 @@ By default, all new Office 365 Education subscriptions have automatic tenant joi
 *Table 10. Windows PowerShell commands to enable or disable automatic tenant join*
 
 > [!NOTE]
-> If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant.
+> If your institution has AD DS, then disable automatic tenant join. Instead, use Microsoft Entra integration with AD DS to add users to your Office 365 tenant.
 
 ### Disable automatic licensing
 
@@ -468,129 +468,143 @@ Although all new Office 365 Education subscriptions have automatic licensing ena
 
 *Table 11. Windows PowerShell commands to enable or disable automatic licensing*
 
-### Enable Azure AD Premium
+<a name='enable-azure-ad-premium'></a>
 
-When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory, the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD-integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium.
+### Enable Microsoft Entra ID P1 or P2
 
-Educational institutions can obtain Azure AD Basic edition licenses at no cost if they have a volume license agreement. After your institution obtains its licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access).
+When you create your Office 365 subscription, you create an Office 365 tenant that includes a Microsoft Entra directory, the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Microsoft Entra integrated apps. Microsoft Entra ID is available in Free, Basic, and Premium editions. Microsoft Entra ID Free, which is included in Office 365 Education, has fewer features than Microsoft Entra Basic, which in turn has fewer features than Microsoft Entra ID P1 or P2.
 
-The following Azure AD Premium features aren't  in Azure AD Basic:
+Educational institutions can obtain Microsoft Entra Basic edition licenses at no cost if they have a volume license agreement. After your institution obtains its licenses, activate your Microsoft Entra ID access by completing the steps in [Step 3: Activate your Microsoft Entra ID access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access).
+
+The following Microsoft Entra ID P1 or P2 features aren't  in Microsoft Entra Basic:
 
 * Allow designated users to manage group membership
 * Dynamic group membership based on user metadata
-* Azure AD Multi-Factor Authentication (MFA; see [What is Azure AD Multi-Factor Authentication](/azure/active-directory/authentication/concept-mfa-howitworks))
+* Microsoft Entra multifactor authentication (MFA; see [What is Microsoft Entra multifactor authentication](/azure/active-directory/authentication/concept-mfa-howitworks))
 * Identify cloud apps that your users run
 * Self-service recovery of BitLocker
 * Add local administrator accounts to Windows 10 devices
-* Azure AD Connect health monitoring
+* Microsoft Entra Connect Health monitoring
 * Extended reporting capabilities
 
-You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users.
+You can assign Microsoft Entra ID P1 or P2 licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Microsoft Entra ID P1 or P2 to only those users.
 
-You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You'll assign Azure AD Premium licenses to users later in the deployment process.
+You can sign up for Microsoft Entra ID P1 or P2, and then assign licenses to users. In this section, you sign up for Microsoft Entra ID P1 or P2. You'll assign Microsoft Entra ID P1 or P2 licenses to users later in the deployment process.
 
 For more information about:
 
-* Azure AD editions and the features in each, see [Azure Active Directory editions](/azure/active-directory/fundamentals/active-directory-whatis).
-* How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](/previous-versions/azure/azure-services/jj573650(v=azure.100)#create_tenant3).
+* Microsoft Entra editions and the features in each, see [Microsoft Entra editions](/azure/active-directory/fundamentals/active-directory-whatis).
+* How to enable Microsoft Entra ID P1 or P2, see [Associate a Microsoft Entra directory with a new Azure subscription](/previous-versions/azure/azure-services/jj573650(v=azure.100)#create_tenant3).
 
 #### Summary
 
-You provision and initially configure Office 365 Education as part of initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if necessary), you’re ready to select the method you'll use to create user accounts in Office 365.
+You provision and initially configure Office 365 Education as part of initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Microsoft Entra ID P1 or P2 enabled (if necessary), you’re ready to select the method you'll use to create user accounts in Office 365.
 
 ## Select an Office 365 user account–creation method
 
 Now that you've an Office 365 subscription, you must determine how you’ll create your Office 365 user accounts. Use one of the following methods to make your decision:
 
-* Method 1: Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you've an on-premises AD DS domain.
-* Method 2: Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain.
+* Method 1: Automatically synchronize your on-premises AD DS domain with Microsoft Entra ID. Select this method if you've an on-premises AD DS domain.
+* Method 2: Bulk-import the user accounts from a .csv file (based on information from other sources) into Microsoft Entra ID. Select this method if you don’t have an on-premises AD DS domain.
 
-### Method 1: Automatic synchronization between AD DS and Azure AD
+<a name='method-1-automatic-synchronization-between-ad-ds-and-azure-ad'></a>
 
-In this method, you've an on-premises AD DS domain. As shown in Figure 5, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD.
+### Method 1: Automatic synchronization between AD DS and Microsoft Entra ID
+
+In this method, you've an on-premises AD DS domain. As shown in Figure 5, the Microsoft Entra Connector tool automatically synchronizes AD DS with Microsoft Entra ID. When you add or change any user accounts in AD DS, the Microsoft Entra Connector tool automatically updates Microsoft Entra ID.
 
 > [!NOTE]
-> Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)).
+> Microsoft Entra Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)).
 
 > [!div class="mx-imgBorder"]
-> ![Automatic synchronization between AD DS and Azure AD.](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD")
+> ![Automatic synchronization between AD DS and Azure AD.](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Microsoft Entra ID")
 
-*Figure 5. Automatic synchronization between AD DS and Azure AD*
+*Figure 5. Automatic synchronization between AD DS and Microsoft Entra ID*
 
-For more information about how to perform this step, see the [Integrate on-premises AD DS with Azure AD](#integrate-on-premises-ad-ds-with-azure-ad) section later in this guide.
+For more information about how to perform this step, see the [Integrate on-premises AD DS with Microsoft Entra ID](#integrate-on-premises-ad-ds-with-azure-ad) section later in this guide.
 
-### Method 2: Bulk import into Azure AD from a .csv file
+<a name='method-2-bulk-import-into-azure-ad-from-a-csv-file'></a>
 
-In this method, you've no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies.
+### Method 2: Bulk import into Microsoft Entra ID from a .csv file
+
+In this method, you've no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Microsoft Entra ID. The .csv file must be in the format that Office 365 specifies.
 
 > [!div class="mx-imgBorder"]
-> ![Bulk import into Azure AD from other sources.](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources")
+> ![Bulk import into Microsoft Entra ID from other sources.](images/edu-districtdeploy-fig6.png "Bulk import into Microsoft Entra ID from other sources")
 
-*Figure 6. Bulk import into Azure AD from other sources*
+*Figure 6. Bulk import into Microsoft Entra ID from other sources*
 
 To implement this method, perform the following steps:
 
 1. Export the student information from the source.
 
    Put the student information in the format the bulk-import feature requires.
-2. Bulk-import the student information into Azure AD.
+2. Bulk-import the student information into Microsoft Entra ID.
 
    For more information about how to perform this step, see the [Bulk-import user and group accounts into Office 365](#bulk-import-user-and-group-accounts-into-office-365) section.
 
 #### Summary
 
-In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Azure AD (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts.
+In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Microsoft Entra ID (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts.
 
-## Integrate on-premises AD DS with Azure AD
+<a name='integrate-on-premises-ad-ds-with-azure-ad'></a>
 
-You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS.
+## Integrate on-premises AD DS with Microsoft Entra ID
+
+You can integrate your on-premises AD DS domain with Microsoft Entra ID to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Microsoft Entra ID with the Microsoft Entra Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS.
 
 > [!NOTE]
 > If your institution doesn't  have an on-premises AD DS domain, you can skip this section.
 
 ### Select a synchronization model
 
-Before you deploy AD DS and Azure AD synchronization, determine where you want to deploy the server that runs Azure AD Connect.
+Before you deploy AD DS and Microsoft Entra synchronization, determine where you want to deploy the server that runs Microsoft Entra Connect.
 
-You can deploy the Azure AD Connect tool:
+You can deploy the Microsoft Entra Connect tool:
 
-- **On premises.** As shown in Figure 7, Azure AD Connect runs on premises which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server.
+- **On premises.** As shown in Figure 7, Microsoft Entra Connect runs on premises which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server.
 
   > [!div class="mx-imgBorder"]
-  > ![Azure AD Connect on premises.](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises")
+  > ![Microsoft Entra Connect on premises.](images/edu-districtdeploy-fig7.png "Microsoft Entra Connect on premises")
 
-  *Figure 7. Azure AD Connect on premises*
+  *Figure 7. Microsoft Entra Connect on premises*
 
-- **In Azure.** As shown in Figure 8, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
+- **In Azure.** As shown in Figure 8, Microsoft Entra Connect runs on a VM in Microsoft Entra ID, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
 
   > [!div class="mx-imgBorder"]
-  > ![Azure AD Connect in Azure.](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure")
+  > ![Microsoft Entra Connect in Azure.](images/edu-districtdeploy-fig8.png "Microsoft Entra Connect in Azure")
 
-  *Figure 8. Azure AD Connect in Azure*
+  *Figure 8. Microsoft Entra Connect in Azure*
 
-This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](/microsoft-365/enterprise/deploy-microsoft-365-directory-synchronization-dirsync-in-microsoft-azure).
+This guide describes how to run Microsoft Entra Connect on premises. For information about running Microsoft Entra Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](/microsoft-365/enterprise/deploy-microsoft-365-directory-synchronization-dirsync-in-microsoft-azure).
 
-### Deploy Azure AD Connect on premises
+<a name='deploy-azure-ad-connect-on-premises'></a>
 
-In this synchronization model (illustrated in Figure 7), you run Azure AD Connect on premises on a physical device or in a VM. Azure AD Connect synchronizes AD DS user and group accounts with Azure AD and includes a wizard that helps you configure Azure AD Connect for your AD DS domain and Office 365 subscription. First, you install Azure AD Connect; then, you run the wizard to configure it for your institution.
+### Deploy Microsoft Entra Connect on premises
 
-#### To deploy AD DS and Azure AD synchronization
+In this synchronization model (illustrated in Figure 7), you run Microsoft Entra Connect on premises on a physical device or in a VM. Microsoft Entra Connect synchronizes AD DS user and group accounts with Microsoft Entra ID and includes a wizard that helps you configure Microsoft Entra Connect for your AD DS domain and Office 365 subscription. First, you install Microsoft Entra Connect; then, you run the wizard to configure it for your institution.
 
-1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](/azure/active-directory/cloud-sync/how-to-prerequisites).
+<a name='to-deploy-ad-ds-and-azure-ad-synchronization'></a>
 
-2. In the VM or on the physical device that will run Azure AD Connect, sign in with a domain administrator account.
+#### To deploy AD DS and Microsoft Entra synchronization
 
-3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](/azure/active-directory/hybrid/whatis-hybrid-identity#install-azure-ad-connect).
+1. Configure your environment to meet the prerequisites for installing Microsoft Entra Connect by performing the steps in [Prerequisites for Microsoft Entra Connect](/azure/active-directory/cloud-sync/how-to-prerequisites).
 
-4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure sync features](/azure/active-directory/hybrid/whatis-hybrid-identity#configure-sync-features).
+2. In the VM or on the physical device that will run Microsoft Entra Connect, sign in with a domain administrator account.
 
-Now that you've used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD.
+3. Install Microsoft Entra Connect by performing the steps in [Install Microsoft Entra Connect](/azure/active-directory/hybrid/whatis-hybrid-identity#install-azure-ad-connect).
+
+4. Configure Microsoft Entra Connect features based on your institution’s requirements by performing the steps in [Configure sync features](/azure/active-directory/hybrid/whatis-hybrid-identity#configure-sync-features).
+
+Now that you've used on premises Microsoft Entra Connect to deploy AD DS and Microsoft Entra synchronization, you’re ready to verify that Microsoft Entra Connect is synchronizing AD DS user and group accounts with Microsoft Entra ID.
 
 ### Verify synchronization
 
-Azure AD Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Azure AD in the Office 365 admin console.
+Microsoft Entra Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Microsoft Entra ID in the Office 365 admin console.
 
-#### To verify AD DS and Azure AD synchronization
+<a name='to-verify-ad-ds-and-azure-ad-synchronization'></a>
+
+#### To verify AD DS and Microsoft Entra synchronization
 
 1. Open https://portal.office.com in your web browser.
 
@@ -611,11 +625,11 @@ Azure AD Connect should start synchronization immediately. Depending on the numb
    The list of security group members should mirror the group membership for the corresponding security group in AD DS.
 8. Close the browser.
 
-Now that you've verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium.
+Now that you've verified Microsoft Entra Connect synchronization, you’re ready to assign user licenses for Microsoft Entra ID P1 or P2.
 
 #### Summary
 
-In this section, you selected your synchronization model, deployed Azure AD Connect, and verified that Azure AD is synchronizing properly.
+In this section, you selected your synchronization model, deployed Microsoft Entra Connect, and verified that Microsoft Entra ID is synchronizing properly.
 
 ## Bulk-import user and group accounts into AD DS
 
@@ -663,7 +677,7 @@ For more information about how to import user accounts into AD DS by using:
 
 #### Summary
 
-In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts into AD DS. If you've Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide.
+In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts into AD DS. If you've Microsoft Entra Connect, it automatically synchronizes the new AD DS user and group accounts to Microsoft Entra ID. Now, you’re ready to assign user licenses for Microsoft Entra ID P1 or P2 in the [Assign user licenses for Microsoft Entra ID P1 or P2](#assign-user-licenses-for-azure-ad-premium) section later in this guide.
 
 ## Bulk-import user and group accounts into Office 365
 
@@ -674,7 +688,7 @@ You can bulk-import user and group accounts directly into Office 365, reducing t
 Now that you've created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom.
 
 > [!NOTE]
-> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
+> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Microsoft Entra integration to synchronize the security groups with your Office 365 tenant.
 
 You can use the Microsoft 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you've many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users).
 
@@ -692,7 +706,7 @@ The email accounts are assigned temporary passwords on creation. You must commun
 Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources.
 
 > [!NOTE]
-> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
+> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Microsoft Entra integration to synchronize the security groups with your Office 365 tenant.
 
 For information about creating security groups, see [Create an Office 365 Group in the admin center](/microsoft-365/admin/create-groups/create-groups).
 
@@ -715,13 +729,15 @@ For information about creating email distribution groups, see [Create a Microsof
 
 #### Summary
 
-You've bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium.
+You've bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Microsoft Entra ID P1 or P2.
 
-## Assign user licenses for Azure AD Premium
+<a name='assign-user-licenses-for-azure-ad-premium'></a>
 
-If you enabled Azure AD Premium in the [Enable Azure AD Premium](#enable-azure-ad-premium) section, you must now assign Azure AD Premium licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium only to those users.
+## Assign user licenses for Microsoft Entra ID P1 or P2
 
-For more information about assigning user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts).
+If you enabled Microsoft Entra ID P1 or P2 in the [Enable Microsoft Entra ID P1 or P2](#enable-azure-ad-premium) section, you must now assign Microsoft Entra ID P1 or P2 licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Microsoft Entra ID P1 or P2 only to those users.
+
+For more information about assigning user licenses for Microsoft Entra ID P1 or P2, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts).
 
 ## Create and configure a Microsoft Store for Business portal
 
@@ -1048,7 +1064,7 @@ Use the information in Table 17 to help you determine whether you need to config
 
 |Recommendation|Description|
 |--- |--- |
-|Use of Microsoft accounts|You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, don't  use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.<br>**Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices. <br>**Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.<br>****Intune**.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.|
+|Use of Microsoft accounts|You want faculty and students to use only Microsoft Entra accounts for institution-owned devices. For these devices, don't  use Microsoft accounts or associate a Microsoft account with the Microsoft Entra accounts.<br>**Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Microsoft Entra account on these devices. <br>**Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.<br>****Intune**.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.|
 |Restrict the local administrator accounts on the devices|Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.<br>**Group Policy**. Create a Local Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item. <br>**Intune**. Not available.|
 |Manage the built-in administrator account created during device deployment|When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.<br> **Group Policy**. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).<br> **Intune**. Not available.|
 |Control Microsoft Store access|You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.<br>**Group policy**. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?<br>**Intune**. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy.|
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index cdae48880d..d1c9aea19e 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -1,6 +1,6 @@
 ---
 title: Deploy Windows 10 in a school 
-description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy.
+description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Entra ID. Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy.
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
@@ -9,7 +9,7 @@ appliesto:
 
 # Deploy Windows 10 in a school
 
-This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system.
+This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Entra ID; and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system.
 
 ## Prepare for school deployment
 
@@ -46,8 +46,8 @@ This school configuration has the following characteristics:
   > [!NOTE]
   > In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2.
 
-- The devices use Azure AD in Office 365 Education for identity management.
-- If you've on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity).
+- The devices use Microsoft Entra ID in Office 365 Education for identity management.
+- If you've on-premises AD DS, you can [integrate Microsoft Entra ID with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity).
 - Use [Intune](/mem/intune/), [Set up Basic Mobility and Security](/microsoft-365/admin/basic-mobility-security/set-up), or Group Policy in AD DS to manage devices.
 - Each device supports a one-student-per-device or multiple-students-per-device scenario.
 - The devices can be a mixture of different make, model, and processor architecture (32 bit or 64 bit) or be identical.
@@ -97,11 +97,11 @@ The high-level process for deploying and configuring devices within individual c
 
 1. Prepare the admin device for use, which includes installing the Windows ADK and MDT.
 2. On the admin device, create and configure the Office 365 Education subscription that you'll use for each classroom in the school.
-3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you've an on premises AD DS configuration).
+3. On the admin device, configure integration between on-premises AD DS and Microsoft Entra ID (if you've an on premises AD DS configuration).
 4. On the admin device, create and configure a Microsoft Store for Business portal.
 5. On the admin device, prepare for management of the Windows 10 devices after deployment.
 6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10.
-7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration.
+7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Microsoft Entra integration.
 
 :::image type="content" source="images/deploy-win-10-school-figure3.png" alt-text="See the high level process of configuring Windows client devices in a classroom and the school":::
 
@@ -236,7 +236,7 @@ Now that you've created your new Office 365 Education subscription, add the doma
 To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
 
 > [!NOTE]
-> By default, automatic tenant join is enabled in Office 365 Education, except for certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled.
+> By default, automatic tenant join is enabled in Office 365 Education, except for certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Microsoft Entra Connect, then automatic tenant join is disabled.
 
 Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
 
@@ -261,7 +261,7 @@ All new Office 365 Education subscriptions have automatic tenant join enabled by
 ---
 
 > [!NOTE]
-> If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant.
+> If your institution has AD DS, then disable automatic tenant join. Instead, use Microsoft Entra integration with AD DS to add users to your Office 365 tenant.
 
 ### Disable automatic licensing
 
@@ -282,13 +282,15 @@ Although all new Office 365 Education subscriptions have automatic licensing ena
 
 ---
 
-### Enable Azure AD Premium
+<a name='enable-azure-ad-premium'></a>
 
-When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory. Azure AD is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD–integrated apps. Azure AD has different editions, which may include Office 365 Education. For more information, see [Introduction to Azure Active Directory Tenants](/microsoft-365/education/deploy/intro-azure-active-directory).
+### Enable Microsoft Entra ID P1 or P2
 
-Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access).
+When you create your Office 365 subscription, you create an Office 365 tenant that includes a Microsoft Entra directory. Microsoft Entra ID is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Microsoft Entra ID–integrated apps. Microsoft Entra ID has different editions, which may include Office 365 Education. For more information, see [Introduction to Microsoft Entra tenants](/microsoft-365/education/deploy/intro-azure-active-directory).
 
-The Azure AD Premium features that aren't in Azure AD Basic include:
+Educational institutions can obtain Microsoft Entra Basic edition licenses at no cost. After you obtain your licenses, activate your Microsoft Entra ID access by completing the steps in [Step 3: Activate your Microsoft Entra ID access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access).
+
+The Microsoft Entra ID P1 or P2 features that aren't in Microsoft Entra Basic include:
 
 - Allow designated users to manage group membership
 - Dynamic group membership based on user metadata
@@ -297,104 +299,116 @@ The Azure AD Premium features that aren't in Azure AD Basic include:
 - Automatic enrollment in a mobile device management (MDM) system (such as Intune)
 - Self-service recovery of BitLocker
 - Add local administrator accounts to Windows 10 devices
-- Azure AD Connect health monitoring
+- Microsoft Entra Connect Health monitoring
 - Extended reporting capabilities
 
-You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users.
+You can assign Microsoft Entra ID P1 or P2 licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Microsoft Entra ID P1 or P2 to only those users.
 
-You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You'll assign Azure AD Premium licenses to users later in the deployment process.
+You can sign up for Microsoft Entra ID P1 or P2, and then assign licenses to users. In this section, you sign up for Microsoft Entra ID P1 or P2. You'll assign Microsoft Entra ID P1 or P2 licenses to users later in the deployment process.
 
 For more information, see:
 
-- [Azure Active Directory licenses](/azure/active-directory/fundamentals/active-directory-whatis)
-- [Sign up for Azure Active Directory Premium](/azure/active-directory/fundamentals/active-directory-get-started-premium)
+- [Microsoft Entra ID licenses](/azure/active-directory/fundamentals/active-directory-whatis)
+- [Sign up for Microsoft Entra ID P1 or P2](/azure/active-directory/fundamentals/active-directory-get-started-premium)
 
 ### Summary
-You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if necessary), you’re ready to select the method you'll use to create user accounts in Office 365.
+You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Microsoft Entra ID P1 or P2 enabled (if necessary), you’re ready to select the method you'll use to create user accounts in Office 365.
 
 ## Select an Office 365 user account–creation method
 
 
 Now that you've an Office 365 subscription, you need to determine how you'll create your Office 365 user accounts. Use the following methods to create Office 365 user accounts:
 
-- **Method 1:** Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you've an on-premises AD DS domain.
-- **Method 2:** Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain.
+- **Method 1:** Automatically synchronize your on-premises AD DS domain with Microsoft Entra ID. Select this method if you've an on-premises AD DS domain.
+- **Method 2:** Bulk-import the user accounts from a .csv file (based on information from other sources) into Microsoft Entra ID. Select this method if you don’t have an on-premises AD DS domain.
 
-### Method 1: Automatic synchronization between AD DS and Azure AD
+<a name='method-1-automatic-synchronization-between-ad-ds-and-azure-ad'></a>
 
-In this method, you've an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD.
+### Method 1: Automatic synchronization between AD DS and Microsoft Entra ID
+
+In this method, you've an on-premises AD DS domain. As shown in Figure 4, the Microsoft Entra Connector tool automatically synchronizes AD DS with Microsoft Entra ID. When you add or change any user accounts in AD DS, the Microsoft Entra Connector tool automatically updates Microsoft Entra ID.
 
 > [!NOTE]
-> Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [LDAP synchronization with Azure Active Directory](/azure/active-directory/fundamentals/sync-ldap).
+> Microsoft Entra Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [LDAP synchronization with Microsoft Entra ID](/azure/active-directory/fundamentals/sync-ldap).
 
 :::image type="content" source="images/deploy-win-10-school-figure4.png" alt-text="See the automatic synchronization between Active Directory Directory Services and Azure AD.":::
 
-*Figure 4. Automatic synchronization between AD DS and Azure AD*
+*Figure 4. Automatic synchronization between AD DS and Microsoft Entra ID*
 
-For more information about how to perform this step, see the [Integrate on-premises AD DS with Azure AD](#integrate-on-premises-ad-ds-with-azure-ad) section in this guide.
+For more information about how to perform this step, see the [Integrate on-premises AD DS with Microsoft Entra ID](#integrate-on-premises-ad-ds-with-azure-ad) section in this guide.
 
-### Method 2: Bulk import into Azure AD from a .csv file
+<a name='method-2-bulk-import-into-azure-ad-from-a-csv-file'></a>
 
-In this method, you've no on-premises AD DS domain. As shown in Figure 5, you manually prepare a `.csv` file with the student information from your source, and then manually import the information directly into Azure AD. The `.csv` file must be in the format that Office 365 specifies.
+### Method 2: Bulk import into Microsoft Entra ID from a .csv file
+
+In this method, you've no on-premises AD DS domain. As shown in Figure 5, you manually prepare a `.csv` file with the student information from your source, and then manually import the information directly into Microsoft Entra ID. The `.csv` file must be in the format that Office 365 specifies.
 
 :::image type="content" source="images/deploy-win-10-school-figure5.png" alt-text="Create a csv file with student information, and import the csv file into Azure AD.":::
 
-*Figure 5. Bulk import into Azure AD from other sources*
+*Figure 5. Bulk import into Microsoft Entra ID from other sources*
 
 To implement this method, perform the following steps:
 
 1. Export the student information from the source. Ultimately, you want to format the student information in the format the bulk-import feature requires.
-2. Bulk-import the student information into Azure AD. For more information about how to perform this step, see the [Bulk-import user accounts into Office 365](#bulk-import-user-accounts-into-office-365) section.
+2. Bulk-import the student information into Microsoft Entra ID. For more information about how to perform this step, see the [Bulk-import user accounts into Office 365](#bulk-import-user-accounts-into-office-365) section.
 
 ### Summary
 
-In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Azure AD (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts.
+In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Microsoft Entra ID (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts.
 
-## Integrate on-premises AD DS with Azure AD
+<a name='integrate-on-premises-ad-ds-with-azure-ad'></a>
 
-You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS.
+## Integrate on-premises AD DS with Microsoft Entra ID
+
+You can integrate your on-premises AD DS domain with Microsoft Entra ID to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Microsoft Entra ID with the Microsoft Entra Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS.
 
 > [!NOTE]
 > If your institution doesn't have an on-premises AD DS domain, you can skip this section.
 
 ### Select synchronization model
 
-Before you deploy AD DS and Azure AD synchronization, you need to determine where you want to deploy the server that runs Azure AD Connect.
+Before you deploy AD DS and Microsoft Entra synchronization, you need to determine where you want to deploy the server that runs Microsoft Entra Connect.
 
-You can deploy the Azure AD Connect tool by using one of the following methods:
+You can deploy the Microsoft Entra Connect tool by using one of the following methods:
 
-- **On premises**: As shown in Figure 6, Azure AD Connect runs on premises, which have the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server.
+- **On premises**: As shown in Figure 6, Microsoft Entra Connect runs on premises, which have the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server.
 
-  :::image type="content" source="images/deploy-win-10-school-figure6.png" alt-text="Azure AD Connect runs on-premises and uses a virtual machine.":::
+  :::image type="content" source="images/deploy-win-10-school-figure6.png" alt-text="Microsoft Entra Connect runs on-premises and uses a virtual machine.":::
 
-  *Figure 6. Azure AD Connect on premises*
+  *Figure 6. Microsoft Entra Connect on premises*
 
-- **In Azure**: As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
+- **In Azure**: As shown in Figure 7, Microsoft Entra Connect runs on a VM in Microsoft Entra which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
 
-  :::image type="content" source="images/deploy-win-10-school-figure7.png" alt-text="Azure AD Connect runs on a VM in Azure AD, and uses a VPN gateway on-premises.":::
+  :::image type="content" source="images/deploy-win-10-school-figure7.png" alt-text="Microsoft Entra Connect runs on a VM in Microsoft Entra ID, and uses a VPN gateway on-premises.":::
 
-  *Figure 7. Azure AD Connect in Azure*
+  *Figure 7. Microsoft Entra Connect in Azure*
 
-This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](/microsoft-365/enterprise/deploy-microsoft-365-directory-synchronization-dirsync-in-microsoft-azure).
+This guide describes how to run Microsoft Entra Connect on premises. For information about running Microsoft Entra Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](/microsoft-365/enterprise/deploy-microsoft-365-directory-synchronization-dirsync-in-microsoft-azure).
 
-### Deploy Azure AD Connect on premises
+<a name='deploy-azure-ad-connect-on-premises'></a>
 
-In this synchronization model (illustrated in Figure 6), you run Azure AD Connect on premises on a physical device or VM. Azure AD Connect synchronizes AD DS user and group accounts with Azure AD. Azure AD Connect includes a wizard that helps you configure Azure AD Connect for your AD DS domain and Office 365 subscription. First, you install Azure AD Connect; then, you run the wizard to configure it for your institution.
+### Deploy Microsoft Entra Connect on premises
 
-#### To deploy AD DS and Azure AD synchronization
+In this synchronization model (illustrated in Figure 6), you run Microsoft Entra Connect on premises on a physical device or VM. Microsoft Entra Connect synchronizes AD DS user and group accounts with Microsoft Entra ID. Microsoft Entra Connect includes a wizard that helps you configure Microsoft Entra Connect for your AD DS domain and Office 365 subscription. First, you install Microsoft Entra Connect; then, you run the wizard to configure it for your institution.
 
-1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](/azure/active-directory/hybrid/how-to-connect-install-prerequisites).
-2. On the VM or physical device that will run Azure AD Connect, sign in with a domain administrator account.
-3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](/azure/active-directory/hybrid/how-to-connect-install-select-installation).
-4. Configure Azure AD Connect features based on your institution’s requirements. For more information, see [Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
+<a name='to-deploy-ad-ds-and-azure-ad-synchronization'></a>
 
-Now that you've used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD.
+#### To deploy AD DS and Microsoft Entra synchronization
+
+1. Configure your environment to meet the prerequisites for installing Microsoft Entra Connect by performing the steps in [Prerequisites for Microsoft Entra Connect](/azure/active-directory/hybrid/how-to-connect-install-prerequisites).
+2. On the VM or physical device that will run Microsoft Entra Connect, sign in with a domain administrator account.
+3. Install Microsoft Entra Connect by performing the steps in [Install Microsoft Entra Connect](/azure/active-directory/hybrid/how-to-connect-install-select-installation).
+4. Configure Microsoft Entra Connect features based on your institution’s requirements. For more information, see [Microsoft Entra Connect Sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
+
+Now that you've used on premises Microsoft Entra Connect to deploy AD DS and Microsoft Entra synchronization, you’re ready to verify that Microsoft Entra Connect is synchronizing AD DS user and group accounts with Microsoft Entra ID.
 
 ### Verify synchronization
 
-Azure AD Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Azure AD in the Office 365 admin console.
+Microsoft Entra Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Microsoft Entra ID in the Office 365 admin console.
 
-#### To verify AD DS and Azure AD synchronization
+<a name='to-verify-ad-ds-and-azure-ad-synchronization'></a>
+
+#### To verify AD DS and Microsoft Entra synchronization
 
 1. In your web browser, go to [https://portal.office.com](https://portal.office.com).
 2. Using the administrative account that you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section, sign in to Office 365.
@@ -406,11 +420,11 @@ Azure AD Connect should start synchronization immediately. Depending on the numb
 8. The list of security group members should mirror the group membership for the corresponding security group in AD DS.
 9. Close the browser.
 
-Now that you've verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium.
+Now that you've verified Microsoft Entra Connect synchronization, you’re ready to assign user licenses for Microsoft Entra ID P1 or P2.
 
 ### Summary
 
-In this section, you selected your synchronization model, deployed Azure AD Connect, and verified that Azure AD is synchronizing properly.
+In this section, you selected your synchronization model, deployed Microsoft Entra Connect, and verified that Microsoft Entra ID is synchronizing properly.
 
 ## Bulk-import user and group accounts into AD DS
 
@@ -464,7 +478,7 @@ For more information about how to import user accounts into AD DS by using:
 
 ### Summary
 
-In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts in to AD DS. If you've Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide.
+In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts in to AD DS. If you've Microsoft Entra Connect, it automatically synchronizes the new AD DS user and group accounts to Microsoft Entra ID. Now, you’re ready to assign user licenses for Microsoft Entra ID P1 or P2 in the [Assign user licenses for Microsoft Entra ID P1 or P2](#assign-user-licenses-for-azure-ad-premium) section later in this guide.
 
 ## Bulk-import user accounts into Office 365
 
@@ -490,7 +504,7 @@ The email accounts are assigned temporary passwords upon creation. Communicate t
 Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources.
 
 > [!NOTE]
-> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
+> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Microsoft Entra integration to synchronize the security groups with your Office 365 tenant.
 
 For information about creating security groups, see [Create a group in the Microsoft 365 admin center](/microsoft-365/admin/create-groups/create-groups).
 
@@ -512,18 +526,20 @@ For information about how to create security groups, see [Create a group in the
 
 ### Summary
 
-Now, you've bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium.
+Now, you've bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Microsoft Entra ID P1 or P2.
 
-## Assign user licenses for Azure AD Premium
+<a name='assign-user-licenses-for-azure-ad-premium'></a>
 
-Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. Educational institutions can obtain Azure AD Basic licenses at no cost and Azure AD Premium licenses at a reduced cost.
+## Assign user licenses for Microsoft Entra ID P1 or P2
 
-You can assign Azure AD Premium licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium only to those users.
+Microsoft Entra ID is available in Free, Basic, and Premium editions. Microsoft Entra ID Free, which is included in Office 365 Education, has fewer features than Microsoft Entra Basic, which in turn has fewer features than Microsoft Entra ID P1 or P2. Educational institutions can obtain Microsoft Entra Basic licenses at no cost and Microsoft Entra ID P1 or P2 licenses at a reduced cost.
+
+You can assign Microsoft Entra ID P1 or P2 licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Microsoft Entra ID P1 or P2 only to those users.
 
 For more information about:
 
-- Azure AD editions, see [Azure Active Directory editions](/azure/active-directory/fundamentals/active-directory-whatis).
-- How to assign user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts).
+- Microsoft Entra editions, see [Microsoft Entra editions](/azure/active-directory/fundamentals/active-directory-whatis).
+- How to assign user licenses for Microsoft Entra ID P1 or P2, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts).
 
 ## Create and configure a Microsoft Store for Business portal
 
@@ -546,7 +562,7 @@ To create and configure your Microsoft Store for Business portal, use the admini
 1. In Microsoft Edge or Internet Explorer, go to [https://microsoft.com/business-store](https://microsoft.com/business-store).
 2. On the **Microsoft Store for Business** page, click **Sign in with an organizational account**.
 
-    If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
+    If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Microsoft Entra integration to synchronize the security groups with your Office 365 tenant.
 
 1. On the Microsoft Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in.
 2. On the **Microsoft Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept**
@@ -716,7 +732,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
 ---
 | Recommendation | Description |
 | --- | --- |
-| **Use of Microsoft accounts** | You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, don't use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.<br/><br/>Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.<br/><br/>**Group Policy**: Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)?amp;MSPPError=-2147217396&f=255) Group Policy setting to use the Users can’t add Microsoft accounts setting option.<br/><br/>**Intune**: Enable or disable Microsoft accounts by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. |
+| **Use of Microsoft accounts** | You want faculty and students to use only Microsoft Entra accounts for institution-owned devices. For these devices, don't use Microsoft accounts or associate a Microsoft account with the Microsoft Entra accounts.<br/><br/>Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Microsoft Entra account on these devices.<br/><br/>**Group Policy**: Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)?amp;MSPPError=-2147217396&f=255) Group Policy setting to use the Users can’t add Microsoft accounts setting option.<br/><br/>**Intune**: Enable or disable Microsoft accounts by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. |
 | **Restrict local administrator accounts on the devices** | Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.<br/><br/>**Group Policy**: Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732525(v=ws.11)).<br/><br/>**Intune**: Not available |
 | **Manage the built-in administrator account created during device deployment** | When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.<br/><br/>**Group Policy**: Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You'll specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).<br/><br/>**Intune**: Not available. |
 | **Control Microsoft Store access** | You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.<br/><br/>**Group Policy**: You can disable the Microsoft Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Microsoft Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Microsoft Store in my enterprise environment?](/previous-versions/windows/it-pro/windows-8.1-and-8/hh832040(v=ws.11)#BKMK_UseGP).<br/><br/>**Intune**: You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy. |
diff --git a/education/windows/edu-take-a-test-kiosk-mode.md b/education/windows/edu-take-a-test-kiosk-mode.md
index 408976797e..d09c408d8a 100644
--- a/education/windows/edu-take-a-test-kiosk-mode.md
+++ b/education/windows/edu-take-a-test-kiosk-mode.md
@@ -199,7 +199,7 @@ To create a local account, and configure Take a Test in kiosk mode using the Set
    :::image type="content" source="./images/takeatest/login-screen-take-a-test-single-pc.png" alt-text="Windows 11 SE login screen with the take a test account." border="true":::
 
    > [!NOTE]  
-   > To sign-in with a local account on a device that is joined to Azure AD or Active Directory, you must prefix the username with either `<computername>\` or `.\`.
+   > To sign-in with a local account on a device that is joined to Microsoft Entra ID or Active Directory, you must prefix the username with either `<computername>\` or `.\`.
 
 ---
 
@@ -219,4 +219,4 @@ The following animation shows the process of signing in to the test-taking accou
 [MEM-2]: /mem/intune/configuration/settings-catalog
 
 [WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
-[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
\ No newline at end of file
+[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md
index 35200347df..4c9144fdb9 100644
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@@ -1,6 +1,6 @@
 ---
 title: Configure federated sign-in for Windows devices
-description: Learn about federated sign-in in Windows how to configure it.
+description: Learn how federated sign-in in Windows works and how to configure it.
 ms.date: 09/11/2023
 ms.topic: how-to
 appliesto:
@@ -15,7 +15,7 @@ ms.collection:
 
 Starting in Windows 11 SE, version 22H2 and Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1], you can enable your users to sign-in using a federated identity provider (IdP) via web sign-in.\
 This feature is called *federated sign-in*.\
-Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
+Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Microsoft Entra ID, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
 
 ## Benefits of federated sign-in
 
@@ -28,27 +28,27 @@ With fewer credentials to remember and a simplified sign-in process, students ar
 
 To implement federated sign-in, the following prerequisites must be met:
 
-1. An Azure AD tenant, with one or multiple domains federated to a third-party IdP. For more information, see [What is federation with Azure AD?][AZ-1] and [Use a SAML 2.0 IdP for Single Sign On][AZ-4]
+1. A Microsoft Entra tenant, with one or multiple domains federated to a third-party IdP. For more information, see [What is federation with Microsoft Entra ID?][AZ-1] and [Use a SAML 2.0 IdP for Single Sign On][AZ-4]
     >[!NOTE]
-    >If your organization uses a third-party federation solution, you can configure single sign-on to Azure Active Directory if the solution is compatible with Azure Active Directory. For questions regarding compatibility, contact your identity provider. If you're an IdP, and would like to validate your solution for interoperability, refer to these [guidelines][MSFT-1].
+    >If your organization uses a third-party federation solution, you can configure single sign-on to Microsoft Entra ID if the solution is compatible with Microsoft Entra ID. For questions regarding compatibility, contact your identity provider. If you're an IdP, and would like to validate your solution for interoperability, refer to these [guidelines][MSFT-1].
 
-    - For a step-by-step guide on how to configure **Google Workspace** as an identity provider for Azure AD, see [Configure federation between Google Workspace and Azure AD](configure-aad-google-trust.md)
-    - For a step-by-step guide on how to configure **Clever** as an identity provider for Azure AD, see [Setup guide for Badges into Windows and Azure AD][EXT-1]
+    - For a step-by-step guide on how to configure **Google Workspace** as an identity provider for Microsoft Entra ID, see [Configure federation between Google Workspace and Microsoft Entra ID](configure-aad-google-trust.md)
+    - For a step-by-step guide on how to configure **Clever** as an identity provider for Microsoft Entra ID, see [Setup guide for Badges into Windows and Microsoft Entra ID][EXT-1]
 1. Individual IdP accounts created: each user requires an account defined in the third-party IdP platform
-1. Individual Azure AD accounts created: each user requires a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example:
+1. Individual Microsoft Entra accounts created: each user requires a matching account defined in Microsoft Entra ID. These accounts are commonly created through automated solutions, for example:
     - [School Data Sync (SDS)][SDS-1]
-    - [Azure AD Connect sync][AZ-3] for environment with on-premises AD DS
+    - [Microsoft Entra Connect Sync][AZ-3] for environment with on-premises AD DS
     - PowerShell scripts that call the [Microsoft Graph API][GRAPH-1]
     - provisioning tools offered by the IdP
 
-    For more information about identity matching, see [Identity matching in Azure AD](#identity-matching-in-azure-ad).
-1. Licenses assigned to the Azure AD user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Azure AD, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Azure Active Directory][AZ-2]
+    For more information about identity matching, see [Identity matching in Microsoft Entra ID](#identity-matching-in-azure-ad).
+1. Licenses assigned to the Microsoft Entra user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Microsoft Entra ID, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Microsoft Entra ID][AZ-2]
 1. Enable federated sign-in on the Windows devices
 
 To use federated sign-in, the devices must have Internet access. This feature doesn't work without it, as the authentication is done over the Internet.
 
 > [!IMPORTANT]
-> WS-Fed is the only supported federated protocol to join a device to Azure AD. If you have a SAML 2.0 IdP, it's recommended to complete the Azure AD join process using one of the following methods:
+> WS-Fed is the only supported federated protocol to join a device to Microsoft Entra ID. If you have a SAML 2.0 IdP, it's recommended to complete the Microsoft Entra join process using one of the following methods:
 > - Provisioning packages (PPKG)
 > - Windows Autopilot self-deploying mode
 
@@ -173,7 +173,7 @@ As users enter their username, they're redirected to the identity provider sign-
 
 > [!IMPORTANT]
 > For student assigned (1:1) devices, once the policy is enabled, the first user who sign-in to the device will also set the disambiguation page to the identity provider domain on the device. This means that the device will be defaulting to that IdP. The user can exit the federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows sign-in screen.
-> The behavior is different for student shared devices, where the disambiguation page is always shown, unless preferred Azure AD tenant name is configured.
+> The behavior is different for student shared devices, where the disambiguation page is always shown, unless preferred Microsoft Entra tenant name is configured.
 
 ## Important considerations
 
@@ -196,29 +196,33 @@ The following issues are known to affect student shared devices:
 
 For student shared devices, it's recommended to configure the account management policies to automatically delete the user profiles after a certain period of inactivity or disk levels. For more information, see [Set up a shared or guest Windows device][WIN-3].
 
-### Preferred Azure AD tenant name
+<a name='preferred-azure-ad-tenant-name'></a>
 
-To improve the user experience, you can configure the *preferred Azure AD tenant name* feature.\
-When using preferred AAD tenant name, the users bypass the disambiguation page and are redirected to the identity provider sign-in page. This configuration can be especially useful for student shared devices, where the disambiguation page is always shown.
+### Preferred Microsoft Entra tenant name
+
+To improve the user experience, you can configure the *preferred Microsoft Entra tenant name* feature.\
+When using preferred Microsoft Entra tenant name, the users bypass the disambiguation page and are redirected to the identity provider sign-in page. This configuration can be especially useful for student shared devices, where the disambiguation page is always shown.
 
 For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-4].
 
-### Identity matching in Azure AD
+<a name='identity-matching-in-azure-ad'></a>
 
-When an Azure AD user is federated, the user's identity from the IdP must match an existing user object in Azure AD.
-After the token sent by the IdP is validated, Azure AD searches for a matching user object in the tenant by using an attribute called *ImmutableId*.
+### Identity matching in Microsoft Entra ID
+
+When a Microsoft Entra user is federated, the user's identity from the IdP must match an existing user object in Microsoft Entra ID.
+After the token sent by the IdP is validated, Microsoft Entra ID searches for a matching user object in the tenant by using an attribute called *ImmutableId*.
 
 > [!NOTE]
 > The ImmutableId is a string value that **must be unique** for each user in the tenant, and it shouldn't change over time. For example, the ImmutableId could be the student ID or SIS ID. The ImmutableId value should be based on the federation setup and configuration with your IdP, so confirm with your IdP before setting it.
 
 If the matching object is found, the user is signed-in. Otherwise, the user is presented with an error message. The following picture shows that a user with the ImmutableId *260051* can't be found:
 
-:::image type="content" source="images/federation/user-match-lookup-failure.png" alt-text="Screenshot of Azure AD sign-in error: a user with a matching ImmutableId can't be found in the tenant." lightbox="images/federation/user-match-lookup-failure.png":::
+:::image type="content" source="images/federation/user-match-lookup-failure.png" alt-text="Screenshot of Microsoft Entra sign-in error: a user with a matching ImmutableId can't be found in the tenant." lightbox="images/federation/user-match-lookup-failure.png":::
 
 > [!IMPORTANT]
 > The ImmutableId matching is case-sensitive.
 
-The ImmutableId is typically configured when the user is created in Azure AD, but it can also be updated later.\
+The ImmutableId is typically configured when the user is created in Microsoft Entra ID, but it can also be updated later.\
 In a scenario where a user is federated and you want to change the ImmutableId, you must:
 
 1. Convert the federated user to a cloud-only user (update the UPN to a non-federated domain)
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 14121791b1..4e8222d98d 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -32,10 +32,10 @@ Users in a Microsoft-verified academic organization with Microsoft 365 accounts
 
 Organizations can [purchase subscriptions][EDU-2] directly in the *Microsoft 365 admin center*, via volume licensing agreements, or through partner resellers.
 
-When you sign up for a Minecraft Education trial, or purchase a subscription, Minecraft Education licenses are linked to your Azure Active Directory (Azure AD) tenant. If you don't have an Azure AD tenant:
+When you sign up for a Minecraft Education trial, or purchase a subscription, Minecraft Education licenses are linked to your Microsoft Entra tenant. If you don't have a Microsoft Entra tenant:
 
-- Microsoft-verified academic organizations can set up a free [Office 365 Education subscription][EDU-3], which includes an Azure AD tenant  
-- Non-Microsoft-verified academic organizations can set up a free Azure AD tenant when they [purchase Minecraft Education commercial licenses][EDU-4]
+- Microsoft-verified academic organizations can set up a free [Office 365 Education subscription][EDU-3], which includes a Microsoft Entra tenant  
+- Non-Microsoft-verified academic organizations can set up a free Microsoft Entra tenant when they [purchase Minecraft Education commercial licenses][EDU-4]
 
 ### Direct purchase
 
diff --git a/education/windows/index.yml b/education/windows/index.yml
index 8d3a93691a..a78beaa537 100644
--- a/education/windows/index.yml
+++ b/education/windows/index.yml
@@ -15,148 +15,111 @@ metadata:
   author: paolomatarazzo
   ms.author: paoloma
   manager: aaroncz
-  ms.date: 07/28/2023
+  ms.date: 08/07/2023
 
 highlightedContent:
   items:
-  - title: Get started with Windows 11
+  - title: Get started with Windows 11 SE
     itemType: get-started
-    url: /windows/whats-new/windows-11-overview
+    url: windows-11-se-overview.md
   - title: Windows 11, version 22H2
     itemType: whats-new
     url: /windows/whats-new/whats-new-windows-11-version-22H2
-  - title: Windows 11, version 22H2 group policy settings reference 
-    itemType: download
-    url: https://www.microsoft.com/en-us/download/details.aspx?id=104594
-  - title: Windows release health
-    itemType: whats-new
-    url: /windows/release-health
-  - title: Windows commercial licensing
-    itemType: overview
-    url: /windows/whats-new/windows-licensing
-  - title: Windows 365 documentation
-    itemType: overview
-    url: /windows-365
   - title: Explore all Windows trainings and learning paths for IT pros
     itemType: learn
     url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator
-  - title: Enroll Windows client devices in Microsoft Intune
+  - title: Deploy applications to Windows 11 SE with Intune
     itemType: how-to-guide
-    url: /mem/intune/fundamentals/deployment-guide-enrollment-windows
+    url: /education/windows/tutorial-deploy-apps-winse
 
 productDirectory:
   title: Get started
   items:
-
-    - title: Hardware security
-      imageSrc: /media/common/i_usb.svg
+    - title: Learn how to deploy Windows
+      imageSrc: /media/common/i_deploy.svg
       links:
-        - url: /windows/security/hardware-security/tpm/trusted-platform-module-overview
-          text: Trusted Platform Module
-        - url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor
-          text: Microsoft Pluton
-        - url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows
-          text: Windows Defender System Guard
-        - url: /windows-hardware/design/device-experiences/oem-vbs
-          text: Virtualization-based security (VBS)
-        - url: /windows-hardware/design/device-experiences/oem-highly-secure-11
-          text: Secured-core PC
-        - url: /windows/security/hardware-security
-          text: Learn more about hardware security >
-
-    - title: OS security
-      imageSrc: /media/common/i_threat-protection.svg
+        - url: /education/windows/tutorial-school-deployment/
+          text: "Tutorial: deploy and manage Windows devices in a school"
+        - url: /education/windows/tutorial-school-deployment/enroll-autopilot
+          text: Enrollment in Intune with Windows Autopilot
+        - url: use-set-up-school-pcs-app.md
+          text: Deploy devices with Set up School PCs
+        - url: /windows/deployment
+          text: Learn more about Windows deployment >
+    - title: Learn how to secure Windows
+      imageSrc: /media/common/i_security-management.svg
       links:
-        - url: /windows/security/operating-system-security
-          text: Trusted boot
-        - url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center
-          text: Windows security settings
-        - url: 	/windows/security/operating-system-security/data-protection/bitlocker/
-          text: BitLocker
-        - url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines
-          text: Windows security baselines
-        - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/
-          text: MMicrosoft Defender SmartScreen
-        - url: /windows/security/operating-system-security
-          text: Learn more about OS security >
-
-    - title: Identity protection
-      imageSrc: /media/common/i_identity-protection.svg
-      links:
-        - url: /windows/security/identity-protection/hello-for-business
-          text: Windows Hello for Business
-        - url: /windows/security/identity-protection/credential-guard
-          text: Credential Guard
-        - url: /windows-server/identity/laps/laps-overview
-          text: Windows LAPS (Local Administrator Password Solution)
-        - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
-          text: Enhanced phishing protection with SmartScreen
-        - url: /education/windows/federated-sign-in
-          text: Federated sign-in (EDU)
-        - url: /windows/security/identity-protection
-          text: Learn more about identity protection >
-
-    - title: Application security
-      imageSrc: /media/common/i_queries.svg
-      links:
-        - url: /windows/security/application-security/application-control/windows-defender-application-control/
-          text: Windows Defender Application Control (WDAC)
+        - url: federated-sign-in.md
+          text: Configure federated sign-in for Windows devices
         - url: /windows/security/application-security/application-control/user-account-control
           text: User Account Control (UAC)
-        - url: /windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules
-          text: Microsoft vulnerable driver blocklist
-        - url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
-          text: Microsoft Defender Application Guard (MDAG)
-        - url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview
-          text: Windows Sandbox
-        - url: /windows/security/application-security
-          text: Learn more about application security >
-
-    - title: Security foundations
-      imageSrc: /media/common/i_build.svg
-      links:
-        - url: /windows/security/security-foundations/certification/fips-140-validation
-          text: FIPS 140-2 validation
-        - url: /windows/security/security-foundations/certification/windows-platform-common-criteria
-          text: Common Criteria Certifications
-        - url: /windows/security/security-foundations/msft-security-dev-lifecycle
-          text: Microsoft Security Development Lifecycle (SDL)
-        - url: https://www.microsoft.com/msrc/bounty-windows-insider-preview
-          text: Microsoft Windows Insider Preview bounty program
-        - url: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/
-          text: OneFuzz service
-        - url: /windows/security/security-foundations
-          text: Learn more about security foundations >
-
-    - title: Cloud security
-      imageSrc: /media/common/i_cloud-security.svg
-      links:
         - url: /mem/intune/protect/security-baselines
           text: Security baselines with Intune
         - url: /windows/deployment/windows-autopatch
           text: Windows Autopatch
-        - url: /windows/deployment/windows-autopilot
-          text: Windows Autopilot
         - url: /universal-print
           text: Universal Print
-        - url: /windows/client-management/mdm/remotewipe-csp
-          text: Remote wipe
-        - url: /windows/security/cloud-security
-          text: Learn more about cloud security >
+        - url: /windows/security
+          text: Learn more about Windows security >
+
+    - title: Learn how to manage Windows devices
+      imageSrc: /media/common/i_management.svg
+      links:
+        - url: tutorial-school-deployment/manage-overview.md
+          text: Manage devices with Microsoft Intune
+        - url: tutorial-school-deployment/manage-surface-devices.md
+          text: Management functionalities for Surface devices
+        - url: /education/windows/get-minecraft-for-education
+          text: Get and deploy Minecraft Education
+        - url: /windows/client-management
+          text: Learn more about Windows management >
+
+    - title: Learn how to configure Windows
+      imageSrc: /media/common/i_config-tools.svg
+      links:
+        - url: /education/windows/tutorial-school-deployment/configure-devices-overview
+          text: Configure settings and applications with Microsoft Intune
+        - url: /windows/configuration/set-up-shared-or-guest-pc
+          text: Set up a shared or guest Windows device
+        - url: /education/windows/take-tests-in-windows
+          text: Take tests and assessments in Windows
+        - url: set-up-school-pcs-provisioning-package.md
+          text: Provisioning package settings
+        - url: https://www.youtube.com/watch?v=2ZLup_-PhkA
+          text: "Video: Use the Set up School PCs App"
 
 additionalContent:
   sections:
-    - title: More Windows resources
-      items:
+    - title: For developers # < 60 chars (optional)
+      summary: Are you an app developer looking for information about developing solutions on Microsoft Education products? Start here. # < 160 chars (optional)
+    - items:
+        # Card
+        - title: UWP apps for education
+          summary: Learn how to write universal apps for education.
+          url: /windows/uwp/apps-for-education/
+        # Card
+        - title: Take a test API
+          summary: Learn how web applications can use the API to provide a locked down experience for taking tests.
+          url: /windows/uwp/apps-for-education/take-a-test-api
 
-        - title: Windows Server
-          links:
-            - text: Windows Server documentation
-              url: /windows-server
-            - text: What's new in Windows Server 2022?
-              url: /windows-server/get-started/whats-new-in-windows-server-2022
-            - text: Windows Server blog
-              url: https://cloudblogs.microsoft.com/windowsserver/
+        - title: Office dev center
+          summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app.
+          url: https://developer.microsoft.com/office/
+
+        - title: Data Streamer
+          summary: Bring new STEM experiences into the classroom with real-time data in Excel using Data Streamer. Data Streamer can send data to Excel from a sensor or application.
+          url: /microsoft-365/education/data-streamer
+    - title: For partners # < 60 chars (optional)
+      summary: Looking for resources available to Microsoft Education partners? Start here. # < 160 chars (optional)
+    - items:
+
+        - title: Microsoft Partner Network
+          summary: Discover the latest news and resources for Microsoft Education products, solutions, licensing and readiness.
+          url: https://partner.microsoft.com/explore/education
+
+        - title: Education Partner community Yammer group
+          summary: Sign in with your Microsoft Partner account and join the Education Partner community private group on Yammer.
+          url: https://www.yammer.com/mepn/
 
         - title: Windows product site and blogs
           links:
diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md
index 98999d7cc0..27bffd9a4e 100644
--- a/education/windows/set-up-school-pcs-azure-ad-join.md
+++ b/education/windows/set-up-school-pcs-azure-ad-join.md
@@ -1,20 +1,20 @@
 ---
-title: Azure AD Join with Set up School PCs app
-description: Learn how Azure AD Join is configured in the Set up School PCs app.
+title: Microsoft Entra join with Set up School PCs app
+description: Learn how Microsoft Entra join is configured in the Set up School PCs app.
 ms.topic: reference
 ms.date: 08/10/2022
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---  
 
-# Azure AD Join for school PCs  
+# Microsoft Entra join for school PCs  
 
 > [!NOTE]
->   Set up School PCs app uses Azure AD Join to configure PCs. The app is helpful if you use the cloud based directory, Azure Active Directory (AD). If your organization uses Active Directory or requires no account to connect, install and use [Windows Configuration
+>   Set up School PCs app uses Microsoft Entra join to configure PCs. The app is helpful if you use the cloud based directory, Microsoft Entra ID. If your organization uses Active Directory or requires no account to connect, install and use [Windows Configuration
 >   Designer](set-up-students-pcs-to-join-domain.md) to 
 >   join your PCs to your school's domain.
 
-Set up School PCs lets you create a provisioning package that automates Azure AD
+Set up School PCs lets you create a provisioning package that automates Microsoft Entra ID
 Join on your devices. This feature eliminates the need to manually:
 
 -   Connect to your school's network.
@@ -22,23 +22,25 @@ Join on your devices. This feature eliminates the need to manually:
 
 ## Automated connection to school domain  
 
-During initial device setup, Azure AD Join automatically connects your PCs to your school's Azure AD domain. You can skip all of the Windows setup experience that is typically a part of the out-of-the-box-experience (OOBE). Devices that are managed by a mobile device manager, such as Intune, are automatically enrolled with the provider upon initial device startup.
+During initial device setup, Microsoft Entra join automatically connects your PCs to your school's Microsoft Entra domain. You can skip all of the Windows setup experience that is typically a part of the out-of-the-box-experience (OOBE). Devices that are managed by a mobile device manager, such as Intune, are automatically enrolled with the provider upon initial device startup.
 
-Students who sign in to their PCs with their Azure AD credentials get access to on-premises apps and the following cloud apps:
+Students who sign in to their PCs with their Microsoft Entra credentials get access to on-premises apps and the following cloud apps:
 * Office 365
 * OneDrive
 * OneNote
 
-## Enable Azure AD Join  
+<a name='enable-azure-ad-join'></a>
 
-Learn how to enable Azure AD Join for your school. After you configure this setting, you'll be able to request an automated Azure AD bulk token, which you need to create a provisioning package.   
+## Enable Microsoft Entra join  
+
+Learn how to enable Microsoft Entra join for your school. After you configure this setting, you'll be able to request an automated Microsoft Entra bulk token, which you need to create a provisioning package.   
 
 1. Sign in to the Azure portal with your organization's credentials. 
 2. Go to **Azure
 Active Directory** \> **Devices** \> **Device settings**.  
 3. Enable the setting
-for Azure AD by selecting **All** or **Selected**. If you choose the latter
-option, select the teachers and IT staff to allow them to connect to Azure AD.  
+for Microsoft Entra ID by selecting **All** or **Selected**. If you choose the latter
+option, select the teachers and IT staff to allow them to connect to Microsoft Entra ID.  
 
 ![Select the users you want to let join devices to Azure AD.](images/suspcs/suspc-enable-shared-pc-1807.png)  
 
@@ -50,28 +52,30 @@ The following table describes each setting within **Device Settings**.
 
 | Setting                                                    | Description                                                                                                                                                                                                                                                                                                            |
 |------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Users may join devices to Azure AD                         | Choose the scope of people in your organization that are allowed to join devices to Azure AD. **All** allows all users and groups within your tenant to join devices. **Selected** prompts you to choose specific users or groups to allow. **None** allows no one in your tenant to join devices to Azure AD. |  
-| More local administrators on Azure AD-joined devices | Only applicable to Azure AD Premium tenants. Grant extra local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default.                                                                                                  |
-| Users may register their devices with Azure AD             | Allow all or none of your users to register their devices with Azure AD (Workplace Join). If you're enrolled in Microsoft Intune or Mobile Device Management for Office 365, your devices are required to be registered. In this case, **All** is automatically selected for you.                                     |
-| Require Multi-Factor Authentication to join devices                  | Recommended when adding devices to Azure AD. When set to **Yes**, users that are setting up devices must enter a second method of authentication.                                                                                                             |
-| Maximum number of devices per user                         | Set the maximum number of devices a user is allowed to have in Azure AD. If the maximum is exceeded, the user must remove one or more existing devices before more devices are added.                                                                                                                               |
-| Users may sync settings and enterprise app data            | Allow all or none of your users to sync settings and app data across multiple devices. Tenants with Azure AD Premium are permitted to select specific users to allow.                                                                                                                                                  |
+| Users may join devices to Microsoft Entra ID                         | Choose the scope of people in your organization that are allowed to join devices to Microsoft Entra ID. **All** allows all users and groups within your tenant to join devices. **Selected** prompts you to choose specific users or groups to allow. **None** allows no one in your tenant to join devices to Microsoft Entra ID. |  
+| More local administrators on Microsoft Entra joined devices | Only applicable to Microsoft Entra ID P1 or P2 tenants. Grant extra local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default.                                                                                                  |
+| Users may register their devices with Microsoft Entra ID             | Allow all or none of your users to register their devices with Microsoft Entra ID (Workplace Join). If you're enrolled in Microsoft Intune or Mobile Device Management for Office 365, your devices are required to be registered. In this case, **All** is automatically selected for you.                                     |
+| Require Multi-Factor Authentication to join devices                  | Recommended when adding devices to Microsoft Entra ID. When set to **Yes**, users that are setting up devices must enter a second method of authentication.                                                                                                             |
+| Maximum number of devices per user                         | Set the maximum number of devices a user is allowed to have in Microsoft Entra ID. If the maximum is exceeded, the user must remove one or more existing devices before more devices are added.                                                                                                                               |
+| Users may sync settings and enterprise app data            | Allow all or none of your users to sync settings and app data across multiple devices. Tenants with Microsoft Entra ID P1 or P2 are permitted to select specific users to allow.                                                                                                                                                  |
 
-## Clear Azure AD tokens  
+<a name='clear-azure-ad-tokens'></a>
 
-Your Intune tenant can only have 500 active Azure AD tokens, or packages, at a time. You'll receive a notification in the Intune portal when you reach 500 active tokens.
+## Clear Microsoft Entra tokens  
+
+Your Intune tenant can only have 500 active Microsoft Entra tokens, or packages, at a time. You'll receive a notification in the Intune portal when you reach 500 active tokens.
 
 To reduce your inventory, clear out all unnecessary and inactive tokens.
-1. Go to **Azure Active Directory** > **Users** > **All users**  
+1. Go to **Microsoft Entra ID** > **Users** > **All users**  
 2. In the **User Name** column, select and delete all accounts with a **package\ _**
 prefix. These accounts are created at a 1:1 ratio for every token and are safe
 to delete.   
 3. Select and delete inactive and expired user accounts. 
 
 ### How do I know if my package expired?
-Automated Azure AD tokens expire after 180 days. The expiration date for each token is appended to the end of the saved provisioning package, on the USB drive. After this date, you must create a new package. Be careful that you don't delete active accounts.  
+Automated Microsoft Entra tokens expire after 180 days. The expiration date for each token is appended to the end of the saved provisioning package, on the USB drive. After this date, you must create a new package. Be careful that you don't delete active accounts.  
 
-![Screenshot of the Azure portal, Azure Active Directory, All Users page. Highlights all accounts that start with the prefix package_ and can be deleted.](images/suspcs/suspc-admin-token-delete-1807.png)  
+![Screenshot of the Azure portal, Microsoft Entra ID, All Users page. Highlights all accounts that start with the prefix package_ and can be deleted.](images/suspcs/suspc-admin-token-delete-1807.png)  
 
 ## Next steps    
 Learn more about setting up devices with the Set up School PCs app.  
@@ -79,4 +83,4 @@ Learn more about setting up devices with the Set up School PCs app.
 * [Set up School PCs technical reference](set-up-school-pcs-technical.md)
 * [Set up Windows 10 devices for education](set-up-windows-10.md) 
 
-When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
\ No newline at end of file
+When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md
index 12ea6880b4..0396303749 100644
--- a/education/windows/set-up-school-pcs-provisioning-package.md
+++ b/education/windows/set-up-school-pcs-provisioning-package.md
@@ -52,8 +52,8 @@ For a more detailed look of each policy listed, see [Policy CSP](/windows/client
 
 | Policy name | Default value | Description |
 |--|--|--|
-| Authority | User-defined | Authenticates the admin user. Value is set automatically when signed in to Azure AD. |
-| BPRT | User-defined | Value is set automatically when signed in to Azure AD. Allows you to create the provisioning package. |
+| Authority | User-defined | Authenticates the admin user. Value is set automatically when signed in to Microsoft Entra ID. |
+| BPRT | User-defined | Value is set automatically when signed in to Microsoft Entra ID. Allows you to create the provisioning package. |
 | WLAN Setting | XML is generated from the Wi-Fi profile in the Set up School PCs app. | Configures settings for wireless connectivity. |
 | Hide OOBE for desktop | True | Hides the interactive OOBE flow for Windows 10. |
 | Download Mode | 1 - HTTP blended with peering behind the same NAT | Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps, and App updates |
@@ -125,7 +125,7 @@ Review the table below to estimate your expected provisioning time. A package th
 
 Learn more about setting up devices with the Set up School PCs app.
 
-- [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
+- [Microsoft Entra join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
 - [Set up School PCs technical reference](set-up-school-pcs-technical.md)
 - [Set up Windows 10 devices for education](set-up-windows-10.md)
 
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index f888895674..8dd635d04e 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -11,11 +11,13 @@ appliesto:
 
 The **Set up School PCs** app helps you configure new Windows 10 PCs for school use. The app, which is available for Windows 10 version 1703 and later, configures and saves school-optimized settings, apps, and policies into a single provisioning package. You can then save the package to a USB drive and distribute it to your school PCs.
 
-If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up
-School PCs app will create a setup file. This file joins the PC to your Azure Active Directory tenant. The app also helps set up PCs for use with or without Internet connectivity.  
+If your school uses Microsoft Entra ID or Office 365, the Set up
+School PCs app will create a setup file. This file joins the PC to your Microsoft Entra tenant. The app also helps set up PCs for use with or without Internet connectivity.  
 
-## Join PC to Azure Active Directory
-If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up
+<a name='join-pc-to-azure-active-directory'></a>
+
+## Join PC to Microsoft Entra ID
+If your school uses Microsoft Entra ID or Office 365, the Set up
 School PCs app creates a setup file that joins your PC to your Azure Active
 Directory tenant. 
 
@@ -24,7 +26,7 @@ The app also helps set up PCs for use with or without Internet connectivity.
 ## List of Set up School PCs features
 The following table describes the Set up School PCs app features and lists each type of Intune subscription. An X indicates that the feature is available with the specific subscription.
 
-| Feature                                                                                                | No Internet | Azure AD | Office 365 | Azure AD Premium |
+| Feature                                                                                                | No Internet | Microsoft Entra ID | Office 365 | Microsoft Entra ID P1 or P2 |
 |--------------------------------------------------------------------------------------------------------|-------------|----------|------------|------------------|
 | **Fast sign-in**                                                                                       | X           | X        | X          | X                |
 | Students sign in and start using the computer in under a minute, even on initial sign-in.              |             |          |            |                  |
@@ -34,25 +36,25 @@ The following table describes the Set up School PCs app features and lists each
 | Set up computers for use by anyone with or without an account.                                         |             |          |            |                  |
 | **School policies**                                                                                    | X           | X        | X          | X                |
 | Settings create a relevant, useful learning environment and optimal computer performance.              |             |          |            |                  |
-| **Azure AD Join**                                                                                      |             | X        | X          | X                |
-| Computers join with your existing Azure AD or Office 365 subscription for centralized management.      |             |          |            |                  |
+| **Microsoft Entra join**                                                                                      |             | X        | X          | X                |
+| Computers join with your existing Microsoft Entra ID or Office 365 subscription for centralized management.      |             |          |            |                  |
 | **Single sign-on to Office 365**                                                                       |             |          | X          | X                |
 | Students sign in with their IDs to access all Office 365 web apps or installed Office apps.            |             |          |            |                  |
 | **Take a Test app**                                                                                    |             |          |            | X                |
 | Administer quizzes and assessments through test providers such as Smarter Balanced.                    |             |          |            |                  |
-| [Settings roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) **via Azure AD** |             |          |            | X                |
+| [Settings roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) **via Microsoft Entra ID** |             |          |            | X                |
 | Synchronize student and application data across devices for a personalized experience.                 |             |          |            |                  |
 
 > [!NOTE]
 >   If your school uses Active Directory, use [Windows Configuration
 >   Designer](set-up-students-pcs-to-join-domain.md) 
 >   to configure your PCs to join the domain. You can only use the Set up School
->   PCs app to set up PCs that are connected to Azure AD.
+>   PCs app to set up PCs that are connected to Microsoft Entra ID.
 
 ## Next steps  
 Learn more about setting up devices with the Set up School PCs app.  
-* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
+* [Microsoft Entra join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
 * [What's in my provisioning package](set-up-school-pcs-provisioning-package.md)
 * [Set up Windows 10 devices for education](set-up-windows-10.md) 
 
-When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
\ No newline at end of file
+When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md
index cf16da56b2..669dc2484c 100644
--- a/education/windows/set-up-students-pcs-with-apps.md
+++ b/education/windows/set-up-students-pcs-with-apps.md
@@ -16,7 +16,7 @@ You can apply a provisioning package on a USB drive to off-the-shelf devices dur
 
 - If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps).
 
-- If you want to provision a school PC to join Azure AD, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md). Set up School PCs now lets you add recommended apps from the Store so you can add these apps while you're creating your package through Set up School PCs. You can also follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps) if you want to add apps to student PCs after initial setup with the Set up School PCs package.
+- If you want to provision a school PC to join Microsoft Entra ID, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md). Set up School PCs now lets you add recommended apps from the Store so you can add these apps while you're creating your package through Set up School PCs. You can also follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps) if you want to add apps to student PCs after initial setup with the Set up School PCs package.
 
 ## Learn more
 
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md
index 1193a202d9..784d5978ac 100644
--- a/education/windows/set-up-windows-10.md
+++ b/education/windows/set-up-windows-10.md
@@ -14,7 +14,7 @@ You have two tools to choose from to set up PCs for your classroom:
 - Set up School PCs 
 - Windows Configuration Designer
 
-Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account).
+Choose the tool that is appropriate for how your students will sign in (Active Directory, Microsoft Entra ID, or no account).
 
 You can use the following diagram to compare the tools.
 
@@ -30,4 +30,4 @@ You can use the following diagram to compare the tools.
 ## Related topics
 
 [Take tests in Windows](take-tests-in-windows.md)
-[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)S
\ No newline at end of file
+[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)S
diff --git a/education/windows/toc.yml b/education/windows/toc.yml
index d12a3eb854..708fd96a30 100644
--- a/education/windows/toc.yml
+++ b/education/windows/toc.yml
@@ -46,7 +46,7 @@ items:
       items:
       - name: Configure federated sign-in
         href: federated-sign-in.md
-      - name: Configure federation between Google Workspace and Azure AD
+      - name: Configure federation between Google Workspace and Microsoft Entra ID
         href: configure-aad-google-trust.md
     - name: Configure Shared PC
       href: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
@@ -74,7 +74,7 @@ items:
         items: 
           - name: Overview
             href: set-up-windows-10.md
-          - name: Azure AD join for school PCs
+          - name: Microsoft Entra join for school PCs
             href: set-up-school-pcs-azure-ad-join.md
           - name: Active Directory join for school PCs
             href: set-up-students-pcs-to-join-domain.md
diff --git a/education/windows/tutorial-school-deployment/configure-devices-overview.md b/education/windows/tutorial-school-deployment/configure-devices-overview.md
index 075d9fe6d3..667695adba 100644
--- a/education/windows/tutorial-school-deployment/configure-devices-overview.md
+++ b/education/windows/tutorial-school-deployment/configure-devices-overview.md
@@ -8,7 +8,7 @@ ms.topic: tutorial
 # Configure settings and applications with Microsoft Intune
 
 Before distributing devices to your users, you must ensure that the devices will be configured with the required policies, settings, and applications as they get enrolled in Intune.
-Microsoft Intune uses Azure AD groups to assign policies and applications to devices.
+Microsoft Intune uses Microsoft Entra groups to assign policies and applications to devices.
 With Microsoft Intune for Education, you can conveniently create groups and assign policies and applications to them.
 
 In this section you will:
@@ -55,4 +55,4 @@ With the groups created, you can configure policies and applications to deploy t
 
 [EDU-1]: /intune-education/create-groups
 [EDU-2]: /intune-education/edit-groups-intune-for-edu
-[EDU-3]: /intune-education/edit-groups-intune-for-edu#edit-dynamic-group-rules
\ No newline at end of file
+[EDU-3]: /intune-education/edit-groups-intune-for-edu#edit-dynamic-group-rules
diff --git a/education/windows/tutorial-school-deployment/enroll-aadj.md b/education/windows/tutorial-school-deployment/enroll-aadj.md
index 1dc7d9beeb..9cb7370124 100644
--- a/education/windows/tutorial-school-deployment/enroll-aadj.md
+++ b/education/windows/tutorial-school-deployment/enroll-aadj.md
@@ -1,20 +1,20 @@
 ---
 title: Enrollment in Intune with standard out-of-box experience (OOBE)
-description: Learn how to join devices to Azure AD from OOBE and automatically get them enrolled in Intune.
+description: Learn how to join devices to Microsoft Entra ID from OOBE and automatically get them enrolled in Intune.
 ms.date: 08/31/2022
 ms.topic: tutorial
 ---
-# Automatic Intune enrollment via Azure AD join
+# Automatic Intune enrollment via Microsoft Entra join
 
-If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Azure Active Directory tenant, and automatically enroll it in Intune.
+If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Microsoft Entra tenant, and automatically enroll it in Intune.
 With this process, no advance preparation is needed:
 
 1. Follow the on-screen prompts for region selection, keyboard selection, and network connection
 1. Wait for updates. If any updates are available, they'll be installed at this time
   :::image type="content" source="./images/win11-oobe-updates.png" alt-text="Windows 11 OOBE - updates page" border="true":::
-1. When prompted, select **Set up for work or school** and authenticate using your school's Azure Active Directory account
+1. When prompted, select **Set up for work or school** and authenticate using your school's Microsoft Entra account
   :::image type="content" source="./images/win11-oobe-auth.png" alt-text="Windows 11 OOBE - authentication page" border="true":::
-1. The device will join Azure AD and automatically enroll in Intune. All settings defined in Intune will be applied to the device
+1. The device will join Microsoft Entra ID and automatically enroll in Intune. All settings defined in Intune will be applied to the device
 
 > [!IMPORTANT]
 > If you configured enrollment restrictions in Intune blocking personal Windows devices, this process will not complete. You will need to use a different enrollment method, or ensure that the devices are registered in Autopilot.
@@ -24,7 +24,7 @@ With this process, no advance preparation is needed:
 ________________________________________________________
 ## Next steps
 
-With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status.
+With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
 
 > [!div class="nextstepaction"]
-> [Next: Manage devices >](manage-overview.md)
\ No newline at end of file
+> [Next: Manage devices >](manage-overview.md)
diff --git a/education/windows/tutorial-school-deployment/enroll-autopilot.md b/education/windows/tutorial-school-deployment/enroll-autopilot.md
index e8070b995b..26300b5115 100644
--- a/education/windows/tutorial-school-deployment/enroll-autopilot.md
+++ b/education/windows/tutorial-school-deployment/enroll-autopilot.md
@@ -1,6 +1,6 @@
 ---
 title: Enrollment in Intune with Windows Autopilot
-description: Learn how to join Azure AD and enroll in Intune using Windows Autopilot.
+description: Learn how to join Microsoft Entra ID and enroll in Intune using Windows Autopilot.
 ms.date: 03/08/2023
 ms.topic: tutorial
 ---
@@ -61,8 +61,8 @@ More advanced dynamic membership rules can be created from Microsoft Intune admi
 
 For Autopilot devices to offer a customized OOBE experience, you must create **Windows Autopilot deployment profiles** and assign them to a group containing the devices.
 A deployment profile is a collection of settings that determine the behavior of the device during OOBE. Among other settings, a deployment profile specifies a **deployment mode**, which can either be:
-1. **User-driven:** devices with this profile are associated with the user enrolling the device. User credentials are required to complete the Azure AD join process during OOBE
-1. **Self-deploying:** devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to complete the Azure AD join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode.
+1. **User-driven:** devices with this profile are associated with the user enrolling the device. User credentials are required to complete the Microsoft Entra join process during OOBE
+1. **Self-deploying:** devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to complete the Microsoft Entra join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode.
 
 To create an Autopilot deployment profile:
 
@@ -109,8 +109,8 @@ When a Windows device is turned on for the first time, the end-user experience w
 1. Connect to the internet: if connecting through Wi-Fi, the user will be prompted to connect to a wireless network. If the device is connected through an ethernet cable, Windows will skip this step
 1. Apply updates: the device will look for and apply required updates
 1. Windows will detect if the device has an Autopilot profile assigned to it. If so, it will proceed with the customized OOBE experience. If the Autopilot profile specifies a naming convention for the device, the device will be renamed, and a reboot will occur
-1. The user authenticates to Azure AD, using the school account
-1. The device joins Azure AD, enrolls in Intune and all the settings and applications are configured
+1. The user authenticates to Microsoft Entra ID, using the school account
+1. The device joins Microsoft Entra ID, enrolls in Intune and all the settings and applications are configured
 
 > [!NOTE]
 > Some of these steps may be skipped, depending on the Autopilot profile configuration and if the device is using a wired connection.
@@ -120,7 +120,7 @@ When a Windows device is turned on for the first time, the end-user experience w
 ________________________________________________________
 ## Next steps
 
-With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status.
+With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
 
 > [!div class="nextstepaction"]
 > [Next: Manage devices >](manage-overview.md)
@@ -146,4 +146,4 @@ With the devices joined to Azure AD tenant and managed by Intune, you can use In
 [EDU-2]: /intune-education/windows-11-se-overview#windows-autopilot
 [EDU-3]: ../tutorial-deploy-apps-winse/considerations.md#enrollment-status-page
 
-[SURF-1]: /surface/surface-autopilot-registration-support
\ No newline at end of file
+[SURF-1]: /surface/surface-autopilot-registration-support
diff --git a/education/windows/tutorial-school-deployment/enroll-overview.md b/education/windows/tutorial-school-deployment/enroll-overview.md
index 6537b7ea3a..fa0b05840b 100644
--- a/education/windows/tutorial-school-deployment/enroll-overview.md
+++ b/education/windows/tutorial-school-deployment/enroll-overview.md
@@ -7,10 +7,10 @@ ms.topic: overview
 
 # Device enrollment overview
 
-There are three main methods for joining Windows devices to Azure AD and getting them enrolled and managed by Intune:
+There are three main methods for joining Windows devices to Microsoft Entra ID and getting them enrolled and managed by Intune:
 
-- **Automatic Intune enrollment via Azure AD join** happens when a user first turns on a device that is in out-of-box experience (OOBE), and selects the option to join Azure AD. In this scenario, the user can customize certain Windows functionalities before reaching the desktop, and becomes a local administrator of the device. This option isn't an ideal enrollment method for education devices
-- **Bulk enrollment with provisioning packages.** Provisioning packages are files that can be used to set up Windows devices, and can include information to connect to Wi-Fi networks and to join an Azure AD tenant. Provisioning packages can be created using either **Set Up School PCs** or **Windows Configuration Designer** applications. These files can be applied during or after the out-of-box experience
+- **Automatic Intune enrollment via Microsoft Entra join** happens when a user first turns on a device that is in out-of-box experience (OOBE), and selects the option to join Microsoft Entra ID. In this scenario, the user can customize certain Windows functionalities before reaching the desktop, and becomes a local administrator of the device. This option isn't an ideal enrollment method for education devices
+- **Bulk enrollment with provisioning packages.** Provisioning packages are files that can be used to set up Windows devices, and can include information to connect to Wi-Fi networks and to join a Microsoft Entra tenant. Provisioning packages can be created using either **Set Up School PCs** or **Windows Configuration Designer** applications. These files can be applied during or after the out-of-box experience
 - **Enrollment via Windows Autopilot.** Windows Autopilot is a collection of cloud services to configure the out-of-box experience, enabling light-touch or zero-touch deployment scenarios. Windows Autopilot simplifies the Windows device lifecycle, from initial deployment to end of life, for OEMs, resellers, IT administrators and end users
 
 ## Choose the enrollment method
@@ -22,7 +22,7 @@ This [table][INT-1] describes the ideal scenarios for using either option. It's
 
 Select one of the following options to learn the next steps about the enrollment method you chose:
 > [!div class="op_single_selector"]
-> - [Automatic Intune enrollment via Azure AD join](enroll-aadj.md)
+> - [Automatic Intune enrollment via Microsoft Entra join](enroll-aadj.md)
 > - [Bulk enrollment with provisioning packages](enroll-package.md)
 > - [Enroll devices with Windows Autopilot ](enroll-autopilot.md)
 
diff --git a/education/windows/tutorial-school-deployment/enroll-package.md b/education/windows/tutorial-school-deployment/enroll-package.md
index e73ef21957..0223d55bd5 100644
--- a/education/windows/tutorial-school-deployment/enroll-package.md
+++ b/education/windows/tutorial-school-deployment/enroll-package.md
@@ -17,7 +17,7 @@ You can create provisioning packages using either **Set Up School PCs** or **Win
 
 ## Set up School PCs
 
-With Set up School PCs, you can create a package containing the most common device configurations that students need, and enroll devices in Intune. The package is saved on a USB stick, which can then be plugged into devices during OOBE. Applications and settings will be automatically applied to the devices, including the Azure AD join and Intune enrollment process.
+With Set up School PCs, you can create a package containing the most common device configurations that students need, and enroll devices in Intune. The package is saved on a USB stick, which can then be plugged into devices during OOBE. Applications and settings will be automatically applied to the devices, including the Microsoft Entra join and Intune enrollment process.
 
 ### Create a provisioning package
 
@@ -44,7 +44,7 @@ For more information, see [Install Windows Configuration Designer][WIN-1], which
 
 ## Enroll devices with the provisioning package
 
-To provision Windows devices with provisioning packages, insert the USB stick containing the package during the out-of-box experience. The devices will read the content of the package, join Azure AD and automatically enroll in Intune.
+To provision Windows devices with provisioning packages, insert the USB stick containing the package during the out-of-box experience. The devices will read the content of the package, join Microsoft Entra ID and automatically enroll in Intune.
 All settings defined in the package and in Intune will be applied to the device, and the device will be ready to use.
 
 :::image type="content" source="./images/win11-oobe-ppkg.gif" alt-text="Windows 11 OOBE - enrollment with provisioning package animation." border="false":::
@@ -52,7 +52,7 @@ All settings defined in the package and in Intune will be applied to the device,
 ________________________________________________________
 ## Next steps
 
-With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status.
+With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
 
 > [!div class="nextstepaction"]
 > [Next: Manage devices >](manage-overview.md)
@@ -61,4 +61,4 @@ With the devices joined to Azure AD tenant and managed by Intune, you can use In
 
 [EDU-1]: /education/windows/use-set-up-school-pcs-app
 
-[WIN-1]: /windows/configuration/provisioning-packages/provisioning-install-icd
\ No newline at end of file
+[WIN-1]: /windows/configuration/provisioning-packages/provisioning-install-icd
diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md
index 89577e6e9f..a5a1998f71 100644
--- a/education/windows/tutorial-school-deployment/index.md
+++ b/education/windows/tutorial-school-deployment/index.md
@@ -46,7 +46,7 @@ From enrollment, through configuration and protection, to resetting, Intune for
 
 :::image type="content" source="./images/device-lifecycle.png" alt-text="The device lifecycle for Intune-managed devices" border="false":::
 
-- **Enroll:** to enable remote device management, devices must be enrolled in Intune with an account in your Azure AD tenant. Some enrollment methods require an IT administrator to initiate enrollment, while others require students to complete the initial device setup process. This document discusses the facets of various device enrollment methodologies
+- **Enroll:** to enable remote device management, devices must be enrolled in Intune with an account in your Microsoft Entra tenant. Some enrollment methods require an IT administrator to initiate enrollment, while others require students to complete the initial device setup process. This document discusses the facets of various device enrollment methodologies
 - **Configure:** once the devices are enrolled in Intune, applications and settings will be applied, as defined by the IT administrator
 - **Protect and manage:** in addition to its configuration capabilities, Intune for Education helps protect devices from unauthorized access or malicious attacks. For example, adding an extra layer of authentication with Windows Hello can make devices more secure. Policies are available that let you control settings for Windows Firewall, Endpoint Protection, and software updates
 - **Retire:** when it's time to repurpose a device, Intune for Education offers several options, including resetting the device, removing it from management, or wiping school data. In this document, we cover different device return and exchange scenarios
@@ -55,7 +55,7 @@ From enrollment, through configuration and protection, to resetting, Intune for
 
 In the remainder of this document, we'll discuss the key concepts and benefits of modern device management with Microsoft 365 solutions for education. The guidance is organized around the four main pillars of modern device management:
 
-- **Identity management:** setting up and configuring the identity system, with Microsoft 365 Education and Azure Active Directory, as the foundation for user identity and authentication
+- **Identity management:** setting up and configuring the identity system, with Microsoft 365 Education and Microsoft Entra ID, as the foundation for user identity and authentication
 - **Initial setup:** setting up the Intune for Education environment for managing devices, including configuring settings, deploying applications, and defining updates cadence  
 - **Device enrollment:** Setting up Windows devices for deployment and enrolling them in Intune for Education
 - **Device reset:** Resetting managed devices with Intune for Education
@@ -63,10 +63,10 @@ In the remainder of this document, we'll discuss the key concepts and benefits o
 ________________________________________________________
 ## Next steps
 
-Let's begin with the creation and configuration of your Azure AD tenant and Intune environment.
+Let's begin with the creation and configuration of your Microsoft Entra tenant and Intune environment.
 
 > [!div class="nextstepaction"]
-> [Next: Set up Azure Active Directory >](set-up-azure-ad.md)
+> [Next: Set up Microsoft Entra ID >](set-up-azure-ad.md)
 
 <!-- Reference links in article -->
 
@@ -76,4 +76,4 @@ Let's begin with the creation and configuration of your Azure AD tenant and Intu
 [MEM-4]: /mem/autopilot/windows-autopilot
 [MEM-5]: /mem/autopilot/dfci-management
 
-[INT-1]: /intune-education/what-is-intune-for-education
\ No newline at end of file
+[INT-1]: /intune-education/what-is-intune-for-education
diff --git a/education/windows/tutorial-school-deployment/reset-wipe.md b/education/windows/tutorial-school-deployment/reset-wipe.md
index 488d2513f1..1d0edf123a 100644
--- a/education/windows/tutorial-school-deployment/reset-wipe.md
+++ b/education/windows/tutorial-school-deployment/reset-wipe.md
@@ -86,7 +86,7 @@ There are scenarios that require a device to be deleted from your tenant, for ex
 
 1. If possible, perform a **factory reset (wipe)** of the device. If the device can't be wiped, delete the device from Intune using [these steps][MEM-1]
 1. If the device is registered in Autopilot, delete the Autopilot object using [these steps][MEM-2]
-1. Delete the device from Azure Active Directory using [these steps][MEM-3]
+1. Delete the device from Microsoft Entra ID using [these steps][MEM-3]
 
 ## Autopilot considerations for a motherboard replacement scenario
 
diff --git a/education/windows/tutorial-school-deployment/set-up-azure-ad.md b/education/windows/tutorial-school-deployment/set-up-azure-ad.md
index 6aaea36211..cbfcfae2b5 100644
--- a/education/windows/tutorial-school-deployment/set-up-azure-ad.md
+++ b/education/windows/tutorial-school-deployment/set-up-azure-ad.md
@@ -1,16 +1,16 @@
 ---
-title: Set up Azure Active Directory
-description: Learn how to create and prepare your Azure AD tenant for an education environment.
+title: Set up Microsoft Entra ID
+description: Learn how to create and prepare your Microsoft Entra tenant for an education environment.
 ms.date: 08/31/2022
 ms.topic: tutorial
 appliesto:
 ---
 
-# Set up Azure Active Directory
+# Set up Microsoft Entra ID
 
 The Microsoft platform for education simplifies the management of Windows devices with Intune for Education and Microsoft 365 Education. The first, fundamental step, is to configure the identity infrastructure to manage user access and permissions for your school.
 
-Azure Active Directory (Azure AD), which is included with the Microsoft 365 Education subscription, provides authentication and authorization to any Microsoft cloud services. Identity objects are defined in Azure AD for human identities, like students and teachers, as well as non-human identities, like devices, services, and applications. Once users get Microsoft 365 licenses assigned, they'll be able to consume services and access resources within the tenant. With Microsoft 365 Education, you can manage identities for your teachers and students, assign licenses to devices and users, and create groups for the classrooms.
+Microsoft Entra ID, which is included with the Microsoft 365 Education subscription, provides authentication and authorization to any Microsoft cloud services. Identity objects are defined in Microsoft Entra ID for human identities, like students and teachers, as well as non-human identities, like devices, services, and applications. Once users get Microsoft 365 licenses assigned, they'll be able to consume services and access resources within the tenant. With Microsoft 365 Education, you can manage identities for your teachers and students, assign licenses to devices and users, and create groups for the classrooms.
 
 In this section you will:
 > [!div class="checklist"]
@@ -31,7 +31,7 @@ For more information, see [Create your Office 365 tenant account][M365-1]
 
 The **Microsoft 365 admin center** is the hub for all administrative consoles for the Microsoft 365 cloud. To access the <a href="https://entra.microsoft.com" target="_blank"><u>Microsoft Entra admin center</u></a>, sign in with the same global administrator account when you [created the Microsoft 365 tenant](#create-a-microsoft-365-tenant).
 
-From the Microsoft 365 admin center, you can access different administrative dashboards: Azure Active Directory, Microsoft Intune, Intune for Education, and others:
+From the Microsoft 365 admin center, you can access different administrative dashboards: Microsoft Entra ID, Microsoft Intune, Intune for Education, and others:
 
 :::image type="content" source="./images/m365-admin-center.png" alt-text="*All admin centers* page in *Microsoft 365 admin center*" lightbox="./images/m365-admin-center.png" border="true":::
 
@@ -45,7 +45,7 @@ For more information, see [Overview of the Microsoft 365 admin center][M365-2].
 With the Microsoft 365 tenant in place, it's time to add users, create groups, and assign licenses. All students and teachers need a user account before they can sign in and access the different Microsoft 365 services. There are multiple ways to do this, including using School Data Sync (SDS), synchronizing an on-premises Active Directory, manually, or a combination of the above.
 
 > [!NOTE]
-> Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to [<u>Azure Active Directory sync</u>](#azure-active-directory-sync) below.
+> Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to [<u>Azure Active Directory Sync</u>](#azure-active-directory-sync) below.
 
 ### School Data Sync
 
@@ -61,9 +61,9 @@ For more information, see [Overview of School Data Sync][SDS-1].
 >
 > Remember that you should typically deploy test SDS data (users, groups, and so on) in a separate test tenant, not your school production environment.
 
-### Azure Active Directory sync
+### Azure Active Directory Sync
 
-To integrate an on-premises directory with Azure Active Directory, you can use **Microsoft Azure Active Directory Connect** to synchronize users, groups, and other objects. Azure AD Connect lets you configure the authentication method appropriate for your school, including:
+To integrate an on-premises directory with Microsoft Entra ID, you can use **Microsoft Entra Connect** to synchronize users, groups, and other objects. Microsoft Entra Connect lets you configure the authentication method appropriate for your school, including:
 
 - [Password hash synchronization][AAD-1]
 - [Pass-through authentication][AAD-2]
@@ -79,11 +79,11 @@ There are two options for adding users manually, either individually or in bulk:
 
 1. To add students and teachers as users in Microsoft 365 Education *individually*:
     - Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
-    - Select **Azure Active Directory** > **Users** > **All users** > **New user** > **Create new user**
+    - Select **Microsoft Entra ID** > **Users** > **All users** > **New user** > **Create new user**
     For more information, see [Add users and assign licenses at the same time][M365-3].
 1. To add *multiple* users to Microsoft 365 Education:
     - Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
-    - Select **Azure Active Directory** > **Users** > **All users** > **Bulk operations** > **Bulk create**
+    - Select **Microsoft Entra ID** > **Users** > **All users** > **Bulk operations** > **Bulk create**
 
 For more information, see [Add multiple users in the Microsoft 365 admin center][M365-4].
 ### Create groups
@@ -91,7 +91,7 @@ For more information, see [Add multiple users in the Microsoft 365 admin center]
 Creating groups is important to simplify multiple tasks, like assigning licenses, delegating administration, deploy settings, applications or to distribute assignments to students. To create groups:
 
 1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
-1. Select **Azure Active Directory** > **Groups** > **All groups** > **New group**
+1. Select **Microsoft Entra ID** > **Groups** > **All groups** > **New group**
 1. On the **New group** page, select **Group type** > **Security**
 1. Provide a group name and add members, as needed
 1. Select **Next**
@@ -100,18 +100,18 @@ For more information, see [Create a group in the Microsoft 365 admin center][M36
 
 ### Assign licenses
 
-The recommended way to assign licenses is through group-based licensing. With this method, Azure AD ensures that licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses, and when members leave, their licenses are removed.
+The recommended way to assign licenses is through group-based licensing. With this method, Microsoft Entra ID ensures that licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses, and when members leave, their licenses are removed.
 
 To assign a license to a group:
 
 1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
-1. Select **Azure Active Directory** > **Show More** > **Billing** > **Licenses**
+1. Select **Microsoft Entra ID** > **Show More** > **Billing** > **Licenses**
 1. Select the required products that you want to assign licenses for > **Assign**
 1. Add the groups to which the licenses should be assigned
 
    :::image type="content" source="images/entra-assign-licenses.png" alt-text="Assign licenses from Microsoft Entra admin center." lightbox="images/entra-assign-licenses.png":::
 
-For more information, see [Group-based licensing using Azure AD admin center][AAD-4].
+For more information, see [Group-based licensing using Microsoft Entra admin center][AAD-4].
 
 ## Configure school branding
 
@@ -120,26 +120,26 @@ Configuring your school branding enables a more familiar Autopilot experience to
 To configure your school's branding:
 
 1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
-1. Select **Azure Active Directory** > **Show More** > **User experiences** > **Company branding**
+1. Select **Microsoft Entra ID** > **Show More** > **User experiences** > **Company branding**
 1. You can specify brand settings like background image, logo, username hint and a sign-in page text
-    :::image type="content" source="images/entra-branding.png" alt-text="Configure Azure AD branding from Microsoft Entra admin center." lightbox="images/entra-branding.png":::
-1. To adjust the school tenant's name displayed during OOBE, select **Azure Active Directory** > **Overview** > **Properties**
+    :::image type="content" source="images/entra-branding.png" alt-text="Configure Microsoft Entra ID branding from Microsoft Entra admin center." lightbox="images/entra-branding.png":::
+1. To adjust the school tenant's name displayed during OOBE, select **Microsoft Entra ID** > **Overview** > **Properties**
 1. In the **Name** field, enter the school district or organization's name > **Save**
-    :::image type="content" alt-text="Configure Azure AD tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png" lightbox="images/entra-tenant-name.png":::
+    :::image type="content" alt-text="Configure Microsoft Entra tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png" lightbox="images/entra-tenant-name.png":::
 
 For more information, see [Add branding to your directory][AAD-5].
 
 ## Enable bulk enrollment
 
-If you decide to enroll Windows devices using provisioning packages instead of Windows Autopilot, you must ensure that the provisioning packages can join Windows devices to the Azure AD tenant.
+If you decide to enroll Windows devices using provisioning packages instead of Windows Autopilot, you must ensure that the provisioning packages can join Windows devices to the Microsoft Entra tenant.
 
-To allow provisioning packages to complete the Azure AD Join process:
+To allow provisioning packages to complete the Microsoft Entra join process:
 
 1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
-1. Select **Azure Active Directory** > **Devices** > **Device Settings**
-1. Under **Users may join devices to Azure AD**, select **All**
+1. Select **Microsoft Entra ID** > **Devices** > **Device Settings**
+1. Under **Users may join devices to Microsoft Entra ID**, select **All**
     > [!NOTE]
-    > If it is required that only specific users can join devices to Azure AD, select **Selected**. Ensure that the user account that will create provisioning packages is included in the list of users.
+    > If it is required that only specific users can join devices to Microsoft Entra ID, select **Selected**. Ensure that the user account that will create provisioning packages is included in the list of users.
 1. Select Save
     :::image type="content" source="images/entra-device-settings.png" alt-text="Configure device settings from Microsoft Entra admin center." lightbox="images/entra-device-settings.png":::
 
diff --git a/education/windows/tutorial-school-deployment/toc.yml b/education/windows/tutorial-school-deployment/toc.yml
index 294e70dc20..a332eb8656 100644
--- a/education/windows/tutorial-school-deployment/toc.yml
+++ b/education/windows/tutorial-school-deployment/toc.yml
@@ -3,7 +3,7 @@ items:
     href: index.md
   - name: 1. Prepare your tenant
     items:
-      - name: Set up Azure Active Directory
+      - name: Set up Microsoft Entra ID
         href: set-up-azure-ad.md
       - name: Set up Microsoft Intune
         href: set-up-microsoft-intune.md
@@ -19,7 +19,7 @@ items:
     items: 
       - name: Overview
         href: enroll-overview.md
-      - name: Enroll devices via Azure AD join
+      - name: Enroll devices via Microsoft Entra join
         href: enroll-aadj.md
       - name: Enroll devices with provisioning packages
         href: enroll-package.md
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 301a6d1da2..f9a55de678 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -11,7 +11,7 @@ appliesto:
 IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings the app configures through the MDM.   
 
 Set up School PCs also:  
-* Joins each student PC to your organization's Office 365 and Azure Active Directory tenant.  
+* Joins each student PC to your organization's Office 365 and Microsoft Entra tenant.  
 * Enables the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state.  
 * Utilizes Windows Update and maintenance hours to keep student PCs up-to-date, without interfering with class time.
 * Locks down the student PC to prevent activity that isn't beneficial to their education.  
@@ -21,7 +21,7 @@ This article describes how to fill out your school's information in the Set up S
 ## Requirements    
 Before you begin, make sure that you, your computer, and your school's network are configured with the following requirements.
 
-* Office 365 and Azure Active Directory
+* Office 365 and Microsoft Entra ID
 * [Latest Set up School PCs app](https://www.microsoft.com/store/apps/9nblggh4ls40)  
 * A NTFS-formatted USB drive that is at least 1 GB, if not installing Office; and at least 8 GB, if installing Office
 * Student PCs must either: 
@@ -99,7 +99,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
 Type a unique name to help distinguish your school's provisioning packages. The name appears:  
 
 * On the local package folder  
-* In your tenant's Azure AD account in the Azure portal  
+* In your tenant's Microsoft Entra account in the Azure portal  
 
 A package expiration date is also attached to the end of each package. For example, *Set_Up_School_PCs (Expires 4-16-2019)*. The expiration date is 180 days after you create your package.  
 
@@ -107,13 +107,13 @@ A package expiration date is also attached to the end of each package. For examp
 
 After you click **Next**, you can no longer change the name in the app. To create a package with a different name, reopen the Set up School PCs app.  
 
-To change an existing package's name, right-click the package folder on your device and select **Rename**. This action does not change the name in Azure AD. If you have Global Admin permissions, you can go to Azure AD in the Azure portal, and rename the package there.  
+To change an existing package's name, right-click the package folder on your device and select **Rename**. This action does not change the name in Microsoft Entra ID. If you have Global Admin permissions, you can go to Microsoft Entra ID in the Azure portal, and rename the package there.  
 
 
 ### Sign in  
 
 1. Select how you want to sign in.  
-    a. (Recommended) To enable student PCs to automatically be connect to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**. Then go to step 3.  
+    a. (Recommended) To enable student PCs to automatically be connect to Office 365, Microsoft Entra ID, and management services like Intune for Education, click **Sign-in**. Then go to step 3.  
     b. To complete setup without signing in, click **Continue without account**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. Continue to [Wireless network](#wireless-network).  
 2. In the new window, select the account you want to use throughout setup.  
 
@@ -170,7 +170,7 @@ The following table describes each setting and lists the applicable Windows 10 v
 |Allow local storage (not recommended for shared devices)    |X|X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC.         |Not recommended if the device will be shared between different students.|
 |Optimize device for a single student, instead of a shared cart or lab    |X|X|X|X|Optimizes the device for use by a single student, rather than many students.       |Recommended if the device will be shared between different students. Single-optimized accounts are set to expire, and require a sign-in, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
 |Let guests sign in to these PCs     |X|X|X|X|Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.|
-|Enable Autopilot Reset  |Not available|X|X|X|Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Azure AD and MDM).  |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
+|Enable Autopilot Reset  |Not available|X|X|X|Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Microsoft Entra ID and MDM).  |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
 |Lock screen background|X|X|X|X|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.|   
 
 After you've made your selections, click **Next**.
@@ -276,8 +276,6 @@ When used in context of the Set up School PCs app, the word *package* refers to
 
      ![Screen with message telling user to remove the USB drive.](images/suspcs/suspc_setup_removemediamessage.png)  
 
-4. If you didn't set up the package with Azure AD Join, continue the Windows device setup experience.  If you did configure the package with Azure AD Join, the computer is ready for use and no further configurations are required.  
+4. If you didn't set up the package with Microsoft Entra join, continue the Windows device setup experience.  If you did configure the package with Microsoft Entra join, the computer is ready for use and no further configurations are required.  
 
       If successful, you'll see a setup complete message. The PCs start up on the lock screen, with your school's custom background. Upon first use, students and teachers can connect to your school's network and resources.
-
-
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index e484296ed5..85683ac20e 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -86,10 +86,13 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `Absolute Software Endpoint Agent`        | 7.20.0.1          | `Win32`    | `Absolute Software Corporation`           |
 | `AirSecure`                               | 8.0.0             | `Win32`    | `AIR`                                     |
 | `Alertus Desktop`                         | 5.4.48.0          | `Win32`    | `Alertus technologies`                    |
+| `AristotleK12 Borderless Classroom `      | 3.0.11.           | `Win32`    | `Sergeant Laboratories`                   |
+| `AristotleK12 Analytics `                 | 10.0.6            | `Win32`    | `Sergeant Laboratories`                   |
+| `AristotleK12 Network filter`             | 3.1.10            | `Win32`    | `Sergeant Laboratories`                   |
 | `Brave Browser`                           | 106.0.5249.119    | `Win32`    | `Brave`                                   |
 | `Bulb Digital Portfolio`                  | 0.0.7.0           | `Store`  | `Bulb`                                    |
-| `CA Secure Browser`                       | 14.0.0            | `Win32`    | `Cambium Development`                     |
-| `Cisco Umbrella`                          | 3.0.343.0         | `Win32`    | `Cisco`                                   |
+| `CA Secure Browser`                       | 15.0.0            | `Win32`    | `Cambium Development`                     |
+| `Cisco Umbrella`                          | 3.0.466.0         | `Win32`    | `Cisco`                                   |
 | `CKAuthenticator`                         | 3.6+              | `Win32`    | `ContentKeeper`                           |
 | `Class Policy`                            | 116.0.0           | `Win32`    | `Class Policy`                            |
 | `Classroom.cloud`                         | 1.40.0004         | `Win32`    | `NetSupport`                              |
@@ -97,7 +100,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `CoGat Secure Browser`                    | 11.0.0.19         | `Win32`    | `Riverside Insights`                      |
 | `ColorVeil`                               | 4.0.0.175         | `Win32`    | `East-Tec`                                | 
 | `ContentKeeper Cloud`                     | 9.01.45           | `Win32`    | `ContentKeeper Technologies`              |
-| `DigiExam`                                | 14.0.6            | `Win32`    | `Digiexam`                                |
+| `DigiExam`                                | 14.1.0            | `Win32`    | `Digiexam`                                |
+| `Digital Secure testing browser`          | 15.0.0            | `Win32`    | `Digiexam`                                |
 | `Dragon Professional Individual`          | 15.00.100         | `Win32`    | `Nuance Communications`                   |
 | `DRC INSIGHT Online Assessments`          | 13.0.0.0          | `Store`  | `Data recognition Corporation`            |
 | `Duo from Cisco`                          | 3.0.0             | `Win32`    | `Cisco`                                   |
@@ -106,6 +110,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `EasyReader`                              | 10.0.4.498        | `Win32`    | `Dolphin Computer Access`                 |
 | `Easysense 2`                             | 1.32.0001         | `Win32`    | `Data Harvest`                            |
 | `Epson iProjection`                       | 3.31              | `Win32`    | `Epson`                                   |
+| `ESET Endpoint Security`                  | 10.1.2046.0       | `Win32`    | `ESET`                                    |
+| `ESET Remote Administrator Agent`         | 10.0.1126.0       | `Win32`    | `ESET`                                    |
 | `eTests`                                  | 4.0.25            | `Win32`    | `CASAS`                                   |
 | `Exam Writepad`                           | 23.2.4.2338       | `Win32`    | `Sheldnet`                                |
 | `FirstVoices Keyboard`                    | 15.0.270          | `Win32`    | `SIL International`                       |
@@ -117,22 +123,26 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `GuideConnect`                            | 1.24              | `Win32`    | `Dolphin Computer Access`                 |
 | `Illuminate Lockdown Browser`             | 2.0.5             | `Win32`    | `Illuminate Education`                    |
 | `Immunet`                                 | 7.5.8.21178       | `Win32`    | `Immunet`                                 |
-| `Impero Backdrop Client`                  | 5.0.87            | `Win32`    | `Impero Software`                         |
+| `Impero Backdrop Client`                  | 5.0.151           | `Win32`    | `Impero Software`                         |
 | `IMT Lazarus`                             | 2.86.0            | `Win32`    | `IMTLazarus`                              |
 | `Inspiration 10`                          | 10.11             | `Win32`    | `TechEdology Ltd`                         |
 | `JAWS for Windows`                        | 2022.2112.24      | `Win32`    | `Freedom Scientific`                      |
 | `Kite Student Portal`                     | 9.0.0.0           | `Win32`    | `Dynamic Learning Maps`                   |
-| `Keyman`                                  | 16.0.138          | `Win32`    | `SIL International`                       |
+| `Keyman`                                  | 16.0.141          | `Win32`    | `SIL International`                       |
 | `Kortext`                                 | 2.3.433.0         | `Store`  | `Kortext`                                 |
 | `Kurzweil 3000 Assistive Learning`        | 20.13.0000        | `Win32`    | `Kurzweil Educational Systems`            |
 | `LanSchool Classic`                       | 9.1.0.46          | `Win32`    | `Stoneware, Inc.`                         |
 | `LanSchool Air`                           | 2.0.13312         | `Win32`    | `Stoneware, Inc.`                         |
+| `Lexibar`                                 | 3.07.02           | `Win32`    | `Lexibar`                                 |
+| `LGfL HomeProtect`                        | 8.3.44.11         | `Win32`    | `LGFL`                                    |
 | `Lightspeed Smart Agent`                  | 1.9.1             | `Win32`    | `Lightspeed Systems`                      |
 | `Lightspeed Filter Agent`                 | 2.3.4             | `Win32`    | `Lightspeed Systems`                      |
-| `MetaMoJi ClassRoom`                      | 3.12.4.0          | `Store`  | `MetaMoJi Corporation`                    |
-| `Microsoft Connect`                       | 10.0.22000.1      | `Store`  | `Microsoft`                               |
-| `Mozilla Firefox`                         | 105.0.0           | `Win32`    | `Mozilla`                                 |
-| `Mobile Plans`                            | 5.1911.3171.0     | `Store`  | `Microsoft Corporation`                   |
+| `Lightspeed Digital`                      | 3.12.3.11         | `Win32`    | `Lightspeed Systems`                      |
+| `MetaMoJi ClassRoom`                      | 3.12.4.0          | `Store`    | `MetaMoJi Corporation`                    |
+| `Microsoft Connect`                       | 10.0.22000.1      | `Store`    | `Microsoft`                               |
+| `Mozilla Firefox`                         | 116.0.2           | `Win32`    | `Mozilla`                                 |
+| `Mobile Plans`                            | 5.1911.3171.0     | `Store`    | `Microsoft Corporation`                   |
+| `Musescore`                               | 4.1.1.232071203   | `Win32`    | `Musescore`                               |
 | `NAPLAN`                                  | 5.2.2             | `Win32`    | `NAP`                                     |
 | `Netref Student`                          | 23.1.0            | `Win32`    | `NetRef`                                  |
 | `NetSupport DNA`                          | 4.80.0000         | `Win32`    | `NetSupport`                              |
@@ -140,21 +150,23 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `NetSupport Notify`                       | 5.10.1.223        | `Win32`    | `NetSupport`                              |
 | `NetSupport School`                       | 14.00.0012        | `Win32`    | `NetSupport`                              |
 | `NextUp Talker`                           | 1.0.49            | `Win32`    | `NextUp Technologies`                     |
-| `NonVisual Desktop Access`                | 2021.3.1          | `Win32`    | `NV Access`                               |
+| `Netsweeper Workstation Agent`            | 4.50.54.54        | `Win32`    | `Netsweeper`                              |
+| `NonVisual Desktop Access`                | 2023.1.           | `Win32`    | `NV Access`                               |
 | `NWEA Secure Testing Browser`             | 5.4.387.0         | `Win32`    | `NWEA`                                    |
 | `PC Talker Neo`                           | 2209              | `Win32`    | `Kochi System Development`                |
 | `PC Talker Neo Plus`                      | 2209              | `Win32`    | `Kochi System Development`                |
 | `PaperCut`                                | 22.0.6            | `Win32`    | `PaperCut Software International Pty Ltd` |
-| `Pearson TestNav`                         | 1.11.3            | `Store`  | `Pearson`                                 |
-| `Project Monarch Outlook`                 | 1.2022.2250001    | `Store`  | `Microsoft`                               |
+| `Pearson TestNav`                         | 1.11.3            | `Store`    | `Pearson`                                 |
+| `Project Monarch Outlook`                 | 1.2023.831.400    | `Store`    | `Microsoft`                               |
 | `Questar Secure Browser`                  | 5.0.1.456         | `Win32`    | `Questar, Inc`                            |
-| `ReadAndWriteForWindows`                  | 12.0.74           | `Win32`    | `Texthelp Ltd.`                           |
-| `Remote Desktop client (MSRDC)`           | 1.2.4240.0        | `Win32`    | `Microsoft`                               |
+| `ReadAndWriteForWindows`                  | 12.0.78           | `Win32`    | `Texthelp Ltd.`                           |
+| `Remote Desktop client (MSRDC)`           | 1.2.4487.0        | `Win32`    | `Microsoft`                               |
 | `Remote Help`                             | 4.0.1.13          | `Win32`    | `Microsoft`                               |
 | `Respondus Lockdown Browser`              | 2.0.9.03          | `Win32`    | `Respondus`                               |
 | `Safe Exam Browser`                       | 3.5.0.544         | `Win32`    | `Safe Exam Browser`                       |
-|`SchoolYear`                               | 3.4.21             | `Win32`    |`SchoolYear`                              |
+|`SchoolYear`                               | 3.5.4             | `Win32`    |`SchoolYear`                              |
 |`School Manager`                           | 3.6.8.1109        | `Win32`    |`School Manager`                           |
+|`Scratch`                                  | 3.0               | `Win32`    |`MIT`                                      |
 | `Senso.Cloud`                             | 2021.11.15.0      | `Win32`    | `Senso.Cloud`                             |
 | `Skoolnext`                               | 2.19              | `Win32`    | `Skool.net`                               |
 | `Smoothwall Monitor`                      | 2.9.2             | `Win32`    | `Smoothwall Ltd`                          |
@@ -162,11 +174,14 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `SuperNova Magnifier & Speech`            | 21.03             | `Win32`    | `Dolphin Computer Access`                 |
 |`TX Secure Browser`                        | 15.0.0            | `Win32`    | `Cambium Development`                     |
 | `VitalSourceBookShelf`                    | 10.2.26.0         | `Win32`    | `VitalSource Technologies Inc`            |
+|`WA Secure Browser`                        | 16.0.0            | `Win32`    | `Cambium Development`                     |
 | `Winbird`                                 | 19                | `Win32`    | `Winbird Co., Ltd.`                       |
 | `WordQ`                                   | 5.4.29            | `Win32`    | `WordQ`                                   |
+| `Windows SEB`                             | 3.4.0             | `Win32`    | `Illinois Stateboard of Education`        |
+| `Windows Notepad`                         | 12.0.78           | `Store`    | `Microsoft Corporation`                   |
 | `Zoom`                                    | 5.12.8 (10232)    | `Win32`    | `Zoom`                                    |
-| `ZoomText Fusion`                         | 2023.2303.77.400  | `Win32`    | `Freedom Scientific`                      |
-| `ZoomText Magnifier/Reader`               | 2023.2303.33.400  | `Win32`    | `Freedom Scientific`                      |
+| `ZoomText Fusion`                         | 2023.2307.7.400  | `Win32`    | `Freedom Scientific`                      |
+| `ZoomText Magnifier/Reader`               | 2023.2307.29.400  | `Win32`    | `Freedom Scientific`                      |
 
 ## Add your own applications
 
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index 6536c45279..bea07c4d0b 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -50,7 +50,7 @@ The following settings can't be changed.
 | Visible Folders in File Explorer | By default, the Desktop, Downloads, Documents, and Pictures folders are visible to users in File Explorer. Users can make other folders, like **This PC**, visible in **View** > **Options**. |
 | Launch Windows Maximized  | All Windows are opened in the maximized view.  |
 | Windows Snapping  | Windows snapping is limited to two Windows.  |
-| Allowed Account Types  | Microsoft accounts and Azure AD accounts are allowed. |
+| Allowed Account Types  | Microsoft accounts and Microsoft Entra accounts are allowed. |
 | Virtual Desktops  | Virtual Desktops are blocked. |
 | Microsoft Store  | The Microsoft Store is blocked. |
 | Administrative tools  | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Intune can run. |
diff --git a/includes/configure/provisioning-package-1.md b/includes/configure/provisioning-package-1.md
new file mode 100644
index 0000000000..951ca428e3
--- /dev/null
+++ b/includes/configure/provisioning-package-1.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/12/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+Use the following settings to [create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package):
diff --git a/includes/configure/provisioning-package-2.md b/includes/configure/provisioning-package-2.md
new file mode 100644
index 0000000000..b600e58e47
--- /dev/null
+++ b/includes/configure/provisioning-package-2.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/12/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+[Apply the provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) to the devices that you want to configure.
diff --git a/includes/licensing/_edition-requirements.md b/includes/licensing/_edition-requirements.md
index d64cd242d4..e68a87a3a6 100644
--- a/includes/licensing/_edition-requirements.md
+++ b/includes/licensing/_edition-requirements.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/09/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
@@ -9,79 +9,83 @@ ms.topic: include
 |:---|:---:|:---:|:---:|:---:|
 |**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|
 |**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|
-|**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|❌|Yes|
+|**[Active Directory domain join, Microsoft Entra join, and Microsoft Entra hybrid join with single sign-on (SSO)](/azure/active-directory/devices/concept-directory-join)**|Yes|Yes|Yes|Yes|
+|**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|❌|Yes|
 |**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|
-|**[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)**|Yes|Yes|Yes|Yes|
+|**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|Yes|Yes|Yes|Yes|
 |**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|
 |**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|
-|**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|
 |**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|
-|**[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|
-|**[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)**|Yes|Yes|Yes|Yes|
+|**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|
+|**[BitLocker management](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises)**|Yes|Yes|Yes|Yes|
 |**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|
-|**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|
+|**[Common Criteria certifications](/windows/security/security-foundations/certification/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|
 |**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|
-|**[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes|
-|**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|
+|**[Credential Guard](/windows/security/identity-protection/credential-guard/)**|❌|Yes|❌|Yes|
+|**[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|
 |**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|❌|Yes|
-|**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|
-|**[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|
-|**[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)**|Yes|Yes|Yes|Yes|
+|**[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)**|Yes|Yes|Yes|Yes|
+|**[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|
+|**[Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|
+|**[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)**|Yes|Yes|Yes|Yes|
 |**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes|
-|**[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|
-|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|
+|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)**|Yes|Yes|Yes|Yes|
 |**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes|
+|**[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|
 |**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|
 |**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|
-|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
+|**[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
 |**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes|
 |**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|❌|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|❌|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|❌|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|Yes|❌|Yes|
 |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|❌|Yes|
 |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)**|Yes|Yes|Yes|Yes|
-|**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|
+|**[Microsoft vulnerable driver blocklist](/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|
 |**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|
 |**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|
 |**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|
-|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|❌|Yes|
+|**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|
+|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|❌|Yes|
 |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|
 |**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|
 |**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
 |**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|
-|**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|
+|**[Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)**|Yes|Yes|Yes|Yes|
 |**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|
 |**[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|
-|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
+|**[Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
 |**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|
 |**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|
 |**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
 |**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|
 |**Software Bill of Materials (SBOM)**|Yes|Yes|Yes|Yes|
 |**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|
-|**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|
+|**[Transport Layer Security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|
 |**[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|
 |**[Universal Print](/universal-print/)**|Yes|Yes|Yes|Yes|
 |**[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)**|Yes|Yes|Yes|Yes|
-|**[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|
+|**[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|
 |**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|
+|**[Web sign-in](/windows/security/identity-protection/web-sign-in)**|Yes|Yes|Yes|Yes|
 |**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|
 |**[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)**|Yes|Yes|Yes|Yes|
 |**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|❌|Yes|
-|**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|
+|**[Windows Autopilot](/autopilot/)**|Yes|Yes|Yes|Yes|
 |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
 |**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|
-|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
-|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|
+|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
+|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
 |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
-|**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
+|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|
+|**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
 |**[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|
 |**[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|
diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md
index d9d793ad2b..780ba51ff0 100644
--- a/includes/licensing/_licensing-requirements.md
+++ b/includes/licensing/_licensing-requirements.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/09/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
@@ -9,79 +9,83 @@ ms.topic: include
 |:---|:---:|:---:|:---:|:---:|:---:|
 |**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes|
 |**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|Yes|
-|**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|Yes|Yes|Yes|
+|**[Active Directory domain join, Microsoft Entra join, and Microsoft Entra hybrid join with single sign-on (SSO)](/azure/active-directory/devices/concept-directory-join)**|Yes|Yes|Yes|Yes|Yes|
+|**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|Yes|Yes|Yes|
 |**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes|
-|**[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)**|❌|Yes|Yes|Yes|Yes|
+|**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|❌|Yes|Yes|Yes|Yes|
 |**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes|
 |**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes|
-|**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|Yes|
 |**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|Yes|
-|**[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|Yes|
-|**[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)**|❌|Yes|Yes|Yes|Yes|
+|**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|Yes|
+|**[BitLocker management](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises)**|❌|Yes|Yes|Yes|Yes|
 |**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|Yes|
-|**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|Yes|
+|**[Common Criteria certifications](/windows/security/security-foundations/certification/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|Yes|
 |**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|Yes|
-|**[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes|
-|**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|Yes|
+|**[Credential Guard](/windows/security/identity-protection/credential-guard/)**|❌|Yes|Yes|Yes|Yes|
+|**[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|Yes|
 |**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|Yes|Yes|Yes|
-|**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|Yes|
-|**[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|Yes|
-|**[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)**|Yes|Yes|Yes|Yes|Yes|
+|**[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)**|Yes|Yes|Yes|Yes|Yes|
+|**[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|Yes|
+|**[Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|Yes|
+|**[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)**|Yes|Yes|Yes|Yes|Yes|
 |**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes|Yes|
-|**[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|Yes|
-|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes|
-|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|❌|Yes|Yes|
+|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes|
+|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|Yes|Yes|❌|❌|
+|**[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|Yes|
 |**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|Yes|
 |**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|Yes|
-|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|Yes|
+|**[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|Yes|
 |**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes|Yes|
 |**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|❌|❌|❌|❌|
 |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes|
-|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)**|Yes|Yes|Yes|Yes|Yes|
-|**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft vulnerable driver blocklist](/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|Yes|
 |**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes|
-|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|Yes|Yes|Yes|
+|**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|Yes|
+|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|Yes|Yes|Yes|
 |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|
 |**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes|
 |**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
 |**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|Yes|
-|**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes|
+|**[Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes|
 |**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|Yes|
 |**[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|Yes|
-|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
+|**[Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
 |**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|Yes|
 |**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
 |**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|Yes|
 |**Software Bill of Materials (SBOM)**|Yes|Yes|Yes|Yes|Yes|
 |**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|Yes|
-|**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Transport Layer Security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Universal Print](/universal-print/)**|❌|Yes|Yes|Yes|Yes|
 |**[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)**|Yes|Yes|Yes|Yes|Yes|
-|**[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|Yes|
+|**[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|Yes|
 |**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|Yes|
+|**[Web sign-in](/windows/security/identity-protection/web-sign-in)**|Yes|Yes|Yes|Yes|Yes|
 |**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|Yes|❌|❌|
-|**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Autopilot](/autopilot/)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|Yes|
diff --git a/includes/licensing/access-control-aclsacl.md b/includes/licensing/access-control-aclsacl.md
index 8adad0309e..7914dd8fd5 100644
--- a/includes/licensing/access-control-aclsacl.md
+++ b/includes/licensing/access-control-aclsacl.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/account-lockout-policy.md b/includes/licensing/account-lockout-policy.md
index 1e7a0d8661..3ca26ae6ea 100644
--- a/includes/licensing/account-lockout-policy.md
+++ b/includes/licensing/account-lockout-policy.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/active-directory-domain-join-microsoft-entra-join-and-microsoft-entra-hybrid-join-with-single-sign-on-sso.md b/includes/licensing/active-directory-domain-join-microsoft-entra-join-and-microsoft-entra-hybrid-join-with-single-sign-on-sso.md
new file mode 100644
index 0000000000..c8c1eacf14
--- /dev/null
+++ b/includes/licensing/active-directory-domain-join-microsoft-entra-join-and-microsoft-entra-hybrid-join-with-single-sign-on-sso.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/18/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Active Directory domain join, Microsoft Entra join, and Microsoft Entra hybrid join with single sign-on (SSO):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Active Directory domain join, Microsoft Entra join, and Microsoft Entra hybrid join with single sign-on (SSO) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/always-on-vpn-device-tunnel.md b/includes/licensing/always-on-vpn-device-tunnel.md
index 08d98ed800..c02b90d456 100644
--- a/includes/licensing/always-on-vpn-device-tunnel.md
+++ b/includes/licensing/always-on-vpn-device-tunnel.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/app-containers.md b/includes/licensing/app-containers.md
index 0d698a7bfb..8777c075d8 100644
--- a/includes/licensing/app-containers.md
+++ b/includes/licensing/app-containers.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/applocker.md b/includes/licensing/applocker.md
index 54cc165d41..26e08b6b83 100644
--- a/includes/licensing/applocker.md
+++ b/includes/licensing/applocker.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/assigned-access-kiosk-mode.md b/includes/licensing/assigned-access-kiosk-mode.md
index 066c7badc4..f14704f482 100644
--- a/includes/licensing/assigned-access-kiosk-mode.md
+++ b/includes/licensing/assigned-access-kiosk-mode.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/attack-surface-reduction-asr.md b/includes/licensing/attack-surface-reduction-asr.md
index 7d481ce4bf..3f2b9094aa 100644
--- a/includes/licensing/attack-surface-reduction-asr.md
+++ b/includes/licensing/attack-surface-reduction-asr.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/azure-code-signing.md b/includes/licensing/azure-code-signing.md
index dc29a35e27..ace7222901 100644
--- a/includes/licensing/azure-code-signing.md
+++ b/includes/licensing/azure-code-signing.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/bitlocker-enablement.md b/includes/licensing/bitlocker-enablement.md
index 56f85845aa..42fdd23a24 100644
--- a/includes/licensing/bitlocker-enablement.md
+++ b/includes/licensing/bitlocker-enablement.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/bitlocker-management.md b/includes/licensing/bitlocker-management.md
index a0c68f72ee..c9c3827684 100644
--- a/includes/licensing/bitlocker-management.md
+++ b/includes/licensing/bitlocker-management.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/bluetooth-pairing-and-connection-protection.md b/includes/licensing/bluetooth-pairing-and-connection-protection.md
index 171fe3f9b2..62054635e0 100644
--- a/includes/licensing/bluetooth-pairing-and-connection-protection.md
+++ b/includes/licensing/bluetooth-pairing-and-connection-protection.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/common-criteria-certifications.md b/includes/licensing/common-criteria-certifications.md
index 528a497f37..1eef471e1f 100644
--- a/includes/licensing/common-criteria-certifications.md
+++ b/includes/licensing/common-criteria-certifications.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/controlled-folder-access.md b/includes/licensing/controlled-folder-access.md
index 25d04b1c49..653c17f98a 100644
--- a/includes/licensing/controlled-folder-access.md
+++ b/includes/licensing/controlled-folder-access.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/credential-guard.md b/includes/licensing/credential-guard.md
index b5eea7128d..43c956dd67 100644
--- a/includes/licensing/credential-guard.md
+++ b/includes/licensing/credential-guard.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/device-health-attestation-service.md b/includes/licensing/device-health-attestation-service.md
index 7ed2add45f..8262e8af6c 100644
--- a/includes/licensing/device-health-attestation-service.md
+++ b/includes/licensing/device-health-attestation-service.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/direct-access.md b/includes/licensing/direct-access.md
index 057c5a2cea..7ff5d0349a 100644
--- a/includes/licensing/direct-access.md
+++ b/includes/licensing/direct-access.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/fast-identity-online-fido2-security-key.md b/includes/licensing/domain-name-system-dns-security.md
similarity index 70%
rename from includes/licensing/fast-identity-online-fido2-security-key.md
rename to includes/licensing/domain-name-system-dns-security.md
index 9985309552..6c201664a7 100644
--- a/includes/licensing/fast-identity-online-fido2-security-key.md
+++ b/includes/licensing/domain-name-system-dns-security.md
@@ -1,19 +1,19 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
 ## Windows edition and licensing requirements
 
-The following table lists the Windows editions that support Fast Identity Online (FIDO2) security key:
+The following table lists the Windows editions that support Domain Name System (DNS) security:
 
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 
-Fast Identity Online (FIDO2) security key license entitlements are granted by the following licenses:
+Domain Name System (DNS) security license entitlements are granted by the following licenses:
 
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
diff --git a/includes/licensing/email-encryption-smime.md b/includes/licensing/email-encryption-smime.md
index 6895c5b618..0b6eba0e94 100644
--- a/includes/licensing/email-encryption-smime.md
+++ b/includes/licensing/email-encryption-smime.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/encrypted-hard-drive.md b/includes/licensing/encrypted-hard-drive.md
index 16225d6ee6..250860e3d7 100644
--- a/includes/licensing/encrypted-hard-drive.md
+++ b/includes/licensing/encrypted-hard-drive.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/enhanced-phishing-protection-with-smartscreen.md b/includes/licensing/enhanced-phishing-protection-with-smartscreen.md
index ae4cd8568a..f3e9d9e7eb 100644
--- a/includes/licensing/enhanced-phishing-protection-with-smartscreen.md
+++ b/includes/licensing/enhanced-phishing-protection-with-smartscreen.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/exploit-protection.md b/includes/licensing/exploit-protection.md
index 7a46f2cc0a..e3cc381820 100644
--- a/includes/licensing/exploit-protection.md
+++ b/includes/licensing/exploit-protection.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/federal-information-processing-standard-fips-140-validation.md b/includes/licensing/federal-information-processing-standard-fips-140-validation.md
index a06133b313..255e023c53 100644
--- a/includes/licensing/federal-information-processing-standard-fips-140-validation.md
+++ b/includes/licensing/federal-information-processing-standard-fips-140-validation.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/federated-sign-in.md b/includes/licensing/federated-sign-in.md
index 0d01c1968f..701d2a3bde 100644
--- a/includes/licensing/federated-sign-in.md
+++ b/includes/licensing/federated-sign-in.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
@@ -17,6 +17,6 @@ Federated sign-in license entitlements are granted by the following licenses:
 
 |Windows Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
-|Yes|No|No|Yes|Yes|
+|Yes|Yes|Yes|No|No|
 
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/access-control-aclsscals.md b/includes/licensing/fido2-security-key.md
similarity index 72%
rename from includes/licensing/access-control-aclsscals.md
rename to includes/licensing/fido2-security-key.md
index 9d8830c6cd..a75a664ba2 100644
--- a/includes/licensing/access-control-aclsscals.md
+++ b/includes/licensing/fido2-security-key.md
@@ -1,19 +1,19 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
 ## Windows edition and licensing requirements
 
-The following table lists the Windows editions that support Access Control (ACLs/SCALS):
+The following table lists the Windows editions that support FIDO2 security key:
 
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 
-Access Control (ACLs/SCALS) license entitlements are granted by the following licenses:
+FIDO2 security key license entitlements are granted by the following licenses:
 
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
diff --git a/includes/licensing/hardware-enforced-stack-protection.md b/includes/licensing/hardware-enforced-stack-protection.md
index 8a2fe75e78..015c2029c7 100644
--- a/includes/licensing/hardware-enforced-stack-protection.md
+++ b/includes/licensing/hardware-enforced-stack-protection.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/hypervisor-protected-code-integrity-hvci.md b/includes/licensing/hypervisor-protected-code-integrity-hvci.md
index a6800d9403..6ec3e17ec0 100644
--- a/includes/licensing/hypervisor-protected-code-integrity-hvci.md
+++ b/includes/licensing/hypervisor-protected-code-integrity-hvci.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/kernel-direct-memory-access-dma-protection.md b/includes/licensing/kernel-direct-memory-access-dma-protection.md
index 52b159827e..b6a67f8b82 100644
--- a/includes/licensing/kernel-direct-memory-access-dma-protection.md
+++ b/includes/licensing/kernel-direct-memory-access-dma-protection.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/local-security-authority-lsa-protection.md b/includes/licensing/local-security-authority-lsa-protection.md
index fafa59de66..9fb5ffeb78 100644
--- a/includes/licensing/local-security-authority-lsa-protection.md
+++ b/includes/licensing/local-security-authority-lsa-protection.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/measured-boot.md b/includes/licensing/measured-boot.md
index 407e64eefe..6d62dc4f3e 100644
--- a/includes/licensing/measured-boot.md
+++ b/includes/licensing/measured-boot.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-antivirus.md b/includes/licensing/microsoft-defender-antivirus.md
index 357e6daa39..bfa1a523e4 100644
--- a/includes/licensing/microsoft-defender-antivirus.md
+++ b/includes/licensing/microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md b/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md
index bd87e59e22..8b1f61512a 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md
index 8e546d7248..92bde833e7 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md
index 5d3024ffc9..40bd08c713 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md
index 6284c03484..a808fad367 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md b/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md
index de70847881..1451e70955 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-for-endpoint.md b/includes/licensing/microsoft-defender-for-endpoint.md
index 56edc6e24e..3c405e4747 100644
--- a/includes/licensing/microsoft-defender-for-endpoint.md
+++ b/includes/licensing/microsoft-defender-for-endpoint.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-smartscreen.md b/includes/licensing/microsoft-defender-smartscreen.md
index d5b7aae9bd..4f8c6afb14 100644
--- a/includes/licensing/microsoft-defender-smartscreen.md
+++ b/includes/licensing/microsoft-defender-smartscreen.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-pluton.md b/includes/licensing/microsoft-pluton.md
index 31058f139d..6d127fec25 100644
--- a/includes/licensing/microsoft-pluton.md
+++ b/includes/licensing/microsoft-pluton.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-security-development-lifecycle-sdl.md b/includes/licensing/microsoft-security-development-lifecycle-sdl.md
index 7b9411b126..c772ef45b4 100644
--- a/includes/licensing/microsoft-security-development-lifecycle-sdl.md
+++ b/includes/licensing/microsoft-security-development-lifecycle-sdl.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-vulnerable-driver-blocklist.md b/includes/licensing/microsoft-vulnerable-driver-blocklist.md
index 449ac22b52..58866a171a 100644
--- a/includes/licensing/microsoft-vulnerable-driver-blocklist.md
+++ b/includes/licensing/microsoft-vulnerable-driver-blocklist.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-windows-insider-preview-bounty-program.md b/includes/licensing/microsoft-windows-insider-preview-bounty-program.md
index c3cd9dbaf1..fe6aa10f30 100644
--- a/includes/licensing/microsoft-windows-insider-preview-bounty-program.md
+++ b/includes/licensing/microsoft-windows-insider-preview-bounty-program.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/modern-device-management-through-mdm.md b/includes/licensing/modern-device-management-through-mdm.md
index f2a71b791d..07bac3574c 100644
--- a/includes/licensing/modern-device-management-through-mdm.md
+++ b/includes/licensing/modern-device-management-through-mdm.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/onefuzz-service.md b/includes/licensing/onefuzz-service.md
index 25e6a5ef43..d58b1b1f23 100644
--- a/includes/licensing/onefuzz-service.md
+++ b/includes/licensing/onefuzz-service.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/opportunistic-wireless-encryption-owe.md b/includes/licensing/opportunistic-wireless-encryption-owe.md
index 4629b28a5f..2954ec4c83 100644
--- a/includes/licensing/opportunistic-wireless-encryption-owe.md
+++ b/includes/licensing/opportunistic-wireless-encryption-owe.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/passkeys.md b/includes/licensing/passkeys.md
new file mode 100644
index 0000000000..dae8584454
--- /dev/null
+++ b/includes/licensing/passkeys.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/18/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support passkeys:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Passkeys license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/personal-data-encryption-pde.md b/includes/licensing/personal-data-encryption-pde.md
index ed0e014d0e..ff1909674e 100644
--- a/includes/licensing/personal-data-encryption-pde.md
+++ b/includes/licensing/personal-data-encryption-pde.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/privacy-resource-usage.md b/includes/licensing/privacy-resource-usage.md
index 080229688a..656e7d6bde 100644
--- a/includes/licensing/privacy-resource-usage.md
+++ b/includes/licensing/privacy-resource-usage.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/privacy-transparency-and-controls.md b/includes/licensing/privacy-transparency-and-controls.md
index fd57043298..09a88191f1 100644
--- a/includes/licensing/privacy-transparency-and-controls.md
+++ b/includes/licensing/privacy-transparency-and-controls.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/remote-credential-guard.md b/includes/licensing/remote-credential-guard.md
index 8e80d94a84..a9d5e47bfa 100644
--- a/includes/licensing/remote-credential-guard.md
+++ b/includes/licensing/remote-credential-guard.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/remote-wipe.md b/includes/licensing/remote-wipe.md
index 6557c69147..416338f11f 100644
--- a/includes/licensing/remote-wipe.md
+++ b/includes/licensing/remote-wipe.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/secure-boot-and-trusted-boot.md b/includes/licensing/secure-boot-and-trusted-boot.md
index b29dea38c5..1a28ce37fb 100644
--- a/includes/licensing/secure-boot-and-trusted-boot.md
+++ b/includes/licensing/secure-boot-and-trusted-boot.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/secured-core-configuration-lock.md b/includes/licensing/secured-core-configuration-lock.md
index 8acee3baef..065fb9930f 100644
--- a/includes/licensing/secured-core-configuration-lock.md
+++ b/includes/licensing/secured-core-configuration-lock.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/secured-core-pc-firmware-protection.md b/includes/licensing/secured-core-pc-firmware-protection.md
index 21a3a0651a..17d33cd9dd 100644
--- a/includes/licensing/secured-core-pc-firmware-protection.md
+++ b/includes/licensing/secured-core-pc-firmware-protection.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/security-baselines.md b/includes/licensing/security-baselines.md
index bda8037388..697e3c1347 100644
--- a/includes/licensing/security-baselines.md
+++ b/includes/licensing/security-baselines.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/server-message-block-direct-smb-direct.md b/includes/licensing/server-message-block-direct-smb-direct.md
index 683fa8db2e..e40088e7da 100644
--- a/includes/licensing/server-message-block-direct-smb-direct.md
+++ b/includes/licensing/server-message-block-direct-smb-direct.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/server-message-block-smb-file-service.md b/includes/licensing/server-message-block-smb-file-service.md
index cd9276809b..c2417234ba 100644
--- a/includes/licensing/server-message-block-smb-file-service.md
+++ b/includes/licensing/server-message-block-smb-file-service.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/smart-app-control.md b/includes/licensing/smart-app-control.md
index fbc05610fb..8a281fcbd6 100644
--- a/includes/licensing/smart-app-control.md
+++ b/includes/licensing/smart-app-control.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/smart-cards-for-windows-service.md b/includes/licensing/smart-cards-for-windows-service.md
index eb5061e582..f89dfe5b27 100644
--- a/includes/licensing/smart-cards-for-windows-service.md
+++ b/includes/licensing/smart-cards-for-windows-service.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/software-bill-of-materials-sbom.md b/includes/licensing/software-bill-of-materials-sbom.md
index 4d6f832194..72c7191537 100644
--- a/includes/licensing/software-bill-of-materials-sbom.md
+++ b/includes/licensing/software-bill-of-materials-sbom.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/tamper-protection-settings-for-mde.md b/includes/licensing/tamper-protection-settings-for-mde.md
index fe7d7c2314..5fc00e80ef 100644
--- a/includes/licensing/tamper-protection-settings-for-mde.md
+++ b/includes/licensing/tamper-protection-settings-for-mde.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/transport-layer-security-tls.md b/includes/licensing/transport-layer-security-tls.md
index 5642121480..e3893e47b5 100644
--- a/includes/licensing/transport-layer-security-tls.md
+++ b/includes/licensing/transport-layer-security-tls.md
@@ -1,19 +1,19 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
 ## Windows edition and licensing requirements
 
-The following table lists the Windows editions that support Transport layer security (TLS):
+The following table lists the Windows editions that support Transport Layer Security (TLS):
 
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 
-Transport layer security (TLS) license entitlements are granted by the following licenses:
+Transport Layer Security (TLS) license entitlements are granted by the following licenses:
 
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
diff --git a/includes/licensing/trusted-platform-module-tpm.md b/includes/licensing/trusted-platform-module-tpm.md
index 6f757d623a..1c441f151a 100644
--- a/includes/licensing/trusted-platform-module-tpm.md
+++ b/includes/licensing/trusted-platform-module-tpm.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/universal-print.md b/includes/licensing/universal-print.md
index 87828b2774..100a608c5e 100644
--- a/includes/licensing/universal-print.md
+++ b/includes/licensing/universal-print.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/user-account-control-uac.md b/includes/licensing/user-account-control-uac.md
index c34f82f836..5aad4958ad 100644
--- a/includes/licensing/user-account-control-uac.md
+++ b/includes/licensing/user-account-control-uac.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/virtual-private-network-vpn.md b/includes/licensing/virtual-private-network-vpn.md
index eb309a2554..812d47fa6b 100644
--- a/includes/licensing/virtual-private-network-vpn.md
+++ b/includes/licensing/virtual-private-network-vpn.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/virtualization-based-security-vbs.md b/includes/licensing/virtualization-based-security-vbs.md
index 70827aebce..912d2c961d 100644
--- a/includes/licensing/virtualization-based-security-vbs.md
+++ b/includes/licensing/virtualization-based-security-vbs.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/web-sign-in.md b/includes/licensing/web-sign-in.md
new file mode 100644
index 0000000000..73f9fd09e5
--- /dev/null
+++ b/includes/licensing/web-sign-in.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/18/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Web sign-in:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Web sign-in license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/wifi-security.md b/includes/licensing/wifi-security.md
index 3d4a3e17c3..9e2cf75579 100644
--- a/includes/licensing/wifi-security.md
+++ b/includes/licensing/wifi-security.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-application-software-development-kit-sdk.md b/includes/licensing/windows-application-software-development-kit-sdk.md
index d97a10562a..65ba17659f 100644
--- a/includes/licensing/windows-application-software-development-kit-sdk.md
+++ b/includes/licensing/windows-application-software-development-kit-sdk.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-autopatch.md b/includes/licensing/windows-autopatch.md
index 4c866c7106..9d5dab8d27 100644
--- a/includes/licensing/windows-autopatch.md
+++ b/includes/licensing/windows-autopatch.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-autopilot.md b/includes/licensing/windows-autopilot.md
index 1eee13f367..ae6d646c68 100644
--- a/includes/licensing/windows-autopilot.md
+++ b/includes/licensing/windows-autopilot.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-defender-application-control-wdac.md b/includes/licensing/windows-defender-application-control-wdac.md
index 86ab8d5f14..52264205ff 100644
--- a/includes/licensing/windows-defender-application-control-wdac.md
+++ b/includes/licensing/windows-defender-application-control-wdac.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-defender-system-guard.md b/includes/licensing/windows-defender-system-guard.md
index 7e8c06b51d..cecce5edd5 100644
--- a/includes/licensing/windows-defender-system-guard.md
+++ b/includes/licensing/windows-defender-system-guard.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-firewall.md b/includes/licensing/windows-firewall.md
index 8e0bc9faf0..cfdbbca9d9 100644
--- a/includes/licensing/windows-firewall.md
+++ b/includes/licensing/windows-firewall.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md b/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md
index 56e03e6bd4..780134b0ae 100644
--- a/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md
+++ b/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-hello-for-business.md b/includes/licensing/windows-hello-for-business.md
index 95ffbf43a9..229a6ae597 100644
--- a/includes/licensing/windows-hello-for-business.md
+++ b/includes/licensing/windows-hello-for-business.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-laps.md b/includes/licensing/windows-laps.md
index eaddd61d61..d0fa59421e 100644
--- a/includes/licensing/windows-laps.md
+++ b/includes/licensing/windows-laps.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md b/includes/licensing/windows-passwordless-experience.md
similarity index 64%
rename from includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md
rename to includes/licensing/windows-passwordless-experience.md
index 5ae19412dd..e24ee8935e 100644
--- a/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md
+++ b/includes/licensing/windows-passwordless-experience.md
@@ -1,19 +1,19 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
 ## Windows edition and licensing requirements
 
-The following table lists the Windows editions that support Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO):
+The following table lists the Windows editions that support Windows passwordless experience:
 
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 
-Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO) license entitlements are granted by the following licenses:
+Windows passwordless experience license entitlements are granted by the following licenses:
 
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
diff --git a/includes/licensing/windows-presence-sensing.md b/includes/licensing/windows-presence-sensing.md
index 977c729c0c..aba249fcb0 100644
--- a/includes/licensing/windows-presence-sensing.md
+++ b/includes/licensing/windows-presence-sensing.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-sandbox.md b/includes/licensing/windows-sandbox.md
index a486fd64de..65198775ad 100644
--- a/includes/licensing/windows-sandbox.md
+++ b/includes/licensing/windows-sandbox.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-security-policy-settings-and-auditing.md b/includes/licensing/windows-security-policy-settings-and-auditing.md
index a1742270bf..07f612b6ae 100644
--- a/includes/licensing/windows-security-policy-settings-and-auditing.md
+++ b/includes/licensing/windows-security-policy-settings-and-auditing.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/store-for-business/app-inventory-management-microsoft-store-for-business.md b/store-for-business/app-inventory-management-microsoft-store-for-business.md
index 1ac1b42374..950fe7b629 100644
--- a/store-for-business/app-inventory-management-microsoft-store-for-business.md
+++ b/store-for-business/app-inventory-management-microsoft-store-for-business.md
@@ -106,7 +106,7 @@ Employees can claim apps that admins added to the private store by doing the fol
 ### Get and remove private store apps
 **To claim an app from the private store**
 
-1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Microsoft Store app.
+1. Sign in to your computer with your Microsoft Entra credentials, and start the Microsoft Store app.
 2. Click the private store tab.
 3. Click the app you want to install, and then click **Install**.
 
@@ -203,4 +203,4 @@ You can download a preview PowerShell script that uses REST APIs. The script is
 - Perform bulk options using .csv files - this automates license management for customers with large numbers of licenses
 
 > [!NOTE]
-> The Microsoft Store for Business and Education Admin role is required to manage products and to use the MSStore module. This requires advanced knowledge of PowerShell.
\ No newline at end of file
+> The Microsoft Store for Business and Education Admin role is required to manage products and to use the MSStore module. This requires advanced knowledge of PowerShell.
diff --git a/store-for-business/apps-in-microsoft-store-for-business.md b/store-for-business/apps-in-microsoft-store-for-business.md
index 92bced3780..4438a5efb2 100644
--- a/store-for-business/apps-in-microsoft-store-for-business.md
+++ b/store-for-business/apps-in-microsoft-store-for-business.md
@@ -62,7 +62,7 @@ If an employee makes an in-app purchase, they'll make it with their personal Mic
 Microsoft Store supports two options to license apps: online and offline.
 
 ### Online licensing
-Online licensing is the default licensing model and is similar to the model used by Microsoft Store. Online licensed apps require customers and devices to connect to Microsoft Store service to acquire an app and its license. License management is enforced based on the user's Azure AD identity and maintained by Microsoft Store as well as the management tool. By default app updates are handled by Windows Update.
+Online licensing is the default licensing model and is similar to the model used by Microsoft Store. Online licensed apps require customers and devices to connect to Microsoft Store service to acquire an app and its license. License management is enforced based on the user's Microsoft Entra identity and maintained by Microsoft Store as well as the management tool. By default app updates are handled by Windows Update.
 
 Distribution options for online-licensed apps include the ability to:
 
@@ -78,4 +78,4 @@ You have the following distribution options for offline-licensed apps:
 - Include the app in a provisioning package, and then use it as part of imaging a device.
 - Distribute the app through a management tool.
 
-For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-to-your-employees-microsoft-store-for-business.md).
\ No newline at end of file
+For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-to-your-employees-microsoft-store-for-business.md).
diff --git a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
index 8f2ddc7b24..74d05180b7 100644
--- a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
+++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
@@ -27,16 +27,16 @@ ms.date: 05/24/2023
 
 For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content.
 
-Your management tool needs to be installed and configured with Azure AD, in the same directory that you are using for Store for Business. Once that's done, you can configure it to work with Store for Business
+Your management tool needs to be installed and configured with Microsoft Entra ID, in the same directory that you are using for Store for Business. Once that's done, you can configure it to work with Store for Business
 
-**To configure a management tool in Azure AD**
+**To configure a management tool in Microsoft Entra ID**
 
 1. Sign in to the Azure Portal as an Administrator.
-2. Click **Azure Active Directory**, and then choose your directory.
+2. Click **Microsoft Entra ID**, and then choose your directory.
 4. Click **Mobility (MDM and MAM)**.  
 3. Click **+Add Applications**, find the application, and add it to your directory.
 
-After your management tool is added to your Azure AD directory, you can configure it to work with Microsoft Store. You can configure multiple management tools - just repeat the following procedure.
+After your management tool is added to your Microsoft Entra directory, you can configure it to work with Microsoft Store. You can configure multiple management tools - just repeat the following procedure.
 
 **To configure a management tool in Microsoft Store for Business**
 
@@ -49,4 +49,4 @@ Your MDM tool is ready to use with Microsoft Store. To learn how to configure sy
 - [Manage apps you purchased from Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business)
 - [Manage apps from Microsoft Store for Business with Microsoft Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
 
-For third-party MDM providers or management servers, check your product documentation.
\ No newline at end of file
+For third-party MDM providers or management servers, check your product documentation.
diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md
index e391ccb12a..a7c0db425c 100644
--- a/store-for-business/distribute-apps-from-your-private-store.md
+++ b/store-for-business/distribute-apps-from-your-private-store.md
@@ -61,7 +61,7 @@ Employees can claim apps that admins added to the private store by doing the fol
 
 **To claim an app from the private store**
 
-1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start Microsoft Store app.
+1. Sign in to your computer with your Microsoft Entra credentials, and start Microsoft Store app.
 2. Click the **private store** tab.
 3. Click the app you want to install, and then click **Install**.
 
diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md
index 77faaf7d85..0d0f36b0db 100644
--- a/store-for-business/distribute-apps-with-management-tool.md
+++ b/store-for-business/distribute-apps-with-management-tool.md
@@ -27,9 +27,9 @@ ms.date: 05/24/2023
 
 You can configure a mobile device management (MDM) tool to synchronize your Microsoft Store for Business or Microsoft Store for Education inventory. Microsoft Store management tool services work with MDM tools to manage content.
 
-Your MDM tool needs to be installed and configured in Azure AD, in the same Azure AD directory used with Microsoft Store.
+Your MDM tool needs to be installed and configured in Microsoft Entra ID, in the same Microsoft Entra directory used with Microsoft Store.
 
-In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Microsoft Store for Business or Microsoft Store for Education. This allows the MDM tool to call Microsoft Store management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md) and [Manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business).
+In Microsoft Entra management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Microsoft Entra ID, you can authorize the tool to work with the Microsoft Store for Business or Microsoft Store for Education. This allows the MDM tool to call Microsoft Store management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md) and [Manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business).
 
 Microsoft Store services provide:
 
@@ -40,9 +40,9 @@ Microsoft Store services provide:
 
 MDM tool requirements:
 
--   Must be an Azure Active Directory (AD) application to authenticate against the Store for Business services.
--   Must be configured in Azure AD, and Microsoft Store.
--   Azure AD identity is required to authorize Microsoft Store services.
+-   Must be a Microsoft Entra application to authenticate against the Store for Business services.
+-   Must be configured in Microsoft Entra ID, and Microsoft Store.
+-   Microsoft Entra identity is required to authorize Microsoft Store services.
 
 ## Distribute offline-licensed apps
 
diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
index d4049b9caa..eefa9c7b90 100644
--- a/store-for-business/distribute-offline-apps.md
+++ b/store-for-business/distribute-offline-apps.md
@@ -35,7 +35,7 @@ Offline-licensed apps offer an alternative to online apps, and provide additiona
 
 - **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD).
 
-- **Your employees do not have Azure Active Directory (AD) accounts** - Azure AD accounts are required for employees that install apps assigned to them from Microsoft Store or that claim apps from a private store.
+- **Your employees do not have Microsoft Entra accounts** - Microsoft Entra accounts are required for employees that install apps assigned to them from Microsoft Store or that claim apps from a private store.
 
 ## Distribution options for offline-licensed apps
 
@@ -79,4 +79,4 @@ There are several items to download or create for offline-licensed apps. The app
     - **To download an app framework**: Find the framework you need to support your app package, and click **Download**. This is optional.
 
 > [!NOTE]
-> You need the framework to support your app package, but if you already have a copy, you don't need to download it again. Frameworks are backward compatible.
\ No newline at end of file
+> You need the framework to support your app package, but if you already have a copy, you don't need to download it again. Frameworks are backward compatible.
diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json
index f0006e84b3..ba3d25fe32 100644
--- a/store-for-business/docfx.json
+++ b/store-for-business/docfx.json
@@ -67,7 +67,10 @@
         "v-dihans",        
         "garycentric",
         "v-stsavell",
-        "beccarobins"
+        "beccarobins",
+        "Stacyrch140",
+        "v-stsavell",
+        "American-Dipper"
       ]
     },
     "fileMetadata": {},
diff --git a/store-for-business/index.md b/store-for-business/index.md
index 2d6b07538f..b018c5e595 100644
--- a/store-for-business/index.md
+++ b/store-for-business/index.md
@@ -30,7 +30,7 @@ Welcome to the Microsoft Store for Business and Education! You can use Microsoft
 >
 > - As of April 14, 2021, all apps that charge a base price above free are no longer available to buy in the Microsoft Store for Business and Education. If you've already bought a paid app, you can still use it, but no new purchases are possible from businessstore.microsoft.com or educationstore.microsoft.com. Also, you can't buy additional licenses for apps you already bought. You can still assign and reassign licenses for apps that you already own and use from the private store. Apps with a base price of "free" are still available. This change doesn't impact apps in the Microsoft Store on Windows 10.
 >
-> - Also as of April 14, 2021, you must sign in with your Azure Active Directory (Azure AD) account before you browse Microsoft Store for Business and Education.
+> - Also as of April 14, 2021, you must sign in with your Microsoft Entra account before you browse Microsoft Store for Business and Education.
 
 ## In this section
 
@@ -40,5 +40,5 @@ Welcome to the Microsoft Store for Business and Education! You can use Microsoft
 | [Find and acquire apps](find-and-acquire-apps-overview.md) | Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization. |
 | [Manage apps](manage-apps-microsoft-store-for-business-overview.md) | Manage settings and access to apps in Microsoft Store for Business and Education. |
 | [Device Guard signing portal](device-guard-signing-portal.md) | Device Guard signing is a Device Guard feature that is available in the Microsoft Store for Business and Education. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files. |
-| [Manage settings in the Microsoft Store for Business and Education](manage-settings-microsoft-store-for-business.md) | You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant |
-| [Troubleshoot Microsoft Store for Business and Education](troubleshoot-microsoft-store-for-business.md) | Troubleshooting topics for Microsoft Store for Business and Education. |
\ No newline at end of file
+| [Manage settings in the Microsoft Store for Business and Education](manage-settings-microsoft-store-for-business.md) | You can add users and groups, as well as update some of the settings associated with the Microsoft Entra tenant |
+| [Troubleshoot Microsoft Store for Business and Education](troubleshoot-microsoft-store-for-business.md) | Troubleshooting topics for Microsoft Store for Business and Education. |
diff --git a/store-for-business/manage-settings-microsoft-store-for-business.md b/store-for-business/manage-settings-microsoft-store-for-business.md
index ad7a735cf4..7ae3789d4b 100644
--- a/store-for-business/manage-settings-microsoft-store-for-business.md
+++ b/store-for-business/manage-settings-microsoft-store-for-business.md
@@ -1,6 +1,6 @@
 ---
 title: Manage settings for Microsoft Store for Business and Microsoft Store for Education (Windows 10)
-description: You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant.
+description: You can add users and groups, as well as update some of the settings associated with the Microsoft Entra tenant.
 ms.assetid: E3283D77-4DB2-40A9-9479-DDBC33D5A895
 ms.reviewer: 
 ms.mktglfcycl: manage
@@ -25,7 +25,7 @@ ms.date: 05/24/2023
 > - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 > - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed).
 
-You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant.
+You can add users and groups, as well as update some of the settings associated with the Microsoft Entra tenant.
 
 ## In this section
 
@@ -34,5 +34,3 @@ You can add users and groups, as well as update some of the settings associated
 | [Update Microsoft Store for Business and Education account settings](update-microsoft-store-for-business-account-settings.md) | **Billing - Account profile**  in Microsoft Store for Business shows information about your organization that you can update. Payment options can be managed on **Billing - Payment methods**, and offline license settings can be managed on **Settings - Shop**. |
 | [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md) | Microsoft Store for Business manages permissions with a set of roles. You can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md) and to groups.|
 | [Understand your invoice](billing-understand-your-invoice-msfb.md) | Information on invoices for products and services bought under the Microsoft Customer Agreement.|
-
-
diff --git a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
index ab89a344ff..792c6de5e0 100644
--- a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
+++ b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
@@ -27,22 +27,26 @@ ms.date: 05/24/2023
 
 Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md), but not to groups.
 
-## Why Azure AD accounts?
+<a name='why-azure-ad-accounts'></a>
+
+## Why Microsoft Entra accounts?
 For organizations planning to use the private store feature with Store for Business, we recommend that you also configure cloud domain join. This provides a seamless integration between the identity your admin and employees will use to sign in to Windows and Microsoft Store for Business.
 
-Azure AD is an Azure service that provides identity and access management capabilities using the cloud. It is primarily designed to provide this service for cloud- or web-based applications that need to access your local Active Directory information. Azure AD identity and access management includes:
+Microsoft Entra ID is an Azure service that provides identity and access management capabilities using the cloud. It is primarily designed to provide this service for cloud- or web-based applications that need to access your local Active Directory information. Microsoft Entra identity and access management includes:
 
 - Single sign-on to any cloud and on-premises web app.
 - Works with multiple platforms and devices.
 - Integrate with on-premises Active Directory.
 
-For more information on Azure AD, see [About Office 365 and Azure Active Directory](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
+For more information on Microsoft Entra ID, see [About Office 365 and Microsoft Entra ID](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
 
-## Add user accounts to your Azure AD directory
-If you created a new Azure AD directory when you signed up for Store for Business, you'll have a directory set up with one user account - the global administrator. That global administrator can add user accounts to your Azure AD directory. However, adding user accounts to your Azure AD directory will not give those employees access to Store for Business. You'll need to assign Store for Business roles to your employees. For more information, see [Roles and permissions in the Store for Business.](roles-and-permissions-microsoft-store-for-business.md)
+<a name='add-user-accounts-to-your-azure-ad-directory'></a>
 
-You can use the [Office 365 admin dashboard](https://portal.office.com/adminportal) or [Azure management portal](https://portal.azure.com/) to add user accounts to your Azure AD directory. If you'll be using Azure management portal, you'll need an active subscription to [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=708617).
+## Add user accounts to your Microsoft Entra directory
+If you created a new Microsoft Entra directory when you signed up for Store for Business, you'll have a directory set up with one user account - the global administrator. That global administrator can add user accounts to your Microsoft Entra directory. However, adding user accounts to your Microsoft Entra directory will not give those employees access to Store for Business. You'll need to assign Store for Business roles to your employees. For more information, see [Roles and permissions in the Store for Business.](roles-and-permissions-microsoft-store-for-business.md)
+
+You can use the [Office 365 admin dashboard](https://portal.office.com/adminportal) or [Azure management portal](https://portal.azure.com/) to add user accounts to your Microsoft Entra directory. If you'll be using Azure management portal, you'll need an active subscription to [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=708617).
 
 For more information, see:
 - [Add user accounts using Office 365 admin dashboard](/microsoft-365/admin/add-users)
-- [Add user accounts using Azure management portal](/azure/active-directory/fundamentals/add-users-azure-active-directory)
\ No newline at end of file
+- [Add user accounts using Azure management portal](/azure/active-directory/fundamentals/add-users-azure-active-directory)
diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md
index af54ebd7c7..2cd07840b0 100644
--- a/store-for-business/microsoft-store-for-business-education-powershell-module.md
+++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md
@@ -36,7 +36,7 @@ You can use the PowerShell module to:
 - Perform bulk operations with .csv files - automates license management for customers with larger numbers of licenses
 
 >[!NOTE]
->Assigning apps to groups is not supported via this module. Instead, we recommend leveraging the Azure Active Directory Or MSOnline Modules to save members of a group to a CSV file and follow instructions below on how to use CSV file to manage assignments.
+>Assigning apps to groups is not supported via this module. Instead, we recommend leveraging the Microsoft Entra ID Or MSOnline Modules to save members of a group to a CSV file and follow instructions below on how to use CSV file to manage assignments.
 
 ## Requirements
 To use the Microsoft Store for Business and Education PowerShell module, you'll need:
diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
index 51d26aea04..bb6d16110b 100644
--- a/store-for-business/microsoft-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -36,7 +36,7 @@ Designed for organizations, Microsoft Store for Business and Microsoft Store for
 ## Features
 Organizations or schools of any size can benefit from using Microsoft Store for Business or Microsoft Store for Education:
 
-- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts or Office 365 accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate Microsoft Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
+- **Scales to fit the size of your business** - For smaller businesses, with Microsoft Entra accounts or Office 365 accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate Microsoft Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
 - **Bulk app acquisition** - Acquire apps in volume from Microsoft Store for Business.
 - **Centralized management** – Microsoft Store provides centralized management for inventory, billing, permissions, and order history. You can use Microsoft Store to view, manage and distribute items purchased from:
     - **Microsoft Store for Business** – Apps acquired from Microsoft Store for Business
@@ -63,21 +63,21 @@ You'll need this software to work with Store for Business and Education.
 - Admins working with Store for Business and Education need a browser compatible with Microsoft Store running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, or current versions of Microsoft Edge, Chrome or Firefox. JavaScript must be supported and enabled.
 - Employees using apps from Store for Business and Education need at least Windows 10, version 1511 running on a PC or mobile device.
 
-Microsoft Azure Active Directory (AD) accounts for your employees:
+Microsoft Entra accounts for your employees:
 
-- Admins need Azure AD accounts to sign up for Store for Business and Education, and then to sign in, get apps, distribute apps, and manage app licenses. You can sign up for Azure AD accounts as part of signing up for Store for Business and Education.
-- Employees need Azure AD account when they access Store for Business content from Windows devices.
-- If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account
-- For offline-licensed apps, Azure AD accounts are not required for employees.
+- Admins need Microsoft Entra accounts to sign up for Store for Business and Education, and then to sign in, get apps, distribute apps, and manage app licenses. You can sign up for Microsoft Entra accounts as part of signing up for Store for Business and Education.
+- Employees need Microsoft Entra account when they access Store for Business content from Windows devices.
+- If you use a management tool to distribute and manage online-licensed apps, all employees will need a Microsoft Entra account
+- For offline-licensed apps, Microsoft Entra accounts are not required for employees.
 - Admins can add or remove user accounts in the Microsoft 365 admin center, even if you don't have an Office 365 subscription. You can access the Office 365 admin portal directly from the Store for Business and Education. 
 
-For more information on Azure AD, see [About Office 365 and Azure Active Directory](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
+For more information on Microsoft Entra ID, see [About Office 365 and Microsoft Entra ID](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
 
 ### Optional
 
 While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. A couple of things to note about management tools:
 
-- Need to integrate with Windows 10 management framework and Azure AD.
+- Need to integrate with Windows 10 management framework and Microsoft Entra ID.
 - Need to sync with the Store for Business inventory to distribute apps.
 
 ## How does the Store for Business and Education work?
@@ -88,7 +88,7 @@ The first step for getting your organization started with Store for Business and
 
 ## Set up
 
-After your admin signs up for the Store for Business and Education, they can assign roles to other employees in your company or school. The admin needs Azure AD User Admin permissions to assign Microsoft Store for Business and Education roles. These are the roles and their permissions.
+After your admin signs up for the Store for Business and Education, they can assign roles to other employees in your company or school. The admin needs Microsoft Entra user Admin permissions to assign Microsoft Store for Business and Education roles. These are the roles and their permissions.
 
 | Permission | Account settings | Acquire apps | Distribute apps | Device Guard signing |
 | ---------- | ---------------- | ------------ | --------------- | -------------------- |
@@ -100,13 +100,13 @@ After your admin signs up for the Store for Business and Education, they can ass
 > [!NOTE]
 > Currently, the Basic purchaser role is only available for schools using Microsoft Store for Education. For more information, see [Microsoft Store for Education permissions](/education/windows/education-scenarios-store-for-business?toc=%2fmicrosoft-store%2feducation%2ftoc.json#manage-domain-settings).
 
-In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](manage-users-and-groups-microsoft-store-for-business.md).
+In some cases, admins will need to add Microsoft Entra accounts for their employees. For more information, see [Manage user accounts and groups](manage-users-and-groups-microsoft-store-for-business.md).
 
 Also, if your organization plans to use a management tool, you'll need to configure your management tool to sync with Store for Business and Education.
 
 ## Get apps and content
 
-Once signed in to the Microsoft Store, you can browse and search for all products in the Store for Business and Education catalog. Some apps are free,and some apps charge a price. We're continuing to add more paid apps to the Store for Business and Education. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card, and some items can be paid for with an invoice. We'll be adding more payment options over time. 
+Once signed in to the Microsoft Store, you can browse and search for all products in the Store for Business and Education catalog. Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business and Education. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card, and some items can be paid for with an invoice. We'll be adding more payment options over time. 
 
 **App types** - These app types are supported in the Store for Business and Education:
 
@@ -130,7 +130,7 @@ App distribution is handled through two channels, either through the Microsoft S
 **Distribute with Store for Business and Education**:
 - Email link – After purchasing an app, Admins can send employees a link in an email message. Employees can click the link to install the app.
 - Curate private store for all employees – A private store can include content you've purchased from Microsoft Store for Business, and your line-of-business apps that you've submitted to Microsoft Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed.
-- To use the options above users must be signed in with an Azure AD account on a Windows 10 device. Licenses are assigned as individuals install apps. 
+- To use the options above users must be signed in with a Microsoft Entra account on a Windows 10 device. Licenses are assigned as individuals install apps. 
 
 **Using a management tool** – For larger organizations that want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options:
 - Scoped content distribution – Ability to scope content distribution to specific groups of employees.
@@ -244,7 +244,6 @@ Store for Business and Education is currently available in these markets.
 - Liechtenstein
 - Lithuania
 - Luxembourg
-- Macedonia
 - Madagascar
 - Malawi
 - Malaysia
@@ -268,6 +267,7 @@ Store for Business and Education is currently available in these markets.
 - New Zealand
 - Nicaragua
 - Nigeria
+- North Macedonia
 - Norway
 - Oman
 - Pakistan
@@ -310,7 +310,7 @@ Store for Business and Education is currently available in these markets.
 - Tonga
 - Trinidad and Tobago
 - Tunisia
-- Turkey
+- Türkiye
 - Turks and Caicos Islands
 - Uganda
 - United Arab Emirates
@@ -366,7 +366,7 @@ This table summarize what customers can purchase, depending on which Microsoft S
 
 ## Privacy notice
 
-Store for Business and Education services get names and email addresses of people in your organization from Azure Active Directory. This information is needed for these admin functions:
+Store for Business and Education services get names and email addresses of people in your organization from Microsoft Entra ID. This information is needed for these admin functions:
 - Granting and managing permissions
 - Managing app licenses 
 - Distributing apps to people (names appear in a list that admins can select from)
@@ -386,4 +386,4 @@ Developers in your organization, or ISVs can create content specific to your org
 
 Once the app is in inventory, admins can choose how to distribute the app. ISVs creating apps through the dev center can make their apps available in Store for Business and Education. ISVs can opt-in their apps to make them available for offline licensing. Apps purchased in Store for Business and Education will work only on Windows 10.
 
-For more information on line-of-business apps, see [Working with Line-of-Business apps](working-with-line-of-business-apps.md).
\ No newline at end of file
+For more information on line-of-business apps, see [Working with Line-of-Business apps](working-with-line-of-business-apps.md).
diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md
index 08a23b9119..e1edf848cc 100644
--- a/store-for-business/notifications-microsoft-store-business.md
+++ b/store-for-business/notifications-microsoft-store-business.md
@@ -32,7 +32,7 @@ Microsoft Store for Business and Microsoft Store for Education use a set of noti
 
 | Store area | Notification message | Customer impact |
 | ---------- | -------------------- | --------------- |
-| General | We're on it. Something happened on our end with the Store. Waiting a bit might help. | You might be unable to sign in. There might be an intermittent Azure AD outage. |
+| General | We're on it. Something happened on our end with the Store. Waiting a bit might help. | You might be unable to sign in. There might be an intermittent Microsoft Entra outage. |
 | Manage | We're on it. Something happened on our end with management for apps and software. We're working to fix the problem. | You might be unable to manage inventory, including viewing inventory, distributing apps, assigning licenses, or viewing and managing order history.  |
 | Shop | We're on it. Something happened on our end with purchasing. We're working to fix the problem. | Shop might not be available. You might not be able to purchase new, or additional licenses. |
 | Private store | We're on it. Something happened on our end with your organization's private store. People in your organization can't download apps right now. We're working to fix the problem. | People in your organization might not be able to view the private store, or get apps. |
diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md
index 3543e2ade4..1d519c7d26 100644
--- a/store-for-business/prerequisites-microsoft-store-for-business.md
+++ b/store-for-business/prerequisites-microsoft-store-for-business.md
@@ -42,18 +42,18 @@ You'll need this software to work with Microsoft Store for Business or Education
 -   IT Pros that are administering Microsoft Store for Business and Education need a browser compatible with Microsoft Store for Business and Education running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox. Javascript needs to be supported and enabled. 
 -   Employees using apps from Microsoft Store for Business and Education need at least Windows 10, version 1511 running on a PC or mobile device.
 
-Microsoft Azure Active Directory (AD) or Office 365 accounts for your employees:
--   IT Pros need Azure AD or Office 365 accounts to sign up for Microsoft Store for Business and Education, and then to sign in, get apps, distribute apps, and manage app licenses.
--   Employees need Azure AD accounts when they access Microsoft Store for Business or Education content from Windows-based devices.
--   If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account.
+Microsoft Entra ID or Office 365 accounts for your employees:
+-   IT Pros need Microsoft Entra ID or Office 365 accounts to sign up for Microsoft Store for Business and Education, and then to sign in, get apps, distribute apps, and manage app licenses.
+-   Employees need Microsoft Entra accounts when they access Microsoft Store for Business or Education content from Windows-based devices.
+-   If you use a management tool to distribute and manage online-licensed apps, all employees will need a Microsoft Entra account.
 
-For more information on Azure AD, see [About Office 365 and Azure Active Directory](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
+For more information on Microsoft Entra ID, see [About Office 365 and Microsoft Entra ID](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
 
 ### Optional
 
 While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. If you're considering using management tools, check with the management tool vendor to see if they support Microsoft Store for Business and Education. The management tool will need to:
 
--   Integrate with the Windows 10 management framework and Azure AD.
+-   Integrate with the Windows 10 management framework and Microsoft Entra ID.
 -   Sync with Microsoft Store for Business and Education inventory to distribute apps.
 
 ## Proxy configuration
@@ -73,4 +73,3 @@ If your organization restricts computers on your network from connecting to the
   starting with Windows 10, version 1607)
  
 Store for Business requires Microsoft Windows HTTP Services (WinHTTP) to install, or update apps.
-
diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
index 9ac3ce2446..842c7e3e8e 100644
--- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md
+++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
@@ -1,6 +1,6 @@
 ---
 title: Roles and permissions in Microsoft Store for Business and Education (Windows 10)
-description: The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees.
+description: The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Microsoft Entra tenant. Once the Global Admin has signed in, they can give permissions to others employees.
 keywords: roles, permissions
 ms.assetid: CB6281E1-37B1-4B8B-991D-BC5ED361F1EE
 ms.reviewer: 
@@ -29,9 +29,9 @@ ms.date: 05/24/2023
 > [!NOTE]
 > As of April 14th, 2021, only free apps are available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
 
-The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees.
+The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Microsoft Entra tenant. Once the Global Admin has signed in, they can give permissions to others employees.
 
-Microsoft Store for Business and Education has a set of roles that help admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access the Store. Global Administrators and global user accounts that are used with other Microsoft services, such as Azure, or Office 365 can sign in to Microsoft Store. Global user accounts have some permissions in Microsoft Store, and Microsoft Store has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store.
+Microsoft Store for Business and Education has a set of roles that help admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Microsoft Entra account to access the Store. Global Administrators and global user accounts that are used with other Microsoft services, such as Azure, or Office 365 can sign in to Microsoft Store. Global user accounts have some permissions in Microsoft Store, and Microsoft Store has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store.
 
 ## Global user account permissions in Microsoft Store
 
@@ -49,7 +49,7 @@ This table lists the global user accounts and the permissions they have in Micro
 
 ## Microsoft Store roles and permissions
 
-Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store.
+Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Microsoft Entra account to access Microsoft Store.
 
 This table lists the roles and their permissions.
 
@@ -100,4 +100,4 @@ These permissions allow people to:
 
     <!--- ![Image showing Assign roles to people box in Microsoft Store for Business.](images/wsfb-permissions-assignrole.png) -->
 
-4. If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md).
\ No newline at end of file
+4. If you don't find the name you want, you might need to add people to your Microsoft Entra directory. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md).
diff --git a/store-for-business/settings-reference-microsoft-store-for-business.md b/store-for-business/settings-reference-microsoft-store-for-business.md
index a5b192031e..365a4304f2 100644
--- a/store-for-business/settings-reference-microsoft-store-for-business.md
+++ b/store-for-business/settings-reference-microsoft-store-for-business.md
@@ -32,7 +32,7 @@ The Microsoft Store for Business and Education has a group of settings that admi
 | Allow users to shop  | Configure whether or not people in your organization or school can see and use the shop function in Store for Business or Store for Education. For more information, see [Allow users to shop](acquire-apps-microsoft-store-for-business.md#allow-users-to-shop). | **Settings - Shop** |
 | Make everyone a Basic Purchaser  | Allow everyone in your organization to automatically become a Basic Purchaser. This allows them to purchase apps and manage them. For more information, see [Make everyone a Basic Purchaser](/education/windows/education-scenarios-store-for-business#basic-purchaser-role). | **Settings - Shop** |
 | App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-microsoft-store-for-business.md). | **Settings - Shop** |
-| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md). | **Settings - Distribute** |
+| Management tools | Management tools that are synced with Microsoft Entra ID are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md). | **Settings - Distribute** |
 | Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Settings - Devices**  |
 | Permissions   | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md). | **Permissions - Roles**, **Permissions - Purchasing roles**, and **Permissions - Blocked basic purchasers** |
 | Line-of-business (LOB) publishers  | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions - Line-of-business apps** |
diff --git a/store-for-business/sign-up-microsoft-store-for-business-overview.md b/store-for-business/sign-up-microsoft-store-for-business-overview.md
index d1139f7ada..7a1837372b 100644
--- a/store-for-business/sign-up-microsoft-store-for-business-overview.md
+++ b/store-for-business/sign-up-microsoft-store-for-business-overview.md
@@ -36,5 +36,5 @@ IT admins can sign up for Microsoft Store for Business and Education, and get st
 | ----- | ----------- |
 | [Microsoft Store for Business and Education overview](./microsoft-store-for-business-overview.md) | Learn about Microsoft Store for Business. |
 | [Prerequisites for Microsoft Store for Business and Education](./prerequisites-microsoft-store-for-business.md) | There are a few prerequisites for using [Microsoft Store for Business and Education.](/microsoft-store/prerequisites-microsoft-store-for-business) |
-| [Roles and permissions in Microsoft Store for Business and Education](./roles-and-permissions-microsoft-store-for-business.md)| The first person to sign in to Microsoft Store for Business and Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. |
+| [Roles and permissions in Microsoft Store for Business and Education](./roles-and-permissions-microsoft-store-for-business.md)| The first person to sign in to Microsoft Store for Business and Education must be a Global Admin of the Microsoft Entra tenant. Once the Global Admin has signed in, they can give permissions to others employees. |
 | [Settings reference: Microsoft Store for Business and Education](./settings-reference-microsoft-store-for-business.md) | Microsoft Store for Business and Education has a group of settings that admins use to manage the store. |
diff --git a/store-for-business/update-microsoft-store-for-business-account-settings.md b/store-for-business/update-microsoft-store-for-business-account-settings.md
index ea6dd9e359..03b03469ee 100644
--- a/store-for-business/update-microsoft-store-for-business-account-settings.md
+++ b/store-for-business/update-microsoft-store-for-business-account-settings.md
@@ -37,7 +37,7 @@ Before purchasing apps that have a fee, you need to add or update your organizat
 
 We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we'll use the same address in Microsoft Store for Business and Microsoft Store for Education. If we don't have an address, we'll ask you to enter it during your first purchase.
 
-We need an email address in case we need to contact you about your Microsoft Store for Business and for Education account. This email account should reach the admin for your organization's Office 365 or Azure AD tenant that is used with Microsoft Store.
+We need an email address in case we need to contact you about your Microsoft Store for Business and for Education account. This email account should reach the admin for your organization's Office 365 or Microsoft Entra tenant that is used with Microsoft Store.
 
 **To update billing account information**
 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com)
@@ -143,4 +143,4 @@ Admins can decide whether or not offline licenses are shown for apps in Microsof
 You have the following distribution options for offline-licensed apps:
 - Include the app in a provisioning package, and then use it as part of imaging a device.
 - Distribute the app through a management tool.
-For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-with-management-tool.md). -->
\ No newline at end of file
+For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-with-management-tool.md). -->
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index b8d3bddc46..8b50896c5a 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -60,7 +60,10 @@
         "jborsecnik",
         "tiburd",
         "garycentric",
-        "beccarobins"
+        "beccarobins",
+        "Stacyrch140",
+        "v-stsavell",
+        "American-Dipper"
       ],
       "searchScope": ["Windows 10"]
     },
diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
index 93ceaacb2c..cb4377d22d 100644
--- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
+++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
@@ -63,7 +63,7 @@ To install the Company Portal app, you have some options:
   - [What is co-management?](/mem/configmgr/comanage/overview)
   - [Use the Company Portal app on co-managed devices](/mem/configmgr/comanage/company-portal)
 
-- **Use Windows Autopilot**: Windows Autopilot automatically provisions devices, registers them in your Azure AD organization (tenant), and gets them ready for production. If you're purchasing new devices, then we recommend using Windows Autopilot to preconfigure the devices, and get them ready for use.
+- **Use Windows Autopilot**: Windows Autopilot automatically provisions devices, registers them in your Microsoft Entra organization (tenant), and gets them ready for production. If you're purchasing new devices, then we recommend using Windows Autopilot to preconfigure the devices, and get them ready for use.
 
   - In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you add the Company Portal app from the Microsoft Store. Once it's added, the app can be included in your Windows Autopilot deployment. When the device turns on and is getting ready, the Company Portal app is also installed, before users sign in.
 
diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md
index 7f11d203d5..efb65c5991 100644
--- a/windows/client-management/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/azure-active-directory-integration-with-mdm.md
@@ -1,6 +1,6 @@
 ---
-title: Azure Active Directory integration with MDM
-description: Azure Active Directory is the world's largest enterprise cloud identity management service.
+title: Microsoft Entra integration with MDM
+description: Microsoft Entra ID is the world's largest enterprise cloud identity management service.
 ms.topic: article
 ms.collection:
 - highpri
@@ -8,90 +8,94 @@ ms.collection:
 ms.date: 08/10/2023
 ---
 
-# Azure Active Directory integration with MDM
+# Microsoft Entra integration with MDM
 
-Azure Active Directory is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow.
+Microsoft Entra ID is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Microsoft Entra ID as the underlying identity infrastructure. Windows integrates with Microsoft Entra ID, allowing devices to be registered in Microsoft Entra ID and enrolled into MDM in an integrated flow.
 
 Once a device is enrolled in MDM, the MDM:
 
 - Can enforce compliance with organization policies, add or remove apps, and more.
-- Can report a device's compliance in Azure AD.
-- Azure AD can allow access to organization resources or applications secured by Azure AD to devices that comply with policies.
+- Can report a device's compliance in Microsoft Entra ID.
+- Microsoft Entra ID can allow access to organization resources or applications secured by Microsoft Entra ID to devices that comply with policies.
 
-To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD.
+To support these rich experiences with their MDM product, MDM vendors can integrate with Microsoft Entra ID.
 
 ## Integrated MDM enrollment and UX
 
-There are several ways to connect your devices to Azure AD:
+There are several ways to connect your devices to Microsoft Entra ID:
 
-- [Join device to Azure AD](/azure/active-directory/devices/concept-azure-ad-join)
-- [Join device to on-premises AD and Azure AD](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
+- [Join device to Microsoft Entra ID](/azure/active-directory/devices/concept-azure-ad-join)
+- [Join device to on-premises AD and Microsoft Entra ID](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
 - [Add a Microsoft work account to Windows](/azure/active-directory/devices/concept-azure-ad-register)
 
-In each scenario, Azure AD authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. The enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and bring-your-own-device (BYOD) devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN.
+In each scenario, Microsoft Entra authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. The enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and bring-your-own-device (BYOD) devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN.
 
-In Windows 10, the web view during the out-of-the-box scenario is displayed as full-screen by default, providing MDM vendors with the capability to create a seamless edge-to-edge user experience. However, in Windows 11 the web view is rendered within an iframe. It's important that MDM vendors who integrate with Azure AD respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article.
+In Windows 10, the web view during the out-of-the-box scenario is displayed as full-screen by default, providing MDM vendors with the capability to create a seamless edge-to-edge user experience. However, in Windows 11 the web view is rendered within an iframe. It's important that MDM vendors who integrate with Microsoft Entra ID respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article.
 
-For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service. For more information, see [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
+For Microsoft Entra enrollment to work for an Active Directory Federated Services (AD FS) backed Microsoft Entra account, you must enable password authentication for the intranet on the ADFS service. For more information, see [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
 
-Once a user has an Azure AD account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Access work or school**. Device management of either Azure AD Join for organization scenarios or BYOD scenarios is similar.
+Once a user has a Microsoft Entra account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Access work or school**. Device management of either Microsoft Entra join for organization scenarios or BYOD scenarios is similar.
 
 > [!NOTE]
-> Users can't remove the device enrollment through the **Access work or school** user interface because management is tied to the Azure AD or work account.
+> Users can't remove the device enrollment through the **Access work or school** user interface because management is tied to the Microsoft Entra ID or work account.
 
-### MDM endpoints involved in Azure AD integrated enrollment
+<a name='mdm-endpoints-involved-in-azure-ad-integrated-enrollment'></a>
 
-Azure AD MDM enrollment is a two-step process:
+### MDM endpoints involved in Microsoft Entra integrated enrollment
+
+Microsoft Entra MDM enrollment is a two-step process:
 
 1. Display the Terms of Use and gather user consent: This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM.
 1. Enroll the device: This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device.
 
-To support Azure AD enrollment, MDM vendors must host and expose a **Terms of Use endpoint** and an **MDM enrollment endpoint**.
+To support Microsoft Entra enrollment, MDM vendors must host and expose a **Terms of Use endpoint** and an **MDM enrollment endpoint**.
 
 - **Terms of Use endpoint**: Use this endpoint to inform users of the ways in which their organization can control their device. The **Terms of Use** page is responsible for collecting user's consent before the actual enrollment phase begins.
 
-    It's important to understand the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies.
+    It's important to understand the Terms of Use flow is an "opaque box" to Windows and Microsoft Entra ID. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies.
 
-    The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. It's not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
+    The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. It's not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Microsoft Entra ID.
 
-- **MDM enrollment endpoint**: After the users accept the Terms of Use, the device is registered in Azure AD. Automatic MDM enrollment begins.
+- **MDM enrollment endpoint**: After the users accept the Terms of Use, the device is registered in Microsoft Entra ID. Automatic MDM enrollment begins.
 
-    The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
+    The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Microsoft Entra ID. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Microsoft Entra ID (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Microsoft Entra ID. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
 
-    [![azure ad enrollment flow](images/azure-ad-enrollment-flow.png)](images/azure-ad-enrollment-flow.png#lightbox)
+    [![Microsoft Entra enrollment flow](images/azure-ad-enrollment-flow.png)](images/azure-ad-enrollment-flow.png#lightbox)
 
-    The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article.
+    The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Microsoft Entra ID using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article.
 
-## Make MDM a reliable party of Azure AD
+<a name='make-mdm-a-reliable-party-of-azure-ad'></a>
 
-To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Azure AD. To report compliance with Azure AD, the MDM must authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api).
+## Make MDM a reliable party of Microsoft Entra ID
+
+To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Microsoft Entra ID. To report compliance with Microsoft Entra ID, the MDM must authenticate itself to Microsoft Entra ID and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api).
 
 ### Cloud-based MDM
 
-A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
+A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Microsoft Entra ID in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
 
-The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. For more information about how to add multi-tenant applications to Azure AD, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multi-tenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub.
+The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. For more information about how to add multi-tenant applications to Microsoft Entra ID, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multi-tenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub.
 
 > [!NOTE]
-> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow these step-by-step guides:
+> For the MDM provider, if you don't have an existing Microsoft Entra tenant with a Microsoft Entra subscription that you manage, follow these step-by-step guides:
 >
-> - [Quickstart: Create a new tenant in Azure Active Directory](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to set up a tenant.
-> - [Associate or add an Azure subscription to your Azure Active Directory tenant](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to add a subscription, and manage it via the Azure Portal.
+> - [Quickstart: Create a new tenant in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to set up a tenant.
+> - [Associate or add an Azure subscription to your Microsoft Entra tenant](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to add a subscription, and manage it via the Azure Portal.
 
-The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, in the customer tenant where the managed device belongs.
+The MDM application uses keys to request access tokens from Microsoft Entra ID. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Microsoft Entra ID, in the customer tenant where the managed device belongs.
 
 > [!NOTE]
-> All MDM apps must implement Azure AD V2 tokens before we certify that integration works. Due to changes in the Azure AD app platform, using Azure AD V2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats).
+> All MDM apps must implement Microsoft Entra v2 tokens before we certify that integration works. Due to changes in the Microsoft Entra app platform, using Microsoft Entra v2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats).
 
 ### On-premises MDM
 
-An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. Also, each instance of an on-premises MDM application must be registered separately and have a separate key for authentication with Azure AD.
+An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. Also, each instance of an on-premises MDM application must be registered separately and have a separate key for authentication with Microsoft Entra ID.
 
-To add an on-premises MDM application to the tenant, use the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application** > **Create your own application**. Administrators can configure the required URLs for enrollment and Terms of Use.
+To add an on-premises MDM application to the tenant, use the Microsoft Entra service, specifically under **Mobility (MDM and MAM)** > **Add application** > **Create your own application**. Administrators can configure the required URLs for enrollment and Terms of Use.
 
-Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance.
+Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Microsoft Entra ID when reporting device compliance.
 
-For more information about registering applications with Azure AD, see [Basics of Registering an Application in Azure AD](/previous-versions/azure/dn499820(v=azure.100)).
+For more information about registering applications with Microsoft Entra ID, see [Basics of Registering an Application in Microsoft Entra ID](/previous-versions/azure/dn499820(v=azure.100)).
 
 ### Key management and security guidelines
 
@@ -99,22 +103,24 @@ The application keys used by your MDM service are a sensitive resource. They sho
 
 For security best practices, see [Microsoft Azure Security Essentials](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
 
-For cloud-based MDM, you can roll over the application keys without requiring a customer interaction. There's a single set of keys across all customer tenants managed by the MDM vendor in their Azure AD tenant.
+For cloud-based MDM, you can roll over the application keys without requiring a customer interaction. There's a single set of keys across all customer tenants managed by the MDM vendor in their Microsoft Entra tenant.
 
-For the on-premises MDM, the Azure AD authentication keys are within the customer tenant and the customer's administrator must roll over the keys. To improve security, provide guidance to customers about rolling over and protecting the keys.
+For the on-premises MDM, the Microsoft Entra authentication keys are within the customer tenant and the customer's administrator must roll over the keys. To improve security, provide guidance to customers about rolling over and protecting the keys.
 
-## Publish your MDM app to Azure AD app gallery
+<a name='publish-your-mdm-app-to-azure-ad-app-gallery'></a>
 
-IT administrators use the Azure AD app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Azure AD.
+## Publish your MDM app to Microsoft Entra app gallery
+
+IT administrators use the Microsoft Entra app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Microsoft Entra ID.
 
 ### Add cloud-based MDM to the app gallery
 
 > [!NOTE]
-> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application
+> You should work with the Microsoft Entra engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application
 
-To publish your application, [submit a request to publish your application in Azure Active Directory application gallery](/azure/active-directory/manage-apps/v2-howto-app-gallery-listing)
+To publish your application, [submit a request to publish your application in Microsoft Entra application gallery](/azure/active-directory/manage-apps/v2-howto-app-gallery-listing)
 
-The following table shows the required information to create an entry in the Azure AD app gallery.
+The following table shows the required information to create an entry in the Microsoft Entra app gallery.
 
 | Item                | Description                                                                                                                                                                                                    |
 |---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -132,12 +138,12 @@ However, key management is different for on-premises MDM. You must obtain the cl
 
 ## Themes
 
-The pages rendered by the MDM in the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). These templates are important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Avoid copying the templates because it is difficult to get the button placement right.
+The pages rendered by the MDM in the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). These templates are important for enrollment during the Microsoft Entra join experience in OOBE where all of the pages are edge-to-edge HTML pages. Avoid copying the templates because it is difficult to get the button placement right.
 
 There are three distinct scenarios:
 
-1. MDM enrollment as part of Azure AD Join in Windows OOBE.
-1. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**.
+1. MDM enrollment as part of Microsoft Entra join in Windows OOBE.
+1. MDM enrollment as part of Microsoft Entra join, after Windows OOBE from **Settings**.
 1. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD).
 
 These scenarios support Windows Pro, Enterprise, and Education.
@@ -158,7 +164,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is
 
 ## Terms of Use protocol semantics
 
-The MDM server hosts the **Terms of Use** endpoint. During the Azure AD Join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue.
+The MDM server hosts the **Terms of Use** endpoint. During the Microsoft Entra join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue.
 
 ### Redirect to the Terms of Use endpoint
 
@@ -175,7 +181,7 @@ The following parameters are passed in the query string:
 
 ### Access token
 
-Azure AD issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format:
+Microsoft Entra ID issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format:
 
 **Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw...
 
@@ -200,7 +206,7 @@ https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm
 Authorization: Bearer eyJ0eXAiOi
 ```
 
-The MDM is expected to validate the signature of the access token to ensure it is issued by Azure AD and that the recipient is appropriate.
+The MDM is expected to validate the signature of the access token to ensure it is issued by Microsoft Entra ID and that the recipient is appropriate.
 
 ### Terms of Use content
 
@@ -225,7 +231,7 @@ At this point, the user is on the Terms of Use page shown during the OOBE or fro
   - **IsAccepted** - This Boolean value is required, and must be set to false. This option also applies if the user skipped the Terms of Use.
   - **OpaqueBlob** - This parameter isn't expected to be used. The enrollment is stopped with an error message shown to the user.
 
-Users skip the Terms of Use when they're adding a Microsoft work account to their device. However, they can't skip it during the Azure AD Join process. Don't show the decline button in the Azure AD Join process. The user can't decline the MDM enrollment if configured by the administrator for the Azure AD Join.
+Users skip the Terms of Use when they're adding a Microsoft work account to their device. However, they can't skip it during the Microsoft Entra join process. Don't show the decline button in the Microsoft Entra join process. The user can't decline the MDM enrollment if configured by the administrator for the Microsoft Entra join.
 
 We recommend that you send the client-request-id parameters in the query string as part of this redirect response.
 
@@ -251,14 +257,16 @@ The following table shows the error codes.
 |--------------------------------------------------------------------------------------------------|-------------|---------------------|-----------------------------|
 | api-version                                                                                      | 302         | invalid_request     | unsupported version         |
 | Tenant or user data are missing or other required prerequisites for device enrollment aren't met | 302         | unauthorized_client | unauthorized user or tenant |
-| Azure AD token validation failed                                                                 | 302         | unauthorized_client | unauthorized_client         |
+| Microsoft Entra token validation failed                                                                 | 302         | unauthorized_client | unauthorized_client         |
 | internal service error                                                                           | 302         | server_error        | internal service error      |
 
-## Enrollment protocol with Azure AD
+<a name='enrollment-protocol-with-azure-ad'></a>
+
+## Enrollment protocol with Microsoft Entra ID
 
 With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.
 
-|Detail|Traditional MDM enrollment|Azure AD Join (organization-owned device)|Azure AD adds a work account (user-owned device)|
+|Detail|Traditional MDM enrollment|Microsoft Entra join (organization-owned device)|Microsoft Entra ID adds a work account (user-owned device)|
 |--- |--- |--- |--- |
 |MDM auto-discovery using email address to retrieve MDM discovery URL|Enrollment|Not applicable<br>Discovery URL provisioned in Azure||
 |Uses MDM discovery URL|Enrollment<br>Enrollment renewal<br>ROBO|Enrollment<br>Enrollment renewal<br>ROBO|Enrollment<br>Enrollment renewal<br>ROBO|
@@ -268,7 +276,7 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove
 |EnrollmentServiceURL|Required (all auth)|Used (all auth)|Used (all auth)|
 |EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL|Highly recommended|Highly recommended|Highly recommended|
 |AuthenticationServiceURL used|Used (Federated auth)|Skipped|Skipped|
-|BinarySecurityToken|Custom per MDM|Azure AD issued token|Azure AD issued token|
+|BinarySecurityToken|Custom per MDM|Microsoft Entra ID issued token|Microsoft Entra ID issued token|
 |EnrollmentType|Full|Device|Full|
 |Enrolled certificate type|User certificate|Device certificate|User certificate|
 |Enrolled certificate store|My/User|My/System|My/User|
@@ -276,41 +284,45 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove
 |EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL|Not supported|Supported|Supported|
 |CSPs accessible during enrollment|Windows 10 support: <br/>- DMClient <br/>- CertificateStore <br/>- RootCATrustedCertificates <br/> - ClientCertificateInstall <br/>- EnterpriseModernAppManagement <br/> - PassportForWork <br/> - Policy <br/> - w7 APPLICATION|||
 
-## Management protocol with Azure AD
+<a name='management-protocol-with-azure-ad'></a>
 
-There are two different MDM enrollment types that integrate with Azure AD, and use Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
+## Management protocol with Microsoft Entra ID
 
-- **Multiple user management for Azure AD-joined devices**
+There are two different MDM enrollment types that integrate with Microsoft Entra ID, and use Microsoft Entra user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
 
-  In this scenario, the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest is logged on to the device.
+- **Multiple user management for Microsoft Entra joined devices**
+
+  In this scenario, the MDM enrollment applies to every Microsoft Entra user who signs in to the Microsoft Entra joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Microsoft Entra user tokens. Each management session contains an extra HTTP header that contains a Microsoft Entra user token. This information is provided in the DM package sent to the management server. However, in some circumstances Microsoft Entra user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Microsoft Entra join process. Until Microsoft Entra join process is finished and Microsoft Entra user signs on to the machine, Microsoft Entra user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Microsoft Entra user sign in to machine and the initial management session doesn't contain a Microsoft Entra user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Microsoft Entra token in the OMA-DM payload is when a guest is logged on to the device.
 
 - **Adding a work account and MDM enrollment to a device**:
 
-  In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
+  In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. In this enrollment type, the management server can ignore Microsoft Entra tokens that may be sent over during management session. Whether Microsoft Entra token is present or missing, the management server sends both user and device policies to the device.
 
-- **Evaluating Azure AD user tokens**:
+- **Evaluating Microsoft Entra user tokens**:
 
-  The Azure AD token is in the HTTP Authorization header in the following format:
+  The Microsoft Entra token is in the HTTP Authorization header in the following format:
 
   ```console
   Authorization:Bearer <Azure AD User Token Inserted here>
   ```
 
-  More claims may be present in the Azure AD token, such as:
+  More claims may be present in the Microsoft Entra token, such as:
 
   - User - user currently logged in
   - Device compliance - value set the MDM service into Azure
   - Device ID - identifies the device that is checking in
   - Tenant ID
 
-  Access tokens issued by Azure AD are JSON web tokens (JWTs). Windows presents a valid JWT token to the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens:
+  Access tokens issued by Microsoft Entra ID are JSON web tokens (JWTs). Windows presents a valid JWT token to the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens:
 
   - Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
-  - Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
+  - Refer to the Microsoft Entra authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
 
-## Device Alert 1224 for Azure AD user token
+<a name='device-alert-1224-for-azure-ad-user-token'></a>
 
-An alert is sent when the DM session starts and there's an Azure AD user logged in. The alert is sent in OMA DM package #1. Here's an example:
+## Device Alert 1224 for Microsoft Entra user token
+
+An alert is sent when the DM session starts and there's a Microsoft Entra user logged in. The alert is sent in OMA DM package #1. Here's an example:
 
 ```xml
 Alert Type: com.microsoft/MDM/AADUserToken
@@ -338,8 +350,8 @@ An alert is sent to the MDM server in DM package \#1.
 - Alert type - `com.microsoft/MDM/LoginStatus`
 - Alert format - `chr`
 - Alert data - provide sign-in status information for the current active logged in user.
-  - Signed-in user who has an Azure AD account - predefined text: user.
-  - Signed-in user without an Azure AD account- predefined text: others.
+  - Signed-in user who has a Microsoft Entra account - predefined text: user.
+  - Signed-in user without a Microsoft Entra account- predefined text: others.
   - No active user - predefined text:none
 
 Here's an example.
@@ -360,14 +372,16 @@ Here's an example.
 </SyncBody>
 ```
 
-## Report device compliance to Azure AD
+<a name='report-device-compliance-to-azure-ad'></a>
 
-Once a device is enrolled with the MDM for management, organization policies configured by the IT administrator are enforced on the device. MDM evaluates the device compliance with configured policies and then reports it to Azure AD. This section covers the Graph API call you can use to report a device compliance status to Azure AD.
+## Report device compliance to Microsoft Entra ID
+
+Once a device is enrolled with the MDM for management, organization policies configured by the IT administrator are enforced on the device. MDM evaluates the device compliance with configured policies and then reports it to Microsoft Entra ID. This section covers the Graph API call you can use to report a device compliance status to Microsoft Entra ID.
 
 For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822).
 
-- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Azure AD.
-- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
+- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Microsoft Entra ID.
+- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Microsoft Entra ID. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Microsoft Entra ID.
 
 ### Use Microsoft Graph API
 
@@ -390,9 +404,9 @@ Content-Type: application/json
 
 Where:
 
-- **contoso.com** - This value is the name of the Azure AD tenant to whose directory the device has been joined.
-- **db7ab579-3759-4492-a03f-655ca7f52ae1** - This value is the device identifier for the device whose compliance information is being reported to Azure AD.
-- **eyJ0eXAiO**......... - This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request.
+- **contoso.com** - This value is the name of the Microsoft Entra tenant to whose directory the device has been joined.
+- **db7ab579-3759-4492-a03f-655ca7f52ae1** - This value is the device identifier for the device whose compliance information is being reported to Microsoft Entra ID.
+- **eyJ0eXAiO**......... - This value is the bearer access token issued by Microsoft Entra ID to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request.
 - **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
 - **api-version** - Use this parameter to specify which version of the graph API is being requested.
 
@@ -401,9 +415,11 @@ Response:
 - Success - HTTP 204 with No Content.
 - Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found.
 
-## Data loss during unenrollment from Azure Active Directory Join
+<a name='data-loss-during-unenrollment-from-azure-active-directory-join'></a>
 
-When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data.
+## Data loss during unenrollment from Microsoft Entra join
+
+When a user is enrolled into MDM through Microsoft Entra join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data.
 
 ![aadj unenrollment.](images/azure-ad-unenrollment.png)
 
diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index 636a885451..e1c894e2c5 100644
--- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -7,12 +7,12 @@ ms.date: 08/10/2023
 
 # Automatic MDM enrollment in the Intune admin center
 
-Windows devices can be enrolled in to Intune automatically when they join or register with Azure Active Directory. Automatic enrollment can be configured in Azure portal.
+Windows devices can be enrolled in to Intune automatically when they join or register with Microsoft Entra ID. Automatic enrollment can be configured in Azure portal.
 
-1. Go to your Azure AD portal.
+1. Go to your Microsoft Entra admin center.
 1. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
 1. Select **Microsoft Intune** and configure the enrollment options. You can specify settings to allow **All** users to enroll a device, or choose to allow **Some** users (and specify a group).
 
    ![Configure the Blade.](images/azure-intune-configure-scope.png)
 
-1. Select **Save** to configure MDM autoenrollment for Azure AD joined devices and bring-your-own-device scenarios.
+1. Select **Save** to configure MDM autoenrollment for Microsoft Entra joined devices and bring-your-own-device scenarios.
diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
index 84c1486cec..522b5d05b6 100644
--- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
@@ -7,7 +7,7 @@ ms.date: 08/10/2023
 
 # Bulk enrollment using Windows Configuration Designer
 
-Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join enrollment scenario.
+Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Microsoft Entra join enrollment scenario.
 
 ## Typical use cases
 
@@ -23,10 +23,10 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
 
 > [!NOTE]
 >
-> - Bulk-join is not supported in Azure Active Directory Join.
+> - Bulk-join is not supported in Microsoft Entra join.
 > - Bulk enrollment does not work in Intune standalone environment.
 > - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console.
-> - To change bulk enrollment settings, login to **Azure AD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
+> - To change bulk enrollment settings, login to **Microsoft Entra ID**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
 > - Bulk Token creation is not supported with federated accounts.
 
 ## What you need
diff --git a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
index 56f57c950e..2e3e741284 100644
--- a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
@@ -1,6 +1,6 @@
 ---
-title: Connect to remote Azure Active Directory joined device
-description: Learn how to use Remote Desktop Connection to connect to an Azure AD joined device.
+title: Connect to remote Microsoft Entra joined device
+description: Learn how to use Remote Desktop Connection to connect to a Microsoft Entra joined device.
 ms.localizationpriority: medium
 ms.date: 08/10/2023
 ms.topic: article
@@ -9,36 +9,38 @@ ms.collection:
 - tier2
 ---
 
-# Connect to remote Azure Active Directory joined device
+# Connect to remote Microsoft Entra joined device
 
-Windows supports remote connections to devices joined to Active Directory s well as devices joined to Azure Active Directory (Azure AD) using Remote Desktop Protocol (RDP).
+Windows supports remote connections to devices joined to Active Directory s well as devices joined to Microsoft Entra ID using Remote Desktop Protocol (RDP).
 
 - Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
-- Starting in Windows 10/11, with 2022-10 update installed, you can [use Azure AD authentication to connect to the remote Azure AD device](#connect-with-azure-ad-authentication).
+- Starting in Windows 10/11, with 2022-10 update installed, you can [use Microsoft Entra authentication to connect to the remote Microsoft Entra device](#connect-with-azure-ad-authentication).
 
 ## Prerequisites
 
 - Both devices (local and remote) must be running a supported version of Windows.
 - Remote device must have the **Connect to and use this PC from another device using the Remote Desktop app** option selected under **Settings** > **System** > **Remote Desktop**.
   - It's recommended to select **Require devices to use Network Level Authentication to connect** option.
-- If the user who joined the device to Azure AD is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the device remotely, you must [add users to the Remote Desktop Users group](#add-users-to-remote-desktop-users-group) on the remote device.
+- If the user who joined the device to Microsoft Entra ID is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the device remotely, you must [add users to the Remote Desktop Users group](#add-users-to-remote-desktop-users-group) on the remote device.
 - Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard) is turned off on the device you're using to connect to the remote device.
 
-## Connect with Azure AD Authentication
+<a name='connect-with-azure-ad-authentication'></a>
 
-Azure AD Authentication can be used on the following operating systems for both the local and remote device:
+## Connect with Microsoft Entra authentication
+
+Microsoft Entra authentication can be used on the following operating systems for both the local and remote device:
 
 - Windows 11 with [2022-10 Cumulative Updates for Windows 11 (KB5018418)](https://support.microsoft.com/kb/KB5018418) or later installed.
 - Windows 10, version 20H2 or later with [2022-10 Cumulative Updates for Windows 10 (KB5018410)](https://support.microsoft.com/kb/KB5018410) or later installed.
 - Windows Server 2022 with [2022-10 Cumulative Update for Microsoft server operating system (KB5018421)](https://support.microsoft.com/kb/KB5018421) or later installed.
 
-There's no requirement for the local device to be joined to a domain or Azure AD. As a result, this method allows you to connect to the remote Azure AD joined device from:
+There's no requirement for the local device to be joined to a domain or Microsoft Entra ID. As a result, this method allows you to connect to the remote Microsoft Entra joined device from:
 
-- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device.
+- [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) or [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device.
 - Active Directory joined device.
 - Workgroup device.
 
-Azure AD authentication can also be used to connect to Hybrid Azure AD joined devices.
+Microsoft Entra authentication can also be used to connect to Microsoft Entra hybrid joined devices.
 
 To connect to the remote computer:
 
@@ -48,29 +50,31 @@ To connect to the remote computer:
 
     > [!NOTE]
     > IP address cannot be used when **Use a web account to sign in to the remote computer** option is used.
-    > The name must match the hostname of the remote device in Azure AD and be network addressable, resolving to the IP address of the remote device.
+    > The name must match the hostname of the remote device in Microsoft Entra ID and be network addressable, resolving to the IP address of the remote device.
 
 - When prompted for credentials, specify your user name in `user@domain.com` format.
-- You're then prompted to allow the remote desktop connection when connecting to a new PC. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect.
+- You're then prompted to allow the remote desktop connection when connecting to a new PC. Microsoft Entra remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect.
 
 > [!IMPORTANT]
-> If your organization has configured and is using [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview), your device must satisfy the conditional access requirements to allow connection to the remote computer. Conditional Access policies with [grant controls](/azure/active-directory/conditional-access/concept-conditional-access-grant) and [session controls](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime) may be applied to the application **Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c)** for controlled access.
+> If your organization has configured and is using [Microsoft Entra Conditional Access](/azure/active-directory/conditional-access/overview), your device must satisfy the conditional access requirements to allow connection to the remote computer. Conditional Access policies with [grant controls](/azure/active-directory/conditional-access/concept-conditional-access-grant) and [session controls](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime) may be applied to the application **Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c)** for controlled access.
 
 ### Disconnection when the session is locked
 
-The Windows lock screen in the remote session doesn't support Azure AD authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user explaining they've been disconnected.
+The Windows lock screen in the remote session doesn't support Microsoft Entra authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user explaining they've been disconnected.
 
-Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Azure AD reevaluates the applicable conditional access policies.
+Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Microsoft Entra ID reevaluates the applicable conditional access policies.
 
-## Connect without Azure AD Authentication
+<a name='connect-without-azure-ad-authentication'></a>
 
-By default, RDP doesn't use Azure AD authentication, even if the remote PC supports it. This method allows you to connect to the remote Azure AD joined device from:
+## Connect without Microsoft Entra authentication
 
-- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device using Windows 10, version 1607 or later.
-- [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) device using Windows 10, version 2004 or later.
+By default, RDP doesn't use Microsoft Entra authentication, even if the remote PC supports it. This method allows you to connect to the remote Microsoft Entra joined device from:
+
+- [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) or [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device using Windows 10, version 1607 or later.
+- [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register) device using Windows 10, version 2004 or later.
 
 > [!NOTE]
-> Both the local and remote device must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop.
+> Both the local and remote device must be in the same Microsoft Entra tenant. Microsoft Entra B2B guests aren't supported for Remote desktop.
 
 To connect to the remote computer:
 
@@ -79,26 +83,26 @@ To connect to the remote computer:
 - When prompted for credentials, specify your user name in either `user@domain.com` or `AzureAD\user@domain.com` format.
 
 > [!TIP]
-> If you specify your user name in `domain\user` format, you may receive an error indicating the logon attempt failed with the message **Remote machine is AAD joined. If you are signing in to your work account, try using your work email address**.
+> If you specify your user name in `domain\user` format, you may receive an error indicating the logon attempt failed with the message **Remote machine is Microsoft Entra joined. If you are signing in to your work account, try using your work email address**.
 
 > [!NOTE]
 > For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections.
 
 ### Supported configurations
 
-This table lists the supported configurations for remotely connecting to an Azure AD joined device without using Azure AD authentication:
+This table lists the supported configurations for remotely connecting to a Microsoft Entra joined device without using Microsoft Entra authentication:
 
 | **Criteria**                               | **Client operating system**       | **Supported credentials**                                          |
 |--------------------------------------------|-----------------------------------|--------------------------------------------------------------------|
-| RDP from **Azure AD registered device**    | Windows 10, version 2004 or later | Password, smart card                                               |
-| RDP from **Azure AD joined device**        | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust |
-| RDP from **hybrid Azure AD joined device** | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust |
+| RDP from **Microsoft Entra registered device**    | Windows 10, version 2004 or later | Password, smart card                                               |
+| RDP from **Microsoft Entra joined device**        | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust |
+| RDP from **Microsoft Entra hybrid joined device** | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust |
 
 > [!NOTE]
-> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure AD joined devices, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities).
+> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Microsoft Entra joined devices, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities).
 
 > [!NOTE]
-> When an Azure AD group is added to the **Remote Desktop Users** group on a Windows device, it isn't honored when the user that belongs to the Azure AD group logs in through RDP, resulting in failure to establish the remote connection. In this scenario, Network Level Authentication should be disabled to allow the connection.
+> When a Microsoft Entra group is added to the **Remote Desktop Users** group on a Windows device, it isn't honored when the user that belongs to the Microsoft Entra group logs in through RDP, resulting in failure to establish the remote connection. In this scenario, Network Level Authentication should be disabled to allow the connection.
 
 ## Add users to Remote Desktop Users group
 
@@ -106,7 +110,7 @@ Remote Desktop Users group is used to grant users and groups permissions to remo
 
 - **Adding users manually**:
 
-  You can specify individual Azure AD accounts for remote connections by running the following command, where `<userUPN>` is the UPN of the user, for example `user@domain.com`:
+  You can specify individual Microsoft Entra accounts for remote connections by running the following command, where `<userUPN>` is the UPN of the user, for example `user@domain.com`:
 
   ```cmd
   net localgroup "Remote Desktop Users" /add "AzureAD\<userUPN>"
@@ -116,7 +120,7 @@ Remote Desktop Users group is used to grant users and groups permissions to remo
 
 - **Adding users using policy**:
 
-  Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
+  Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Microsoft Entra joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
 
 ## Related articles
 
diff --git a/windows/client-management/client-tools/quick-assist.md b/windows/client-management/client-tools/quick-assist.md
index 615806cfd5..58eceea5e1 100644
--- a/windows/client-management/client-tools/quick-assist.md
+++ b/windows/client-management/client-tools/quick-assist.md
@@ -19,7 +19,7 @@ All that's required to use Quick Assist is suitable network and internet connect
 
 ### Authentication
 
-The helper can authenticate when they sign in by using a Microsoft account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported.
+The helper can authenticate when they sign in by using a Microsoft account (MSA) or Microsoft Entra ID. Local Active Directory authentication isn't currently supported.
 
 ### Network considerations
 
@@ -36,7 +36,7 @@ Quick Assist communicates over port 443 (https) and connects to the Remote Assis
 | `*.registrar.skype.com` | Required for Azure Communication Service. |
 | `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application |
 | `*.trouter.skype.com` | Used for Azure Communication Service for chat and connection between parties. |
-| `aadcdn.msauth.net` | Required for logging in to the application (Azure AD). |
+| `aadcdn.msauth.net` | Required for logging in to the application (Microsoft Entra ID). |
 | `edge.skype.com` | Used for Azure Communication Service for chat and connection between parties. |
 | `login.microsoftonline.com` | Required for Microsoft login service. |
 | `remoteassistanceprodacs.communication.azure.com` | Used for Azure Communication Service for chat and connection between parties. |
diff --git a/windows/client-management/client-tools/toc.yml b/windows/client-management/client-tools/toc.yml
index 311cb0c84f..115ff9afd8 100644
--- a/windows/client-management/client-tools/toc.yml
+++ b/windows/client-management/client-tools/toc.yml
@@ -3,7 +3,7 @@ items:
     href: administrative-tools-in-windows.md
   - name: Use Quick Assist to help users
     href: quick-assist.md
-  - name: Connect to remote Azure Active Directory-joined PC
+  - name: Connect to remote Microsoft Entra joined PC
     href: connect-to-remote-aadj-pc.md
   - name: Create mandatory user profiles
     href: mandatory-user-profile.md
diff --git a/windows/client-management/declared-configuration-extensibility.md b/windows/client-management/declared-configuration-extensibility.md
new file mode 100644
index 0000000000..3121be77f0
--- /dev/null
+++ b/windows/client-management/declared-configuration-extensibility.md
@@ -0,0 +1,251 @@
+---
+title: Declared configuration extensibility
+description: Learn more about declared configuration extensibility through native WMI providers.
+ms.date: 09/26/2023
+ms.topic: how-to
+---
+
+# Declared configuration extensibility providers
+
+The declared configuration enrollment, which supports the declared configuration client stack, offers extensibility through native WMI providers. This feature instantiates and interfaces with a Windows Management Instrumentation (WMI) provider that has implemented a management infrastructure (MI) interface. The interface must implement GetTargetResource, TestTargetResource, and SetTargetResource methods, and may implement any number of string properties.
+
+> [!NOTE]
+> Only string properties are currently supported by extensibility providers.
+
+```mof
+[static, Description ("Get resource state based on input configuration file." )]
+uint32 GetTargetResource(
+    [in, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("Configuration document that is to be applied.")]
+    string InputResource,
+    [in, Description ("Flags passed to the provider. Reserved for future use." )]
+    uint32 Flags,
+    [out, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("The current state of the specified configuration resources." )]
+    string OutputResource
+);
+
+[static, Description ("Test resource state based on input configuration file." )]
+uint32 TestTargetResource(
+    [in, EmbeddedInstance("MSFT_FileDirectoryConfiguration"), Description ("Configuration document to be applied." )]
+    string InputResource,
+    [in, Description ("Flags passed to the provider. reserved for future use." )]
+    uint32 Flags,
+    [out, Description ("True if identical. False otherwise." )]
+    boolean Result,
+    [out, Description ("Context information the provider can use to optimize the set. This is optional." )]
+    uint64 ProviderContext
+);
+
+[static, Description ("Set resource state based on input configuration file." )]
+uint32 SetTargetResource(
+    [in, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"),
+    Description ("Configuration document to be applied." )]
+    string InputResource,
+    [in, Description ("Context information the provider can use to optimize the set from SetTargetResource. This is optional." )]
+    uint64 ProviderContext,
+    [in, Description ("Flags passed to the provider. reserved for future use." )]
+    uint32 Flags
+);
+```
+
+## Author desired state configuration resources
+
+To create a native WMI provider, follow the steps outlined in [How to implement an MI provider](/previous-versions/windows/desktop/wmi_v2/how-to-implement-an-mi-provider). These steps include how to generate the source code for an MI interface using the `Convert-MofToProvider.exe` tool to generate the DLL and prepare it for placement.
+
+1. Create a MOF file that defines the schema for the desired state configuration resource including parameters and methods. This file includes the required parameters for the resource.
+2. Copy the schema MOF file along with any required files into the provider tools directory, for example: ProviderGenerationTool.
+3. Edit the required files and include the correct file names and class names.
+4. Invoke the provider generator tool to generate the provider's project files.
+5. Copy the generated files into the provider's project folder.
+6. Start the development process.
+
+## Example
+
+This example provides more details about each step to demonstrate how to implement a sample native resource named `MSFT_FileDirectoryConfiguration`.
+
+### Step 1: Create the resource schema MOF file
+
+Create a sample schema MOF file used to generate the initial source code for the `MSFT_FileDirectoryConfiguration` native resource. Place it in the project directory named `MSFT_FileDirectoryConfiguration`.
+
+```mof
+#pragma include ("cim_schema_2.26.0.mof")
+#pragma include ("OMI_BaseResource.mof")
+#pragma include ("MSFT_Credential.mof")
+
+[ClassVersion("1.0.0"), Description("The configuration provider for files and directories.")]
+class MSFT_FileDirectoryConfiguration : OMI_BaseResource
+{
+    [Key, Description("File name and path on target node to copy or create.")]
+    string DestinationPath;
+
+    [Write, Description("The name and path of the file to copy from.")]
+    string SourcePath;
+
+    [Write, Description("Contains a string that represents the contents of the file. To create an empty file, the string must be empty. The contents will be written and compared using UTF-8 character encoding.")]
+    string Contents;
+
+    [static, Description ("Get resource states based on input configuration file." )]
+    uint32 GetTargetResource(
+        [in, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("Configuration document that is to be applied." )]
+        string InputResource,
+
+        [in,Description ("Flags passed to the providers. Reserved for future use." )]
+        uint32 Flags,
+
+        [out, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("The current state of the specified configuration resources." )]
+        string OutputResource
+    );
+
+    [static, Description ("Test resource states based on input configuration file." )]
+    uint32 TestTargetResource(
+        [in, EmbeddedInstance("MSFT_FileDirectoryConfiguration"), Description ("Configuration document that to be applied." )]
+        string InputResource,
+
+        [in, Description ("Flags passed to the providers. reserved for future use." )]
+        uint32 Flags,
+
+        [out, Description ("True if identical. False otherwise." )]
+        boolean Result,
+
+        [out, Description ("Context information that the provider can use to optimize the set, This is optional." )]
+        uint64 ProviderContext
+    );
+
+    [static, Description ("Set resource states based on input configuration file." )]
+    uint32 SetTargetResource(
+        [in, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("Configuration document that to be applied." )]
+        string InputResource,
+
+        [in, Description ("Context information that the provider can use to optimize the set from TestTargetResource, This is optional." )]
+        uint64 ProviderContext,
+
+        [in, Description ("Flags passed to the providers. reserved for future use." )]
+        uint32 Flags
+    );
+};
+```
+
+> [!NOTE]
+>
+> - The class name and DLL file name should be the same, as defined in the `Provider.DEF` file.
+> - The type qualifier `[Key]` on a property indicates that it uniquely identifies the resource instance. At least one `[Key]` property is required.
+> - The `[Required]` qualifier indicates that the property is required. In other words, a value must be specified in any configuration script that uses this resource.
+> - The `[write]` qualifier indicates that the property is optional when using the custom resource in a configuration script. The `[read]` qualifier indicates that a property can't be set by a configuration, and is for reporting purposes only.
+> - The `[Values]` qualifier restricts the values that can be assigned to the property. Define the list of allowed values in `[ValueMap]`. For more information, see [ValueMap and value qualifiers](/windows/win32/wmisdk/value-map).
+> - Any new MOF file should include the following lines at the top of the file:
+>
+>     ```mof
+>     #pragma include ("cim_schema_2.26.0.mof")
+>     #pragma include ("OMI_BaseResource.mof")
+>     #pragma include ("MSFT_Credential.mof")
+>     ```
+>
+> - Method names and its parameters should be same for every resource. Change `MSFT_FileDirectoryConfiguration` from EmbeddedInstance value to the class name of the desired provider. There should be only one provider per MOF file.
+
+### Step 2: Copy the schema MOF files
+
+Copy these required files and folders to the project directory you created in step 1:
+
+- `CIM-2.26.0`
+- `codegen.cmd`
+- `Convert-MofToProvider.exe`
+- `MSFT_Credential.mof`
+- `MSFT_DSCResource.mof`
+- `OMI_BaseResource.mof`
+- `OMI_Errors.mof`
+- `Provider.DEF`
+- `wmicodegen.dll`
+
+For more information on how to obtain the required files, see [How to implement an MI provider](/previous-versions/windows/desktop/wmi_v2/how-to-implement-an-mi-provider).
+
+### Step 3: Edit the required files
+
+Modify the following files in the project directory:
+
+- `MSFT_FileDirectoryConfiguration.mof`: You created this file in step 1.
+- `Provider.DEF`: This file contains the DLL name, for example, `MSFT_FileDirectoryConfiguration.dll`.
+- `codegen.cmd`: This file contains the command to invoke `convert-moftoprovider.exe`.
+
+    ```cmd
+    "convert-moftoprovider.exe" ^
+       -MofFile MSFT_FileDirectoryConfiguration.mof ^
+                MSFT_DSCResource.mof ^
+                OMI_Errors.mof ^
+       -ClassList MSFT_FileDirectoryConfiguration ^
+       -IncludePath CIM-2.26.0 ^
+       -ExtraClass OMI_Error ^
+                   MSFT_DSCResource ^
+       -OutPath temp
+    ```
+
+### Step 4: Run the provider generator tool
+
+Run `codegen.cmd`, which runs the `convert-moftoprovider.exe` command. Alternatively, you can run the command directly.
+
+### Step 5: Copy the generated source files
+
+The command in step 3 specifies the `-OutPath` parameter, which in this example is a folder named `temp`. When you run the tool in step 4, it creates new files in this folder. Copy the generated files from this `temp` folder to the project directory. You created the project directory in step 1, which in this example is `MSFT_FileDirectoryConfiguration`.
+
+> [!NOTE]
+> Any time you update the schema MOF file, run the `codegen.cmd` script to regenerate the source files. Rerunning the generator tool overwrites any existing the source files. To prevent this behavior, this example uses a temporary folder. Minimize updates to the schema MOF file since the main implementation should be merged with the most recent auto-generated source files.
+
+### About the `MSFT_FileDirectoryConfiguration` resource
+
+After you run the provider generator tool, it creates several source and header files:
+
+- `MSFT_FileDirectoryConfiguration.c`
+- `MSFT_FileDirectoryConfiguration.h`
+- `module.c`
+- `schema.c`
+- `WMIAdapter.c`
+
+From this list, you only need to modify `MSFT_FileDirectoryConfiguration.c` and `MSFT_FileDirectoryConfiguration.h`. You can also change the extension for the source files from `.c` to `.cpp`, which is the case for this resource. The business logic for this resource is implemented in `MSFT_FileDirectoryConfigurationImp.cpp` and `MSFT_FileDirectoryConfigurationImp.h`. These new files are added to the `MSFT_FileDirectoryConfiguration` project directory after you run the provider generator tool.
+
+For a native desired state configuration resource, you have to implement three autogenerated functions in `MSFT_FileDirectoryConfiguration.cpp`:
+
+- `MSFT_FileDirectoryConfiguration_Invoke_GetTargetResource`
+- `MSFT_FileDirectoryConfiguration_Invoke_TestTargetResource`
+- `MSFT_FileDirectoryConfiguration_Invoke_SetTargetResource`
+
+From these three functions, only `MSFT_FileDirectoryConfiguration_Invoke_GetTargetResource` is required for a Get scenario. `MSFT_FileDirectoryConfiguration_Invoke_TestTargetResource` and `MSFT_FileDirectoryConfiguration_Invoke_SetTargetResource` are used when remediation is needed.
+
+There are several other autogenerated functions in `MSFT_FileDirectoryConfiguration.cpp` that don't need implementation for a native desired state configuration resource. You don't need to modify the following functions:
+
+- `MSFT_FileDirectoryConfiguration_Load`
+- `MSFT_FileDirectoryConfiguration_Unload`
+- `MSFT_FileDirectoryConfiguration_EnumerateInstances`
+- `MSFT_FileDirectoryConfiguration_GetInstance`
+- `MSFT_FileDirectoryConfiguration_CreateInstance`
+- `MSFT_FileDirectoryConfiguration_ModifyInstance`
+- `MSFT_FileDirectoryConfiguration_DeleteInstance`
+
+### About `MSFT_FileDirectoryConfiguration_Invoke_GetTargetResource`
+
+The `MSFT_FileDirectoryConfiguration_Invoke_GetTargetResource` function does the following steps to complete its task:
+
+1. Validate the input resource.
+1. Ensure the keys and required parameters are present.
+1. Create a resource instance that is used as the output of the Get method. This instance is of type `MSFT_FileDirectoryConfiguration`, which is derived from `MI_Instance`.
+1. Create the output resource instance from the modified resource instance and return it to the MI client by calling these functions:
+
+    - `MSFT_FileDirectoryConfiguration_GetTargetResource_Construct`
+    - `MSFT_FileDirectoryConfiguration_GetTargetResource_SetPtr_OutputResource`
+    - `MSFT_FileDirectoryConfiguration_GetTargetResource_Set_MIReturn`
+    - `MSFT_FileDirectoryConfiguration_GetTargetResource_Post`
+    - `MSFT_FileDirectoryConfiguration_GetTargetResource_Destruct`
+
+1. Clean up resources, for example, free allocated memory.
+
+## MI implementation references
+
+- [Introducing the management infrastructure (MI) API](/archive/blogs/wmi/introducing-new-management-infrastructure-mi-api)
+- [Implementing MI provider (1) - Overview](/archive/blogs/wmi/implementing-mi-provider-1-overview)
+- [Implementing MI provider (2) - Define schema](/archive/blogs/wmi/implementing-mi-provider-2-define-schema)
+- [Implementing MI provider (3) - Generate code](/archive/blogs/wmi/implementing-mi-provider-3-generate-code)
+- [Implementing MI provider (4) - Generate code (continue)](/archive/blogs/wmi/implementing-mi-provider-4-generate-code-continute)
+- [Implementing MI provider (5) - Implement](/archive/blogs/wmi/implementing-mi-provider-5-implement)
+- [Implementing MI provider (6) - Build, register, and debug](/archive/blogs/wmi/implementing-mi-provider-6-build-register-and-debug)
+- [MI interfaces](/previous-versions/windows/desktop/wmi_v2/mi-interfaces)
+- [MI datatypes](/previous-versions/windows/desktop/wmi_v2/mi-datatypes)
+- [MI structures and unions](/previous-versions/windows/desktop/wmi_v2/mi-structures-and-unions)
+- [MI_Result enumeration (mi.h)](/windows/win32/api/mi/ne-mi-mi_result)
+- [MI_Type enumeration (mi.h)](/windows/win32/api/mi/ne-mi-mi_type)
diff --git a/windows/client-management/declared-configuration.md b/windows/client-management/declared-configuration.md
new file mode 100644
index 0000000000..f655d1ae19
--- /dev/null
+++ b/windows/client-management/declared-configuration.md
@@ -0,0 +1,65 @@
+---
+title: Declared configuration protocol
+description: Learn more about using declared configuration protocol for desired state management of Windows devices.
+ms.date: 09/26/2023
+ms.topic: overview
+---
+
+# What is the declared configuration protocol
+
+The declared configuration protocol is based on a desired state device configuration model, though it still uses the underlying OMA-DM Syncml protocol. Through a dedicated OMA-DM server, it provides all the settings in a single batch through this protocol. The device's declared configuration client stack can reason over the settings to achieve the desired scenario in the most efficient and reliable manner.
+
+The declared configuration protocol requires that a device has a separate [OMA-DM enrollment](mdm-overview.md), which is dependent on the device being enrolled with the primary OMA-DM server. The desired state model is a different model from the current model where the server is responsible for the device's desire state. This dual enrollment is only allowed if the device is already enrolled into a primary MDM server. This other enrollment separates the desired state management functionality from the primary functionality. The declared configuration enrollment's first desired state management model feature is called [extensibility](declared-configuration-extensibility.md).
+
+:::image type="content" source="images/declared-configuration-model.png" alt-text="Diagram illustrating the declared configuration model.":::
+
+With the [Declared Configuration CSP](mdm/declaredconfiguration-csp.md), the OMA-DM server can provide the device with the complete collection of setting names and associated values based on a specified scenario. The declared configuration stack on the device is responsible for handling the configuration request, and maintaining its state including updates to the scenario.
+
+The benefit of the declared configuration desired state model is that it's efficient and accurate, especially since it's the responsibility of the declared configuration client to configure the device. The efficiency of declared configuration is because the client can asynchronously process batches of scenario settings, which free up the server resources to do other work. Thus the declared configuration protocol has low latency. As for configuration quality and accuracy, the declared configuration client stack has detailed knowledge of the configuration surface area of the device. This behavior includes the proper handling of continuous device updates that affect the configuration scenario.
+
+## Declared configuration enrollment
+
+[Mobile Device Enrollment Protocol version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692) describes enrollment including discovery, which covers the primary and declared configuration enrollments. The device uses the following new [DMClient CSP](mdm/dmclient-csp.md) policies for declared configuration dual enrollment:
+
+- [LinkedEnrollment/Enroll](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentenroll)
+- [LinkedEnrollment/Unenroll](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentunenroll)
+- [LinkedEnrollment/EnrollStatus](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentenrollstatus)
+- [LinkedEnrollment/LastError](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentlasterror)
+- [LinkedEnrollment/DiscoveryEndpoint](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentdiscoveryendpoint)
+
+The following SyncML example sets **LinkedEnrolment/DiscoveryEndpoint** and triggers **LinkedEnrollment/Enroll**:
+
+```xml
+<SyncML xmlns="SYNCML:SYNCML1.1">
+    <SyncBody>
+        <Replace>
+           <CmdID>2</CmdID>
+            <Item>
+                <Target>
+                    <LocURI>./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20SERVER/LinkedEnrollment/DiscoveryEndpoint</LocURI>
+                </Target>
+         <Data>https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0</Data>
+            </Item>
+        </Replace>
+        <Final/>
+    </SyncBody>
+</SyncML>
+
+<SyncML xmlns="SYNCML:SYNCML1.1">
+    <SyncBody>
+        <Exec>
+            <CmdID>2</CmdID>
+            <Item>
+                <Target>
+                    <LocURI>./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20SERVER/LinkedEnrollment/Enroll</LocURI>
+                </Target>
+           </Item>
+        </Exec>
+        <Final/>
+    </SyncBody>
+</SyncML>
+```
+
+## Related content
+
+- [Declared Configuration extensibility](declared-configuration-extensibility.md)
diff --git a/windows/client-management/disconnecting-from-mdm-unenrollment.md b/windows/client-management/disconnecting-from-mdm-unenrollment.md
index 9b12683d3e..00e2645545 100644
--- a/windows/client-management/disconnecting-from-mdm-unenrollment.md
+++ b/windows/client-management/disconnecting-from-mdm-unenrollment.md
@@ -100,24 +100,26 @@ When the server initiates disconnection, all undergoing sessions for the enrollm
 
 ## Unenrollment from Work Access settings page
 
-If the user is enrolled into MDM using an Azure Active Directory (Azure AD Join or by adding a Microsoft work account), the MDM account shows up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the Azure AD association to the device.
+If the user is enrolled into MDM using a Microsoft Entra ID (Microsoft Entra join or by adding a Microsoft work account), the MDM account shows up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the Microsoft Entra association to the device.
 
 You can only use the Work Access page to unenroll under the following conditions:
 
 - Enrollment was done using bulk enrollment.
 - Enrollment was created using the Work Access page.
 
-## Unenrollment from Azure Active Directory Join
+<a name='unenrollment-from-azure-active-directory-join'></a>
 
-When a user is enrolled into MDM through Azure Active Directory Join and later, the enrollment disconnects, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data.
+## Unenrollment from Microsoft Entra join
+
+When a user is enrolled into MDM through Microsoft Entra join and later, the enrollment disconnects, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data.
 
 ![aadj unenerollment.](images/azure-ad-unenrollment.png)
 
-During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporate devices in unmanaged state.
+During the process in which a device is enrolled into MDM through Microsoft Entra join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Microsoft Entra association is also removed. This safeguard is in place to avoid leaving the corporate devices in unmanaged state.
 
-Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that isn't part of Azure AD, otherwise the device won't have any admin user after the operation.
+Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that isn't part of Microsoft Entra ID, otherwise the device won't have any admin user after the operation.
 
-In mobile devices, remote unenrollment for Azure Active Directory Joined devices fails. To remove corporate content from these devices, we recommend you remotely wipe the device.
+In mobile devices, remote unenrollment for Microsoft Entra joined devices fails. To remove corporate content from these devices, we recommend you remotely wipe the device.
 
 ## IT admin-requested disconnection
 
diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
index 031f810c1b..e711afcc6a 100644
--- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -12,29 +12,31 @@ ms.collection:
 
 You can use a Group Policy to trigger autoenrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices.
 
-The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.
+The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Microsoft Entra account.
 
 **Requirements**:
 
 - The Active Directory joined device must be running a [supported version of Windows](/windows/release-health/supported-versions-windows-client).
 - The enterprise has configured a Mobile Device Management (MDM) service.
-- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad).
+- The on-premises Active Directory must be [integrated with Microsoft Entra ID (via Microsoft Entra Connect)](/azure/architecture/reference-architectures/identity/azure-ad).
+- Service connection point (SCP) configuration. For more information see [configuring the SCP using Microsoft Entra Connect](/azure/active-directory/devices/how-to-hybrid-join). For environments not publishing SCP data to AD, see [Microsoft Entra hybrid join targeted deployment](/azure/active-directory/devices/hybrid-join-control#targeted-deployment-of-microsoft-entra-hybrid-join-on-windows-current-devices).
 - The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents fail enrollment with `error 0x80180026`).
-- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. For more information, see [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan).
+- The minimum Windows Server version requirement is based on the Microsoft Entra hybrid join requirement. For more information, see [How to plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan).
+
 
 > [!TIP]
 > For more information, see the following topics:
 >
-> - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
-> - [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
-> - [Azure Active Directory integration with MDM](./azure-active-directory-integration-with-mdm.md)
+> - [How to configure automatic registration of Windows domain-joined devices with Microsoft Entra ID](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
+> - [How to plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
+> - [Microsoft Entra integration with MDM](./azure-active-directory-integration-with-mdm.md)
 
-The autoenrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD-registered.
+The autoenrollment relies on the presence of an MDM service and the Microsoft Entra registration for the PC. Once the enterprise has registered its AD with Microsoft Entra ID, a Windows PC that is domain joined is automatically Microsoft Entra registered.
 
 > [!NOTE]
 > In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
 
-When the autoenrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task uses the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user gets prompted to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
+When the autoenrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task uses the existing MDM service configuration from the Microsoft Entra information of the user. If multi-factor authentication is required, the user gets prompted to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
 
 - Starting in Windows 10, version 1709, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM.
 - Starting in Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins).
@@ -45,7 +47,7 @@ For this policy to work, you must verify that the MDM service provider allows Gr
 
 To configure autoenrollment using a group policy, use the following steps:
 
-1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
+1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Microsoft Entra credentials**.
 1. Create a Security Group for the PCs.
 1. Link the GPO.
 1. Filter using Security Groups.
@@ -85,7 +87,7 @@ This procedure is only for illustration purposes to show how the new autoenrollm
 
 1. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**.
 
-1. Double-click **Enable automatic MDM enrollment using default Azure AD credentials**. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**.
+1. Double-click **Enable automatic MDM enrollment using default Microsoft Entra credentials**. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**.
 
    :::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png":::
 
@@ -94,14 +96,14 @@ This procedure is only for illustration purposes to show how the new autoenrollm
    >
    > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop).
 
-When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
+When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
 
 If two-factor authentication is required, you are prompted to complete the process. Here's an example screenshot.
 
 :::image type="content" source="images/autoenrollment-2-factor-auth.png" alt-text="Screenshot of Two-factor authentication notification.":::
 
 > [!TIP]
-> You can avoid this behavior by using Conditional Access Policies in Azure AD. Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview).
+> You can avoid this behavior by using Conditional Access Policies in Microsoft Entra ID. Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview).
 
 ## Verify enrollment
 
diff --git a/windows/client-management/enterprise-app-management.md b/windows/client-management/enterprise-app-management.md
index 56d0b0809b..976b340e5a 100644
--- a/windows/client-management/enterprise-app-management.md
+++ b/windows/client-management/enterprise-app-management.md
@@ -200,10 +200,10 @@ If you purchased an app from the Store for Business and the app is specified for
 
 Here are the requirements for this scenario:
 
-- The app is assigned to a user Azure Active Directory (Azure AD) identity in the Store for Business. You can assign directly in the Store for Business or through a management server.
+- The app is assigned to a user Microsoft Entra identity in the Store for Business. You can assign directly in the Store for Business or through a management server.
 - The device requires connectivity to the Microsoft Store.
 - Microsoft Store services must be enabled on the device. The UI for the Microsoft Store can be disabled by the enterprise admin.
-- The user must be signed in with their Azure AD identity.
+- The user must be signed in with their Microsoft Entra identity.
 
 Here's an example:
 
@@ -267,7 +267,7 @@ Here are the requirements for this scenario:
 - The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (`https://contoso.com/app1.appx`).
 - The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
 - The device doesn't need to have connectivity to the Microsoft Store, store services, or have the Microsoft Store UI be enabled.
-- The user must be logged in, but association with Azure AD identity isn't required.
+- The user must be logged in, but association with Microsoft Entra identity isn't required.
 
 > [!NOTE]
 > You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
@@ -384,7 +384,7 @@ Here are the requirements for this scenario:
 - The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (`https://contoso.com/app1.appx\`)
 - The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
 - The device doesn't need to have connectivity to the Microsoft Store, or store services enabled.
-- The device doesn't need any Azure AD identity or domain membership.
+- The device doesn't need any Microsoft Entra identity or domain membership.
 - For nonStore app, your device must be unlocked.
 - For Store offline apps, the required licenses must be deployed before deploying the apps.
 
diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md
index 21cae9d2ac..970b5917af 100644
--- a/windows/client-management/esim-enterprise-management.md
+++ b/windows/client-management/esim-enterprise-management.md
@@ -14,7 +14,7 @@ The expectations from an MDM are that it uses the same sync mechanism that it us
 
 If you're a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps:
 
-- Onboard to Azure Active Directory
+- Onboard to Microsoft Entra ID
 - Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for MDM providers to manager eSIM profiles for enterprise use cases. However, Windows doesn't limit how ecosystem partners offer this service to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies.
 
   As an MDM provider, if you're looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties.
diff --git a/windows/client-management/images/declared-configuration-model.png b/windows/client-management/images/declared-configuration-model.png
new file mode 100644
index 0000000000..7708eedf57
Binary files /dev/null and b/windows/client-management/images/declared-configuration-model.png differ
diff --git a/windows/client-management/images/icons/group-policy.svg b/windows/client-management/images/icons/group-policy.svg
new file mode 100644
index 0000000000..ace95add6b
--- /dev/null
+++ b/windows/client-management/images/icons/group-policy.svg
@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
+  <path d="M1792 0q53 0 99 20t82 55 55 81 20 100q0 53-20 99t-55 82-81 55-100 20h-128v1280q0 53-20 99t-55 82-81 55-100 20H256q-53 0-99-20t-82-55-55-81-20-100q0-53 20-99t55-82 81-55 100-20V256q0-53 20-99t55-82 81-55T512 0h1280zM128 1792q0 27 10 50t27 40 41 28 50 10h930q-34-60-34-128t34-128H256q-27 0-50 10t-40 27-28 41-10 50zm1280 128q27 0 50-10t40-27 28-41 10-50V256q0-68 34-128H512q-27 0-50 10t-40 27-28 41-10 50v1280h1024q26 0 45 19t19 45q0 26-19 45t-45 19q-25 0-49 9t-42 28q-18 18-27 42t-10 49q0 27 10 50t27 40 41 28 50 10zm384-1536q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10q-27 0-50 10t-40 27-28 41-10 50v128h128zm-1280 0h896v128H512V384zm0 256h256v128H512V640zm0 256h256v128H512V896zm0 256h256v128H512v-128zm640-512q53 0 99 20t82 55 55 81 20 100q0 17-4 33t-4 31v539l-248-124-248 124V960q0-14-4-30t-4-34q0-53 20-99t55-82 81-55 100-20zm0 128q-27 0-50 10t-40 27-28 41-10 50q0 27 10 50t27 40 41 28 50 10q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10zm136 549v-204q-30 20-65 29t-71 10q-36 0-71-9t-65-30v204l136-68 136 68z" fill="#0078D4" />
+</svg>
\ No newline at end of file
diff --git a/windows/client-management/images/icons/intune.svg b/windows/client-management/images/icons/intune.svg
new file mode 100644
index 0000000000..6e0d938aed
--- /dev/null
+++ b/windows/client-management/images/icons/intune.svg
@@ -0,0 +1,24 @@
+<svg id="a9ed4d43-c916-4b9a-b9ca-be76fbdc694c" xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
+  <defs>
+    <linearGradient id="aaede26b-698f-4a65-b6db-859d207e2da6" x1="8.05" y1="11.32" x2="8.05" y2="1.26" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#0078d4" />
+      <stop offset="0.82" stop-color="#5ea0ef" />
+    </linearGradient>
+    <linearGradient id="bc54987f-34ba-4701-8ce4-6eca10aff9e9" x1="8.05" y1="15.21" x2="8.05" y2="11.32" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#1490df" />
+      <stop offset="0.98" stop-color="#1f56a3" />
+    </linearGradient>
+    <linearGradient id="a5434fd8-c18c-472c-be91-f2aa070858b7" x1="8.05" y1="7.87" x2="8.05" y2="4.94" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#d2ebff" />
+      <stop offset="1" stop-color="#f0fffd" />
+    </linearGradient>
+  </defs>
+  <title>Icon-intune-329</title>
+  <rect x="0.5" y="1.26" width="15.1" height="10.06" rx="0.5" fill="url(#aaede26b-698f-4a65-b6db-859d207e2da6)" />
+  <rect x="1.34" y="2.1" width="13.42" height="8.39" rx="0.28" fill="#fff" />
+  <path d="M11.08,14.37c-1.5-.23-1.56-1.31-1.55-3h-3c0,1.74-.06,2.82-1.55,3a.87.87,0,0,0-.74.84h7.54A.88.88,0,0,0,11.08,14.37Z" fill="url(#bc54987f-34ba-4701-8ce4-6eca10aff9e9)" />
+  <path d="M17.17,5.91H10.29a2.31,2.31,0,1,0,0,.92H11v9.58a.33.33,0,0,0,.33.33h5.83a.33.33,0,0,0,.33-.33V6.24A.33.33,0,0,0,17.17,5.91Z" fill="#32bedd" />
+  <rect x="11.62" y="6.82" width="5.27" height="8.7" rx="0.12" fill="#fff" />
+  <circle cx="8.05" cy="6.41" r="1.46" opacity="0.9" fill="url(#a5434fd8-c18c-472c-be91-f2aa070858b7)" />
+  <path d="M14.88,10.82,13.76,9.7a.06.06,0,0,0-.1.05v.68a.06.06,0,0,1-.06.06H11v.83H13.6a.06.06,0,0,1,.06.06v.69a.06.06,0,0,0,.1,0L14.88,11A.12.12,0,0,0,14.88,10.82Z" fill="#0078d4" />
+</svg>
\ No newline at end of file
diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md
index 2927f3eefe..ae35a82630 100644
--- a/windows/client-management/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/implement-server-side-mobile-application-management.md
@@ -1,29 +1,31 @@
 ---
-title: Support for mobile application management on Windows
-description: Learn about implementing the Windows version of mobile application management (MAM), which is a lightweight solution for managing company data access and security on personal devices.
+title: Support for Windows Information Protection (WIP) on Windows
+description: Learn about implementing the Windows version of Windows Information Protection (WIP), which is a lightweight solution for managing company data access and security on personal devices.
 ms.topic: article
 ms.date: 08/10/2023
 ---
 
-# Support for mobile application management on Windows
+# Support for Windows Information Protection (WIP) on Windows
 
-The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP).
+Windows Information Protection (WIP) is a lightweight solution for managing company data access and security on personal devices. WIP support is built into Windows.
 
 [!INCLUDE [Deprecate Windows Information Protection](../security/information-protection/windows-information-protection/includes/wip-deprecation.md)]
 
-## Integration with Azure AD
+<a name='integration-with-azure-ad'></a>
 
-MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
+## Integration with Microsoft Entra ID
 
-MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices are enrolled to MAM or MDM, depending on the user's actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device is enrolled to MAM. If a user joins their device to Azure AD, it's enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
+WIP is integrated with Microsoft Entra identity service. The WIP service supports Microsoft Entra integrated authentication for the user and the device during enrollment and the downloading of WIP policies. WIP integration with Microsoft Entra ID is similar to mobile device management (MDM) integration. See [Microsoft Entra integration with MDM](azure-active-directory-integration-with-mdm.md).
 
-On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft 365 apps. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
+WIP uses Workplace Join (WPJ). WPJ is integrated with adding a work account flow to a personal device. If a user adds their work or school Microsoft Entra account as a secondary account to the machine, their device registered with WPJ. If a user joins their device to Microsoft Entra ID, it's enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be registered with WPJ. A Microsoft Entra join, and enrollment to MDM, should be used to manage corporate devices.
+
+On personal devices, users can add a Microsoft Entra account as a secondary account to the device while keeping their personal account as primary. Users can add a Microsoft Entra account to the device from a supported Microsoft Entra integrated application, such as the next update of Microsoft 365 apps. Alternatively, users can add a Microsoft Entra account from **Settings > Accounts > Access work or school**.
 
 Regular non administrator users can enroll to MAM.
 
-## Integration with Windows Information Protection
+## Understand Windows Information Protection
 
-MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.
+WIP takes advantage of [built-in policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, WPJ limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.
 
 To make applications WIP-aware, app developers need to include the following data in the app resource file.
 
@@ -35,26 +37,28 @@ MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID
   END
 ```
 
-## Configuring an Azure AD tenant for MAM enrollment
+<a name='configuring-an-azure-ad-tenant-for-mam-enrollment'></a>
 
-MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. The same cloud-based Management MDM app in Azure AD supports both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. This screenshot illustrates the management app for an IT admin configuration.
+## Configuring a Microsoft Entra tenant for MAM enrollment
+
+MAM enrollment requires integration with Microsoft Entra ID. The MAM service provider needs to publish the Management MDM app to the Microsoft Entra app gallery. The same cloud-based Management MDM app in Microsoft Entra ID supports both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. This screenshot illustrates the management app for an IT admin configuration.
 
 :::image type="content" alt-text="Mobile application management app." source="images/implement-server-side-mobile-application-management.png":::
 
-MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that contains both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM.
+MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Microsoft Entra Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that contains both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Microsoft Entra ID: one for MAM and one for MDM.
 
 > [!NOTE]
-> If the MDM service in an organization isn't integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.
+> If the MDM service in an organization isn't integrated with Microsoft Entra ID and uses auto-discovery, only one Management app for MAM needs to be configured.
 
 ## MAM enrollment
 
-MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.
+MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). MAM enrollment supports Microsoft Entra ID [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.
 
 These are the protocol changes for MAM enrollment:
 
 - MDM discovery isn't supported.
 - APPAUTH node in [DMAcc CSP](mdm/dmacc-csp.md) is optional.
-- MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way TLS/SSL using server certificate authentication.
+- MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. Servers must use a Microsoft Entra token for client authentication during policy syncs. Policy sync sessions must be performed over one-way TLS/SSL using server certificate authentication.
 
 Here's an example provisioning XML for MAM enrollment.
 
@@ -74,7 +78,7 @@ Since the [Poll](mdm/dmclient-csp.md#deviceproviderprovideridpoll) node isn't pr
 
 ## Supported CSPs
 
-MAM on Windows supports the following configuration service providers (CSPs). All other CSPs are blocked. Note the list may change later based on customer feedback:
+WIP supports the following configuration service providers (CSPs). All other CSPs are blocked. Note the list may change later based on customer feedback:
 
 - [AppLocker CSP](mdm/applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
 - [ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
@@ -104,7 +108,7 @@ We don't recommend configuring both Exchange ActiveSync (EAS) and MAM policies f
 
 ## Policy sync
 
-MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to authenticate to the service for policy syncs.
+MAM policy syncs are modeled after MDM. The MAM client uses a Microsoft Entra token to authenticate to the service for policy syncs.
 
 ## Change MAM enrollment to MDM
 
@@ -121,4 +125,4 @@ In the process of changing MAM enrollment to MDM, MAM policies will be removed f
 - EDP CSP Enterprise ID is the same for both MAM and MDM.
 - EDP CSP RevokeOnMDMHandoff is set to false.
 
-If the MAM device is properly configured for MDM enrollment, then the *Enroll only to device management* link is displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account won't be affected.
+If the MAM device is properly configured for MDM enrollment, then the *Enroll only to device management* link is displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Microsoft Entra account won't be affected.
diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml
index 9501d46c0a..40f4cb654f 100644
--- a/windows/client-management/index.yml
+++ b/windows/client-management/index.yml
@@ -12,10 +12,10 @@ metadata:
   ms.collection:
     - highpri
     - tier1
-  author: aczechowski
-  ms.author: aaroncz
+  author: vinaypamnani-msft
+  ms.author: vinpa
   manager: aaroncz
-  ms.date: 04/13/2023
+  ms.date: 09/26/2023
   localization_priority: medium
 
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@@ -32,33 +32,28 @@ landingContent:
             url: mdm-overview.md
       - linkListType: concept
         links:
-          - text: MDM for device updates
-            url: device-update-management.md
-          - text: Enterprise settings, policies, and app management
+          - text: Manage settings
             url: windows-mdm-enterprise-settings.md
-          - text: Windows Tools/Administrative Tools
-            url: client-tools/administrative-tools-in-windows.md
-          - text: Create mandatory user profiles
-            url: client-tools/mandatory-user-profile.md
+          - text: Manage updates
+            url: device-update-management.md
+          - text: Manage apps
+            url: enterprise-app-management.md
+          - text: Manage Copilot in Windows
+            url: manage-windows-copilot.md
 
-  - title: Device enrollment
+  - title: Copilot in Windows
     linkLists:
-      - linkListType: overview
-        links:
-          - text: Mobile device enrollment
-            url: mobile-device-enrollment.md
-      - linkListType: concept
-        links:
-          - text: Enroll Windows devices
-            url: mdm-enrollment-of-windows-devices.md
-          - text: Automatic enrollment using Azure AD
-            url: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
-          - text: Automatic enrollment using group policy
-            url: enroll-a-windows-10-device-automatically-using-group-policy.md
-          - text: Bulk enrollment
-            url: bulk-enrollment-using-windows-provisioning-tool.md
+      - links:
+          - text: Manage Copilot in Windows
+            url: manage-windows-copilot.md
+        linkListType: how-to-guide
+      - links:
+          - text: Welcome overview
+            url: https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0
+          - text: Your data and privacy
+            url: https://support.microsoft.com/windows/privacy-in-windows-copilot-3e265e82-fc76-4d0a-afc0-4a0de528b73a
+        linkListType: overview
 
-  # Card (optional)
   - title: Configuration service provider reference
     linkLists:
       - linkListType: overview
@@ -82,8 +77,36 @@ landingContent:
           - text: Policy CSP - Update
             url: mdm/policy-csp-update.md
 
+  - title: Device enrollment
+    linkLists:
+      - linkListType: overview
+        links:
+          - text: Mobile device enrollment
+            url: mobile-device-enrollment.md
+      - linkListType: concept
+        links:
+          - text: Enroll Windows devices
+            url: mdm-enrollment-of-windows-devices.md
+          - text: Automatic enrollment using Microsoft Entra ID
+            url: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+          - text: Automatic enrollment using group policy
+            url: enroll-a-windows-10-device-automatically-using-group-policy.md
+          - text: Bulk enrollment
+            url: bulk-enrollment-using-windows-provisioning-tool.md
+
+  - title: Client management tools
+    linkLists:
+      - linkListType: learn
+        links:
+          - text: Windows Tools/Administrative Tools
+            url: client-tools/administrative-tools-in-windows.md
+          - text: Use Quick assist
+            url: client-tools/quick-assist.md
+          - text: Connect to Microsoft Entra devices
+            url: client-tools/connect-to-remote-aadj-pc.md
+          - text: Create mandatory user profiles
+            url: client-tools/mandatory-user-profile.md
 
-  # Card (optional)
   - title: Troubleshoot Windows clients
     linkLists:
       - linkListType: how-to-guide
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 5b432d5e1d..7129573f55 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -12,13 +12,6 @@ Use of personal devices for work, and employees working outside the office, may
 
 Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows faster.
 
-This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance.
-
-> [!VIDEO https://www.youtube.com/embed/g1rIcBhhxpA]
-
-> [!NOTE]
-> The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal)
-
 This article offers guidance on strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment. It covers [management options](#reviewing-the-management-options-for-windows) plus the four stages of the device lifecycle:
 
 - [Deployment and Provisioning](#deployment-and-provisioning)
@@ -32,7 +25,7 @@ Windows offers a range of management options, as shown in the following diagram:
 
 :::image type="content" source="images/windows-10-management-range-of-options.png" alt-text="Diagram of the path to modern IT." lightbox="images/windows-10-management-range-of-options.png":::
 
-As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, and Microsoft 365.
+As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Microsoft Entra ID, Azure Information Protection, and Microsoft 365.
 
 ## Deployment and provisioning
 
@@ -48,21 +41,21 @@ You have multiple options for [upgrading to Windows 10 and Windows 11](/windows/
 
 ## Identity and authentication
 
-You can use Windows and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
+You can use Windows and services like [Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
 
 You can envision user and device management as falling into these two categories:
 
 - **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows, your employees can self-provision their devices:
 
-  - For corporate devices, they can set up corporate access with [Azure AD join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
+  - For corporate devices, they can set up corporate access with [Microsoft Entra join](/azure/active-directory/devices/overview). When you offer them Microsoft Entra join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
 
-    Azure AD join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
+    Microsoft Entra join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
 
   - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.
 
 - **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises.
 
-  With Windows, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides:
+  With Windows, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Microsoft Entra ID](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Microsoft Entra ID. This registration provides:
 
   - Single sign-on to cloud and on-premises resources from everywhere
   - [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-enable)
@@ -72,7 +65,7 @@ You can envision user and device management as falling into these two categories
 
   Domain joined PCs and tablets can continue to be managed with [Configuration Manager](/mem/configmgr/core/understand/introduction) client or group policy.
 
-As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
+As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Microsoft Entra ID.
 
 :::image type="content" source="images/windows-10-management-cyod-byod-flow.png" alt-text="Diagram of decision tree for device authentication options." lightbox="images/windows-10-management-cyod-byod-flow.png":::
 
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md
new file mode 100644
index 0000000000..bc4adbca9d
--- /dev/null
+++ b/windows/client-management/manage-windows-copilot.md
@@ -0,0 +1,31 @@
+---
+title: Manage Copilot in Windows
+description: Learn how to manage Copilot in Windows using MDM and group policy.
+ms.topic: article
+ms.date: 10/16/2023
+appliesto:
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+---
+
+# Manage Copilot in Windows
+
+Windows is the first PC platform to provide centralized AI assistance for customers. Together, with Bing Chat, Copilot in Windows helps you bring your ideas to life, complete complex projects and collaborate instead of spending energy finding, launching and working across multiple applications.
+
+This article lists settings available to manage Copilot in Windows. To learn more about Copilot in Windows, see [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0).
+
+## Turn off Copilot in Windows
+
+This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot when it's available to them.
+
+|                  | Setting                                                                                                 |
+|------------------|---------------------------------------------------------------------------------------------------------|
+| **CSP**          | ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) |
+| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** |
+
+
+
+## Related articles
+
+- [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0)
+
+- [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/copilot-in-windows-your-data-and-privacy-3e265e82-fc76-4d0a-afc0-4a0de528b73a)
diff --git a/windows/client-management/mdm-diagnose-enrollment.md b/windows/client-management/mdm-diagnose-enrollment.md
index 08c2a6ed6b..c3dd757bb5 100644
--- a/windows/client-management/mdm-diagnose-enrollment.md
+++ b/windows/client-management/mdm-diagnose-enrollment.md
@@ -17,7 +17,7 @@ To ensure that the autoenrollment feature is working as expected, you must verif
 
    :::image type="content" alt-text="Screenshot of Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png":::
 
-1. Verify that autoenrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
+1. Verify that autoenrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Microsoft Entra ID and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
 
     ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png)
 
@@ -28,7 +28,7 @@ To ensure that the autoenrollment feature is working as expected, you must verif
 
 1. Verify that the device is running a [supported version of Windows](/windows/release-health/supported-versions-windows-client).
 
-1. Autoenrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line.
+1. Autoenrollment into Intune via Group Policy is valid only for devices that are Microsoft Entra hybrid joined. This condition means that the device must be joined into both local Active Directory and Microsoft Entra ID. To verify that the device is Microsoft Entra hybrid joined, run `dsregcmd /status` from the command line.
 
     You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**.
 
@@ -36,9 +36,9 @@ To ensure that the autoenrollment feature is working as expected, you must verif
 
     Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**.
 
-    ![Auto-enrollment Azure AD prt verification.](images/auto-enrollment-azureadprt-verification.png)
+    ![Auto-enrollment Microsoft Entra prt verification.](images/auto-enrollment-azureadprt-verification.png)
 
-    This information can also be found on the Azure AD device list.
+    This information can also be found on the Microsoft Entra device list.
 
 1. Verify that the MDM discovery URL during autoenrollment is `https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc`.
 
@@ -48,7 +48,7 @@ To ensure that the autoenrollment feature is working as expected, you must verif
 
    :::image type="content" alt-text="Screenshot of Mobility setting MDM Intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png":::
 
-1. When using group policy for enrollment, verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully.
+1. When using group policy for enrollment, verify that the *Enable Automatic MDM enrollment using default Microsoft Entra credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully.
 
 1. Verify that Microsoft Intune allows enrollment of Windows devices.
 
@@ -79,14 +79,14 @@ If you can't find event ID 75 in the logs, it indicates that the autoenrollment
 
 - The autoenrollment didn't trigger at all. In this case, you won't find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described here:
 
-   The autoenrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot:
+   The autoenrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Microsoft Entra credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot:
 
    :::image type="content" alt-text="Screenshot of Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png":::
 
    > [!NOTE]
    > This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task.
 
-   This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs: **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Azure Active Directory is triggered by event ID 107.
+   This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs: **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID is triggered by event ID 107.
 
    :::image type="content" alt-text="Screenshot of Event ID 107." source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png":::
 
@@ -96,7 +96,7 @@ If you can't find event ID 75 in the logs, it indicates that the autoenrollment
 
    The task scheduler log displays event ID 102 (task completed) regardless of the autoenrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the autoenrollment task is triggered or not. It doesn't indicate the success or failure of autoenrollment.
 
-   If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Azure AD is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required.
+   If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required.
    One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
 
    :::image type="content" alt-text="Screenshot of Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png":::
diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md
index 9c772124fe..ef09eea68f 100644
--- a/windows/client-management/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm-enrollment-of-windows-devices.md
@@ -17,16 +17,18 @@ In today's cloud-first world, enterprise IT departments increasingly want to let
 
 ## Connect corporate-owned Windows devices
 
-You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows doesn't require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain.
+You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to a Microsoft Entra domain. Windows doesn't require a personal Microsoft account on devices joined to Microsoft Entra ID or an on-premises Active Directory domain.
 
-![active directory azure ad signin.](images/unifiedenrollment-rs1-1.png)
+![active directory Microsoft Entra sign-in.](images/unifiedenrollment-rs1-1.png)
 
 > [!NOTE]
 > For devices joined to on-premises Active Directory, see [Group policy enrollment](enroll-a-windows-10-device-automatically-using-group-policy.md).
 
-### Connect your device to an Azure AD domain (join Azure AD)
+<a name='connect-your-device-to-an-azure-ad-domain-join-azure-ad'></a>
 
-All Windows devices can be connected to an Azure AD domain. These devices can be connected during OOBE. Additionally, desktop devices can be connected to an Azure AD domain using the Settings app.
+### Connect your device to a Microsoft Entra domain (join Microsoft Entra ID)
+
+All Windows devices can be connected to a Microsoft Entra domain. These devices can be connected during OOBE. Additionally, desktop devices can be connected to a Microsoft Entra domain using the Settings app.
 
 #### Out-of-box-experience
 
@@ -36,19 +38,19 @@ To join a domain:
 
     ![oobe - local account creation](images/unifiedenrollment-rs1-11.png)
 
-1. Select **Join Azure AD**, and then select **Next.**
+1. Select **Join Microsoft Entra ID**, and then select **Next.**
 
-    ![choose the domain or azure ad](images/unifiedenrollment-rs1-12.png)
+    ![choose the domain or Microsoft Entra ID](images/unifiedenrollment-rs1-12.png)
 
-1. Type in your Azure AD username. This username is the email address you use to log into Microsoft Office 365 and similar services.
+1. Type in your Microsoft Entra username. This username is the email address you use to log into Microsoft Office 365 and similar services.
 
     If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you're able to enter your password directly on this page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication.
 
     Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
 
-    If your Azure AD tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). After you complete the flow, your device will be connected to your organization's Azure AD domain.
+    If your Microsoft Entra tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). After you complete the flow, your device will be connected to your organization's Microsoft Entra domain.
 
-    ![azure ad signin.](images/unifiedenrollment-rs1-13.png)
+    ![Microsoft Entra sign-in during OOBE.](images/unifiedenrollment-rs1-13.png)
 
 #### Use the Settings app
 
@@ -70,36 +72,38 @@ To create a local account and connect the device:
 
     ![Option of connect to work or school](images/unifiedenrollment-rs1-17.png)
 
-1. Under **Alternate Actions**, select **Join this device to Azure Active Directory**.
+1. Under **Alternate Actions**, select **Join this device to Microsoft Entra ID**.
 
-    ![option to join work or school account to azure ad](images/unifiedenrollment-rs1-18.png)
+    ![option to join work or school account to Microsoft Entra ID](images/unifiedenrollment-rs1-18.png)
 
-1. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services.
+1. Type in your Microsoft Entra username. This username is the email address you use to log into Office 365 and similar services.
 
-    ![azure ad sign in.](images/unifiedenrollment-rs1-19.png)
+    ![Microsoft Entra sign-in using Settings app.](images/unifiedenrollment-rs1-19.png)
 
     If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication.
 
     Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
 
-    If your Azure AD tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to connect your device to MDM.
+    If your Microsoft Entra tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to connect your device to MDM.
 
-    After you reach the end of the flow, your device should be connected to your organization's Azure AD domain. You may now sign out of your current account and sign in using your Azure AD username.
+    After you reach the end of the flow, your device should be connected to your organization's Microsoft Entra domain. You may now sign out of your current account and sign in using your Microsoft Entra username.
 
     ![corporate sign in screen](images/unifiedenrollment-rs1-20.png)
 
-#### Help with connecting to an Azure AD domain
+<a name='help-with-connecting-to-an-azure-ad-domain'></a>
 
-There are a few instances where your device can't be connected to an Azure AD domain.
+#### Help with connecting to a Microsoft Entra domain
+
+There are a few instances where your device can't be connected to a Microsoft Entra domain.
 
 | Connection issue | Description |
 |--|--|
-| Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. |
-| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. |
-| Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You can't connect to both simultaneously. |
-| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You must switch to an administrator account to continue. |
-| Your device is already managed by MDM. | The connect to Azure AD flow attempts to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. |
-| Your device is running Home edition. | This feature isn't available on Windows Home edition, so you can't connect to an Azure AD domain. You must upgrade to Pro, Enterprise, or Education edition to continue. |
+| Your device is connected to a Microsoft Entra domain. | Your device can only be connected to a single Microsoft Entra domain at a time. |
+| Your device is already connected to an Active Directory domain. | Your device can either be connected to a Microsoft Entra domain or an Active Directory domain. You can't connect to both simultaneously. |
+| Your device already has a user connected to a work account. | You can either connect to a Microsoft Entra domain or connect to a work or school account. You can't connect to both simultaneously. |
+| You're logged in as a standard user. | Your device can only be connected to a Microsoft Entra domain if you're logged in as an administrative user. You must switch to an administrator account to continue. |
+| Your device is already managed by MDM. | The connect to Microsoft Entra ID flow attempts to enroll your device into MDM if your Microsoft Entra tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Microsoft Entra ID in this case. |
+| Your device is running Home edition. | This feature isn't available on Windows Home edition, so you can't connect to a Microsoft Entra domain. You must upgrade to Pro, Enterprise, or Education edition to continue. |
 
 ## Connect personally owned devices
 
@@ -107,7 +111,9 @@ Personally owned devices, also known as bring your own device (BYOD), can be con
 
 All Windows devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps, such as the universal Office apps.
 
-### Register device in Azure AD and enroll in MDM
+<a name='register-device-in-azure-ad-and-enroll-in-mdm'></a>
+
+### Register device in Microsoft Entra ID and enroll in MDM
 
 To create a local account and connect the device:
 
@@ -123,15 +129,15 @@ To create a local account and connect the device:
 
     ![connect button to access the option of work or school.](images/unifiedenrollment-rs1-24-b.png)
 
-1. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services.
+1. Type in your Microsoft Entra username. This username is the email address you use to log into Office 365 and similar services.
 
-    ![sync work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png)
+    ![sync work or school account to Azure AD.](images/unifiedenrollment-rs1-25-b.png)
 
 1. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication.
 
     Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
 
-    If your Azure AD tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only).
+    If your Microsoft Entra tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only).
 
     You can see the status page that shows the progress of your device being set up.
 
@@ -147,8 +153,8 @@ There are a few instances where your device may not be able to connect to work.
 
 | Error Message | Description |
 |--|--|
-| Your device is already connected to your organization's cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. |
-| We couldn't find your identity in your organization's cloud. | The username you entered wasn't found on your Azure AD tenant. |
+| Your device is already connected to your organization's cloud. | Your device is already connected to either Microsoft Entra ID, a work or school account, or an AD domain. |
+| We couldn't find your identity in your organization's cloud. | The username you entered wasn't found on your Microsoft Entra tenant. |
 | Your device is already being managed by an organization. | Your device is either already managed by MDM or Microsoft Configuration Manager. |
 | You don't have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. |
 | We couldn't autodiscover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. |
@@ -195,7 +201,7 @@ The deep link used for connecting your device to work uses the following format.
 
 | Parameter | Description | Supported Value for Windows |
 |--|--|--|
-| mode | Describes which mode is executed in the enrollment app. | Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory-joined. |
+| mode | Describes which mode is executed in the enrollment app. | Mobile Device Management (MDM), Adding Work Account (AWA), and Microsoft Entra joined. |
 | username | Specifies the email address or UPN of the user who should be enrolled into MDM. | string |
 | servername | Specifies the MDM server URL that is used to enroll the device. | string |
 | accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used as a token to validate the enrollment request. | string |
@@ -248,7 +254,7 @@ To manage your work or school connections, select **Settings** > **Accounts** >
 
 The **Info** button can be found on work or school connections involving MDM. This button is included in the following scenarios:
 
-- Connecting your device to an Azure AD domain that has autoenroll into MDM configured.
+- Connecting your device to a Microsoft Entra domain that has autoenroll into MDM configured.
 - Connecting your device to a work or school account that has autoenroll into MDM configured.
 - Connecting your device to MDM.
 
@@ -263,7 +269,7 @@ Selecting the **Info** button shows a list of policies and line-of-business apps
 The **Disconnect** button can be found on all work connections. Generally, selecting the **Disconnect** button removes the connection from the device. There are a few exceptions to this functionality:
 
 - Devices that enforce the AllowManualMDMUnenrollment policy don't allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command.
-- On mobile devices, you can't disconnect from Azure AD. These connections can only be removed by wiping the device.
+- On mobile devices, you can't disconnect from Microsoft Entra ID. These connections can only be removed by wiping the device.
 
 > [!WARNING]
 > Disconnecting might result in the loss of data on the device.
diff --git a/windows/client-management/mdm-known-issues.md b/windows/client-management/mdm-known-issues.md
index 7676911fc4..3b715665e0 100644
--- a/windows/client-management/mdm-known-issues.md
+++ b/windows/client-management/mdm-known-issues.md
@@ -33,7 +33,7 @@ When the Windows device is configured to use a proxy that requires authenticatio
 
 Server-initiated unenrollment for a device enrolled by adding a work account silently fails to leave the MDM account active. MDM policies and resources are still in place and the client can continue to sync with the server.
 
-Remote server unenrollment is disabled for mobile devices enrolled via Azure Active Directory Join. It returns an error message to the server. The only way to remove enrollment for a mobile device that is Azure AD joined is by remotely wiping the device.
+Remote server unenrollment is disabled for mobile devices enrolled via Microsoft Entra join. It returns an error message to the server. The only way to remove enrollment for a mobile device that is Microsoft Entra joined is by remotely wiping the device.
 
 ## Certificates causing issues with Wi-Fi and VPN
 
@@ -222,9 +222,11 @@ Alternatively you can use the following procedure to create an EAP Configuration
 
 After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary.
 
-## User provisioning failure in Azure Active Directory-joined devices
+<a name='user-provisioning-failure-in-azure-active-directory-joined-devices'></a>
 
-For Azure AD joined devices, provisioning `.\User` resources fails when the user isn't logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** &gt; **System** &gt; **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design.
+## User provisioning failure in Microsoft Entra joined devices
+
+For Microsoft Entra joined devices, provisioning `.\User` resources fails when the user isn't logged in as a Microsoft Entra user. If you attempt to join Microsoft Entra ID from **Settings** &gt; **System** &gt; **About** user interface, ensure to sign out and sign in with Microsoft Entra credentials to get your organizational configuration from your MDM server. This behavior is by design.
 
 ## Requirements to note for VPN certificates also used for Kerberos Authentication
 
diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md
index ceca839aaa..4777c1d28c 100644
--- a/windows/client-management/mdm-overview.md
+++ b/windows/client-management/mdm-overview.md
@@ -31,7 +31,7 @@ Microsoft provides MDM security baselines that function like the Microsoft group
 
 The MDM security baseline includes policies that cover the following areas:
 
-- Microsoft inbox security technologies (not deprecated) such as BitLocker, Windows Defender SmartScreen, Exploit Guard, Microsoft Defender Antivirus, and Firewall
+- Microsoft inbox security technologies (not deprecated) such as **BitLocker, Windows Defender SmartScreen, Exploit Guard, Microsoft Defender Antivirus,** and **Firewall**
 - Restricting remote access to devices
 - Setting credential requirements for passwords and PINs
 - Restricting use of legacy technology
@@ -56,16 +56,18 @@ For information about the MDM policies defined in the Intune security baseline,
 
 No. Only one MDM is allowed.
 
-### How do I set the maximum number of Azure Active Directory-joined devices per user?
+<a name='how-do-i-set-the-maximum-number-of-azure-active-directory-joined-devices-per-user'></a>
+
+### How do I set the maximum number of Microsoft Entra joined devices per user?
 
 1. Sign in to the portal as tenant admin: <https://portal.azure.com>.
-1. Navigate to **Azure AD**, then **Devices**, and then select **Device Settings**.
+1. Navigate to **Microsoft Entra ID**, then **Devices**, and then select **Device Settings**.
 1. Change the number under **Maximum number of devices per user**.
 
 ### What is dmwappushsvc?
 
 | Entry | Description |
 | --------------- | -------------------- |
-| What is dmwappushsvc? | It's a Windows service that ships in Windows operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
-| What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry. |
-| How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and  required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service causes your management to fail. |
+| What is dmwappushsvc? | It's a Windows service that ships in the Windows operating system as a part of the Windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
+| What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and is involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry. |
+| How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and  is required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service causes your management to fail. |
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index 9e3a505d95..86ff222dcc 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -46,7 +46,7 @@ Root node.
 Interior node for the account domain information.
 
 <a href="" id="domain-computername"></a>**Domain/ComputerName**
-This node specifies the DNS hostname for a device. This setting can be managed remotely, but this remote management isn't supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters.
+This node specifies the DNS hostname for a device. This setting can be managed remotely, but this remote management isn't supported for devices hybrid joined to Microsoft Entra ID and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters.
 
 Available naming macros:
 
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index f5d9653eed..3d54daff21 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the BitLocker CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/23/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -236,7 +236,7 @@ The expected values for this policy are:
 
 1 = This is the default, when the policy isn't set. Warning prompt and encryption notification is allowed.
 
-0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, the value 0 only takes effect on Azure Active Directory joined devices.
+0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, the value 0 only takes effect on Microsoft Entra joined devices.
 
 Windows will attempt to silently enable BitLocker for value 0.
 <!-- Device-AllowWarningForOtherDiskEncryption-Description-End -->
@@ -244,12 +244,12 @@ Windows will attempt to silently enable BitLocker for value 0.
 <!-- Device-AllowWarningForOtherDiskEncryption-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
-> When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.
+> When you disable the warning prompt, the OS drive's recovery key will back up to the user's Microsoft Entra account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.
 >
 > The endpoint for a fixed data drive's backup is chosen in the following order:
 >
 > 1. The user's Windows Server Active Directory Domain Services account.
-> 2. The user's Azure Active Directory account.
+> 2. The user's Microsoft Entra account.
 > 3. The user's personal OneDrive (MDM/MAM only).
 >
 > Encryption will wait until one of these three locations backs up successfully.
@@ -270,7 +270,7 @@ Windows will attempt to silently enable BitLocker for value 0.
 
 | Value | Description |
 |:--|:--|
-| 0 | Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. |
+| 0 | Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Microsoft Entra joined devices. Windows will attempt to silently enable BitLocker for value 0. |
 | 1 (Default) | Warning prompt allowed. |
 <!-- Device-AllowWarningForOtherDiskEncryption-AllowedValues-End -->
 
@@ -312,9 +312,9 @@ Windows will attempt to silently enable BitLocker for value 0.
 
 <!-- Device-ConfigureRecoveryPasswordRotation-Description-Begin -->
 <!-- Description-Source-DDF -->
-Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices.
+Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Microsoft Entra ID and hybrid domain joined devices.
 
-When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required.
+When not configured, Rotation is turned on by default for Microsoft Entra ID only and off on hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required.
 
 For OS drive: Turn on "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives".
 
@@ -322,8 +322,8 @@ For Fixed drives: Turn on "Do not enable BitLocker until recovery information is
 
 Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
 
-1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value
-2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices.
+1 - Numeric Recovery Passwords Rotation upon use ON for Microsoft Entra joined devices. Default value
+2 - Numeric Recovery Passwords Rotation upon use ON for both Microsoft Entra ID and hybrid devices.
 <!-- Device-ConfigureRecoveryPasswordRotation-Description-End -->
 
 <!-- Device-ConfigureRecoveryPasswordRotation-Editable-Begin -->
@@ -346,8 +346,8 @@ Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
 | Value | Description |
 |:--|:--|
 | 0 (Default) | Refresh off (default). |
-| 1 | Refresh on for Azure AD-joined devices. |
-| 2 | Refresh on for both Azure AD-joined and hybrid-joined devices. |
+| 1 | Refresh on for Microsoft Entra joined devices. |
+| 2 | Refresh on for both Microsoft Entra joined and hybrid-joined devices. |
 <!-- Device-ConfigureRecoveryPasswordRotation-AllowedValues-End -->
 
 <!-- Device-ConfigureRecoveryPasswordRotation-Examples-Begin -->
@@ -1269,7 +1269,7 @@ Disabling the policy won't turn off the encryption on the storage card. But will
 
 <!-- Device-RotateRecoveryPasswords-Description-Begin -->
 <!-- Description-Source-DDF -->
-Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device.
+Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on a Microsoft Entra ID or hybrid-joined device.
 
 This policy is Execute type and rotates all numeric passwords when issued from MDM tools.
 
@@ -1401,7 +1401,7 @@ This value represents a bitmask with each bit and the corresponding error code d
 | 8 |Recovery key backup failed.|
 | 9 |A fixed drive is unprotected.|
 | 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.|
-| 11 |To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.|
+| 11 |To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or if the device is joined to Microsoft Entra ID, the AllowStandardUserEncryption policy must be set to 1.|
 | 12 |Windows Recovery Environment (WinRE) isn't configured.|
 | 13 |A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. |
 | 14 |The TPM isn't ready for BitLocker.|
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index 48a1d87c37..a1936f909b 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the ClientCertificateInstall CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -165,7 +165,7 @@ Required for PFX certificate installation. A unique ID to differentiate differen
 
 Format is node.
 
-Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob.
+Calling Delete on this node, should delete the certificates and the keys that were installed by the corresponding PFX blob.
 <!-- Device-PFXCertInstall-{UniqueID}-Description-End -->
 
 <!-- Device-PFXCertInstall-{UniqueID}-Editable-Begin -->
@@ -385,7 +385,7 @@ Password that protects the PFX blob. This is required if the PFX is password pro
 <!-- Description-Source-DDF -->
 Optional.
 
-When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored.
+When a value of "2" is contained in PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored.
 <!-- Device-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-Description-End -->
 
 <!-- Device-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-Editable-Begin -->
@@ -653,7 +653,7 @@ Node for SCEP. An alert is sent after the SCEP certificate is installed.
 <!-- Description-Source-DDF -->
 Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests.
 
-Calling Delete on the this node, should delete the corresponding SCEP certificate.
+Calling Delete on this node, should delete the corresponding SCEP certificate.
 <!-- Device-SCEP-{UniqueID}-Description-End -->
 
 <!-- Device-SCEP-{UniqueID}-Editable-Begin -->
@@ -813,7 +813,7 @@ Required for SCEP certificate enrollment. Parent node to group SCEP cert install
 
 <!-- Device-SCEP-{UniqueID}-Install-AADKeyIdentifierList-Description-Begin -->
 <!-- Description-Source-DDF -->
-Optional. Specify the AAD Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.
+Optional. Specify the Microsoft Entra ID Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the Microsoft Entra ID Key present on the device. If no match is found, enrollment will fail.
 <!-- Device-SCEP-{UniqueID}-Install-AADKeyIdentifierList-Description-End -->
 
 <!-- Device-SCEP-{UniqueID}-Install-AADKeyIdentifierList-Editable-Begin -->
@@ -1274,7 +1274,7 @@ Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for
 
 <!-- Device-SCEP-{UniqueID}-Install-RetryCount-Description-Begin -->
 <!-- Description-Source-DDF -->
-Optional. Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value can't be larger than 30. If it's larger than 30, the device will use 30.
+Optional. Special to SCEP. Specify device retry times when the SCEP server sends pending status. Format is int. Default value is 3. Max value: the value can't be larger than 30. If it's larger than 30, the device will use 30.
 
 The min value is 0 which means no retry.
 <!-- Device-SCEP-{UniqueID}-Install-RetryCount-Description-End -->
@@ -1741,7 +1741,7 @@ Required for PFX certificate installation. A unique ID to differentiate differen
 
 Format is node.
 
-Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob.
+Calling Delete on this node, should delete the certificates and the keys that were installed by the corresponding PFX blob.
 <!-- User-PFXCertInstall-{UniqueID}-Description-End -->
 
 <!-- User-PFXCertInstall-{UniqueID}-Editable-Begin -->
@@ -1961,7 +1961,7 @@ Password that protects the PFX blob. This is required if the PFX is password pro
 <!-- Description-Source-DDF -->
 Optional.
 
-When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored.
+When a value of "2" is contained in PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored.
 <!-- User-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-Description-End -->
 
 <!-- User-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-Editable-Begin -->
@@ -2227,7 +2227,7 @@ Node for SCEP. An alert is sent after the SCEP certificate is installed.
 <!-- Description-Source-DDF -->
 Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests.
 
-Calling Delete on the this node, should delete the corresponding SCEP certificate.
+Calling Delete on this node, should delete the corresponding SCEP certificate.
 <!-- User-SCEP-{UniqueID}-Description-End -->
 
 <!-- User-SCEP-{UniqueID}-Editable-Begin -->
@@ -2387,7 +2387,7 @@ Required for SCEP certificate enrollment. Parent node to group SCEP cert install
 
 <!-- User-SCEP-{UniqueID}-Install-AADKeyIdentifierList-Description-Begin -->
 <!-- Description-Source-DDF -->
-Optional. Specify the AAD Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.
+Optional. Specify the Microsoft Entra ID Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the Microsoft Entra ID Key present on the device. If no match is found, enrollment will fail.
 <!-- User-SCEP-{UniqueID}-Install-AADKeyIdentifierList-Description-End -->
 
 <!-- User-SCEP-{UniqueID}-Install-AADKeyIdentifierList-Editable-Begin -->
@@ -2848,7 +2848,7 @@ Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for
 
 <!-- User-SCEP-{UniqueID}-Install-RetryCount-Description-Begin -->
 <!-- Description-Source-DDF -->
-Optional. Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value can't be larger than 30. If it's larger than 30, the device will use 30.
+Optional. Special to SCEP. Specify device retry times when the SCEP server sends pending status. Format is int. Default value is 3. Max value: the value can't be larger than 30. If it's larger than 30, the device will use 30.
 
 The min value is 0 which means no retry.
 <!-- User-SCEP-{UniqueID}-Install-RetryCount-Description-End -->
diff --git a/windows/client-management/mdm/clouddesktop-csp.md b/windows/client-management/mdm/clouddesktop-csp.md
index 050f915ba6..81b438b379 100644
--- a/windows/client-management/mdm/clouddesktop-csp.md
+++ b/windows/client-management/mdm/clouddesktop-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the CloudDesktop CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/23/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -46,7 +46,7 @@ The following list shows the CloudDesktop configuration service provider nodes:
 
 <!-- Device-EnableBootToCloudSharedPCMode-Description-Begin -->
 <!-- Description-Source-DDF -->
-Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. For enabling boot to cloud shared pc feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned.
+Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. For enabling Boot to Cloud Shared PC feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned.
 <!-- Device-EnableBootToCloudSharedPCMode-Description-End -->
 
 <!-- Device-EnableBootToCloudSharedPCMode-Editable-Begin -->
diff --git a/windows/client-management/mdm/configuration-service-provider-ddf.md b/windows/client-management/mdm/configuration-service-provider-ddf.md
index 121ac1c046..ad995b441b 100644
--- a/windows/client-management/mdm/configuration-service-provider-ddf.md
+++ b/windows/client-management/mdm/configuration-service-provider-ddf.md
@@ -20,7 +20,7 @@ This article lists the OMA DM device description framework (DDF) files for vario
 
 As of December 2022, DDF XML schema was updated to include additional information such as OS build applicability. DDF v2 XML files for Windows 10 and Windows 11 are combined, and provided in a single download:
 
-- [DDF v2 Files, December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip)
+- [DDF v2 Files, September 2023](https://download.microsoft.com/download/0/e/c/0ec027e5-8971-49a2-9230-ec9352bc3ead/DDFv2September2023.zip)
 
 ## DDF v2 schema
 
@@ -582,6 +582,7 @@ DDF v2 XML schema definition is listed below along with the schema definition fo
 
 You can download the older DDF files for various CSPs from the links below:
 
+- [Download all the DDF files for Windows 10 and 11 December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip)
 - [Download all the DDF files for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/Windows10_2004_DDF_download.zip)
 - [Download all the DDF files for Windows 10, version 1903](https://download.microsoft.com/download/6/F/0/6F019079-6EB0-41B5-88E8-D1CE77DBA27B/Windows10_1903_DDF_download.zip)
 - [Download all the DDF files for Windows 10, version 1809](https://download.microsoft.com/download/6/A/7/6A735141-5CFA-4C1B-94F4-B292407AF662/Windows10_1809_DDF_download.zip)
diff --git a/windows/client-management/mdm/declaredconfiguration-csp.md b/windows/client-management/mdm/declaredconfiguration-csp.md
new file mode 100644
index 0000000000..ac422bfdcc
--- /dev/null
+++ b/windows/client-management/mdm/declaredconfiguration-csp.md
@@ -0,0 +1,1049 @@
+---
+title: DeclaredConfiguration CSP
+description: Learn more about the DeclaredConfiguration CSP.
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 09/27/2023
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+<!-- DeclaredConfiguration-Begin -->
+# DeclaredConfiguration CSP
+
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
+<!-- DeclaredConfiguration-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+The primary MDM model is one where the MDM server is solely responsible for orchestration and continuous maintenance of the state of the device for configuration scenarios. This behavior results in intensive network traffic and high network latency due to the synchronous configuration model based on the OMA-DM Syncml standard. It's also error-prone given that the server needs deep knowledge of the client.
+
+The declared configuration device management model requires the server to deliver all the setting values to the device for the scenario configuration. The server sends them asynchronously in batches through the client declared configuration CSP.
+
+- During the client-initiated OMA-DM session, the declared configuration server sends a configuration or an inventory declared configuration document to the client through the [Declared Configuration CSP URI](#declared-configuration-oma-uri). If the device verifies the syntax of the document is correct, the client stack pushes the request to its orchestrator to process the request asynchronously. The client stack then exits, and returns control back to the declared configuration service. This behavior allows the device to asynchronously process the request.
+
+- On the client, if there are any requests in process or completed, it sends a [generic alert](#declared-configuration-generic-alert) to the server. This alert summarizes each document's status, state, and progress. Every client HTTPS request to the declared configuration OMA-DM server includes this summary.
+
+- The declared configuration server uses the generic alert to determine which requests are completed successfully or with errors. The server can then synchronously retrieve the declared configuration document process results through the [Declared Configuration CSP URI](#declared-configuration-oma-uri).
+<!-- DeclaredConfiguration-Editable-End -->
+
+<!-- DeclaredConfiguration-Tree-Begin -->
+The following list shows the DeclaredConfiguration configuration service provider nodes:
+
+- ./Device/Vendor/MSFT/DeclaredConfiguration
+  - [Host](#host)
+    - [Complete](#hostcomplete)
+      - [Documents](#hostcompletedocuments)
+        - [{DocID}](#hostcompletedocumentsdocid)
+          - [Document](#hostcompletedocumentsdociddocument)
+          - [Properties](#hostcompletedocumentsdocidproperties)
+            - [Abandoned](#hostcompletedocumentsdocidpropertiesabandoned)
+      - [Results](#hostcompleteresults)
+        - [{DocID}](#hostcompleteresultsdocid)
+          - [Document](#hostcompleteresultsdociddocument)
+    - [Inventory](#hostinventory)
+      - [Documents](#hostinventorydocuments)
+        - [{DocID}](#hostinventorydocumentsdocid)
+          - [Document](#hostinventorydocumentsdociddocument)
+      - [Results](#hostinventoryresults)
+        - [{DocID}](#hostinventoryresultsdocid)
+          - [Document](#hostinventoryresultsdociddocument)
+<!-- DeclaredConfiguration-Tree-End -->
+
+<!-- Device-Host-Begin -->
+## Host
+
+<!-- Device-Host-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Applicability-End -->
+
+<!-- Device-Host-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host
+```
+<!-- Device-Host-OmaUri-End -->
+
+<!-- Device-Host-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Host internal node indicates that the target of the configuration request or inventory request is the host OS. This node is for scope in case enclaves are ever targeted for configuration.
+<!-- Device-Host-Description-End -->
+
+<!-- Device-Host-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Editable-End -->
+
+<!-- Device-Host-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+<!-- Device-Host-DFProperties-End -->
+
+<!-- Device-Host-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Examples-End -->
+
+<!-- Device-Host-End -->
+
+<!-- Device-Host-Complete-Begin -->
+### Host/Complete
+
+<!-- Device-Host-Complete-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Complete-Applicability-End -->
+
+<!-- Device-Host-Complete-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete
+```
+<!-- Device-Host-Complete-OmaUri-End -->
+
+<!-- Device-Host-Complete-Description-Begin -->
+<!-- Description-Source-DDF -->
+This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that don't contain placeholders that the need to be resolved later with additional data. The request is ready to be processed as is.
+<!-- Device-Host-Complete-Description-End -->
+
+<!-- Device-Host-Complete-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+The server to client flow of the **Complete** request is the same as an **Inventory** request.
+<!-- Device-Host-Complete-Editable-End -->
+
+<!-- Device-Host-Complete-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+<!-- Device-Host-Complete-DFProperties-End -->
+
+<!-- Device-Host-Complete-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Examples-End -->
+
+<!-- Device-Host-Complete-End -->
+
+<!-- Device-Host-Complete-Documents-Begin -->
+#### Host/Complete/Documents
+
+<!-- Device-Host-Complete-Documents-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Complete-Documents-Applicability-End -->
+
+<!-- Device-Host-Complete-Documents-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents
+```
+<!-- Device-Host-Complete-Documents-OmaUri-End -->
+
+<!-- Device-Host-Complete-Documents-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Documents node indicates that the configuration is in the form of a document, which is a collection of settings used to configure a scenario by the Declared Configuration stack.
+<!-- Device-Host-Complete-Documents-Description-End -->
+
+<!-- Device-Host-Complete-Documents-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-Editable-End -->
+
+<!-- Device-Host-Complete-Documents-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+<!-- Device-Host-Complete-Documents-DFProperties-End -->
+
+<!-- Device-Host-Complete-Documents-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-Examples-End -->
+
+<!-- Device-Host-Complete-Documents-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Begin -->
+##### Host/Complete/Documents/{DocID}
+
+<!-- Device-Host-Complete-Documents-{DocID}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Complete-Documents-{DocID}-Applicability-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/{DocID}
+```
+<!-- Device-Host-Complete-Documents-{DocID}-OmaUri-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Description-Begin -->
+<!-- Description-Source-DDF -->
+Uniquely identifies the configuration document. No other document can have this id. The Id should be a GUID.
+<!-- Device-Host-Complete-Documents-{DocID}-Description-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-{DocID}-Editable-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+| Allowed Values | Regular Expression: `[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}` |
+<!-- Device-Host-Complete-Documents-{DocID}-DFProperties-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-{DocID}-Examples-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Document-Begin -->
+###### Host/Complete/Documents/{DocID}/Document
+
+<!-- Device-Host-Complete-Documents-{DocID}-Document-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Complete-Documents-{DocID}-Document-Applicability-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Document-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/{DocID}/Document
+```
+<!-- Device-Host-Complete-Documents-{DocID}-Document-OmaUri-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Document-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Document node's value is an XML based document containing a collection of settings and values to configure the specified scenario. The Declared Configuration stack verifies the syntax of the document, the stack marks the document to be processed asynchronously by the client. The stack then returns control back to the OMA-DM service. The stack, in turn, asynchronously processes the request. Below is an example of a specified desired state configuration using the Declared Configuration URI ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68. B9-4320-9. FC4-296. F6FDFAFE2/Document.
+<!-- Device-Host-Complete-Documents-{DocID}-Document-Description-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Document-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-{DocID}-Document-Editable-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Document-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Host-Complete-Documents-{DocID}-Document-DFProperties-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Document-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-{DocID}-Document-Examples-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Document-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Begin -->
+###### Host/Complete/Documents/{DocID}/Properties
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Applicability-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/{DocID}/Properties
+```
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-OmaUri-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Properties node encapsulates the list of properties that apply to the specified document referenced by [DocID].
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Description-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Editable-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-DFProperties-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Examples-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-Begin -->
+###### Host/Complete/Documents/{DocID}/Properties/Abandoned
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-Applicability-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/{DocID}/Properties/Abandoned
+```
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-OmaUri-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Abandoned node allows the OMA-DM server to indicate that the document is no longer managed.
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-Description-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-Editable-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-DFProperties-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | The document is no longer managed. |
+| 1 | The document is managed. |
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-AllowedValues-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-Examples-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-End -->
+
+<!-- Device-Host-Complete-Results-Begin -->
+#### Host/Complete/Results
+
+<!-- Device-Host-Complete-Results-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Complete-Results-Applicability-End -->
+
+<!-- Device-Host-Complete-Results-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results
+```
+<!-- Device-Host-Complete-Results-OmaUri-End -->
+
+<!-- Device-Host-Complete-Results-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Results node indicates that this is part of the URI path that will return an XML document containing the results of the configuration request.
+<!-- Device-Host-Complete-Results-Description-End -->
+
+<!-- Device-Host-Complete-Results-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Results-Editable-End -->
+
+<!-- Device-Host-Complete-Results-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+<!-- Device-Host-Complete-Results-DFProperties-End -->
+
+<!-- Device-Host-Complete-Results-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Results-Examples-End -->
+
+<!-- Device-Host-Complete-Results-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Begin -->
+##### Host/Complete/Results/{DocID}
+
+<!-- Device-Host-Complete-Results-{DocID}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Complete-Results-{DocID}-Applicability-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results/{DocID}
+```
+<!-- Device-Host-Complete-Results-{DocID}-OmaUri-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Description-Begin -->
+<!-- Description-Source-DDF -->
+Uniquely identifies the configuration document in which results of the configuration request will be returned.
+<!-- Device-Host-Complete-Results-{DocID}-Description-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Results-{DocID}-Editable-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+| Dynamic Node Naming | ClientInventory |
+<!-- Device-Host-Complete-Results-{DocID}-DFProperties-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Results-{DocID}-Examples-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Document-Begin -->
+###### Host/Complete/Results/{DocID}/Document
+
+<!-- Device-Host-Complete-Results-{DocID}-Document-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Complete-Results-{DocID}-Document-Applicability-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Document-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results/{DocID}/Document
+```
+<!-- Device-Host-Complete-Results-{DocID}-Document-OmaUri-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Document-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Document node's value is an XML based document containing a collection of setting results from the configuration request specified by [DocId].
+<!-- Device-Host-Complete-Results-{DocID}-Document-Description-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Document-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Results-{DocID}-Document-Editable-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Document-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Get |
+<!-- Device-Host-Complete-Results-{DocID}-Document-DFProperties-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Document-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Results-{DocID}-Document-Examples-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Document-End -->
+
+<!-- Device-Host-Inventory-Begin -->
+### Host/Inventory
+
+<!-- Device-Host-Inventory-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Inventory-Applicability-End -->
+
+<!-- Device-Host-Inventory-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory
+```
+<!-- Device-Host-Inventory-OmaUri-End -->
+
+<!-- Device-Host-Inventory-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Inventory internal node indicates that this is an inventory request. The setting values to be retrieved are specified in an XML document through the Document leaf node.
+<!-- Device-Host-Inventory-Description-End -->
+
+<!-- Device-Host-Inventory-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+The server to client flow of the **Inventory** request is the same as the **Complete** request.
+<!-- Device-Host-Inventory-Editable-End -->
+
+<!-- Device-Host-Inventory-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+<!-- Device-Host-Inventory-DFProperties-End -->
+
+<!-- Device-Host-Inventory-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Examples-End -->
+
+<!-- Device-Host-Inventory-End -->
+
+<!-- Device-Host-Inventory-Documents-Begin -->
+#### Host/Inventory/Documents
+
+<!-- Device-Host-Inventory-Documents-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Inventory-Documents-Applicability-End -->
+
+<!-- Device-Host-Inventory-Documents-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents
+```
+<!-- Device-Host-Inventory-Documents-OmaUri-End -->
+
+<!-- Device-Host-Inventory-Documents-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Documents node indicates that the inventory request is in the form of a document, which is a collection of settings used to retrieve their values.
+<!-- Device-Host-Inventory-Documents-Description-End -->
+
+<!-- Device-Host-Inventory-Documents-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Documents-Editable-End -->
+
+<!-- Device-Host-Inventory-Documents-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+<!-- Device-Host-Inventory-Documents-DFProperties-End -->
+
+<!-- Device-Host-Inventory-Documents-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Documents-Examples-End -->
+
+<!-- Device-Host-Inventory-Documents-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Begin -->
+##### Host/Inventory/Documents/{DocID}
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Inventory-Documents-{DocID}-Applicability-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/{DocID}
+```
+<!-- Device-Host-Inventory-Documents-{DocID}-OmaUri-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Description-Begin -->
+<!-- Description-Source-DDF -->
+Uniquely identifies the inventory document. No other document can have this id. The Id should be a GUID.
+<!-- Device-Host-Inventory-Documents-{DocID}-Description-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Documents-{DocID}-Editable-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+| Allowed Values | Regular Expression: `[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}` |
+<!-- Device-Host-Inventory-Documents-{DocID}-DFProperties-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Documents-{DocID}-Examples-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-Begin -->
+###### Host/Inventory/Documents/{DocID}/Document
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-Applicability-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/{DocID}/Document
+```
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-OmaUri-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Document node's value is an XML based document containing a collection of settings that will be used to retrieve their values. The Declared Configuration stack verifies the syntax of the document, the stack marks the document to be processed asynchronously by the client. The stack then returns control back to the OMA-DM service. The stack, in turn, asynchronously processes the request. Below is an example of a specified desired state configuration using the Declared Configuration URI ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/27FEA311-68. B9-4320-9. FC4-296. F6FDFAFE2/Document.
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-Description-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-Editable-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-DFProperties-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-Examples-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-End -->
+
+<!-- Device-Host-Inventory-Results-Begin -->
+#### Host/Inventory/Results
+
+<!-- Device-Host-Inventory-Results-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Inventory-Results-Applicability-End -->
+
+<!-- Device-Host-Inventory-Results-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Results
+```
+<!-- Device-Host-Inventory-Results-OmaUri-End -->
+
+<!-- Device-Host-Inventory-Results-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Results node indicates that this is part of the URI path that will return an XML document containing the results of the inventory request.
+<!-- Device-Host-Inventory-Results-Description-End -->
+
+<!-- Device-Host-Inventory-Results-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Results-Editable-End -->
+
+<!-- Device-Host-Inventory-Results-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+<!-- Device-Host-Inventory-Results-DFProperties-End -->
+
+<!-- Device-Host-Inventory-Results-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Results-Examples-End -->
+
+<!-- Device-Host-Inventory-Results-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Begin -->
+##### Host/Inventory/Results/{DocID}
+
+<!-- Device-Host-Inventory-Results-{DocID}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Inventory-Results-{DocID}-Applicability-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Results/{DocID}
+```
+<!-- Device-Host-Inventory-Results-{DocID}-OmaUri-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Description-Begin -->
+<!-- Description-Source-DDF -->
+Uniquely identifies the inventory document. No other document can have this id. The Id should be a GUID.
+<!-- Device-Host-Inventory-Results-{DocID}-Description-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Results-{DocID}-Editable-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+| Dynamic Node Naming | ClientInventory |
+<!-- Device-Host-Inventory-Results-{DocID}-DFProperties-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Results-{DocID}-Examples-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Document-Begin -->
+###### Host/Inventory/Results/{DocID}/Document
+
+<!-- Device-Host-Inventory-Results-{DocID}-Document-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Inventory-Results-{DocID}-Document-Applicability-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Document-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Results/{DocID}/Document
+```
+<!-- Device-Host-Inventory-Results-{DocID}-Document-OmaUri-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Document-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Document node's value is an XML based document containing a collection of setting results from the inventory request specified by [DocId].
+<!-- Device-Host-Inventory-Results-{DocID}-Document-Description-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Document-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Results-{DocID}-Document-Editable-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Document-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Get |
+<!-- Device-Host-Inventory-Results-{DocID}-Document-DFProperties-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Document-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Results-{DocID}-Document-Examples-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Document-End -->
+
+<!-- DeclaredConfiguration-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+## Declared configuration OMA URI
+
+A declared configuration request is sent using an OMA-URI similar to `./Device/Vendor/MSFT/DeclaredConfiguration/Host/[Complete|Inventory]/Documents/{DocID}/Document`.
+
+- The URI is prefixed with a targeted scope. The target of the scenario settings can only be device wide for extensibility. The scope should be `Device`.
+- `{DocID}` is a unique identifier for the desired state of the configuration scenario. Every document must have an ID, which must be a GUID.
+- The request can be a **Configuration**, **Inventory**, or **Complete** request.
+
+The following URI is an example of a **Complete** request: `./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document`
+
+## DeclaredConfiguration document XML
+
+The value of the leaf node `Document` is an XML document that describes the request. The actual processing of the request pivots around the `osdefinedscenario` tag:
+
+- `MSFTExtensibilityMIProviderConfig`: Used to configure MI provider settings.
+- `MSFTExtensibilityMIProviderInventory`:  Used to retrieve MI provider setting values.
+
+The DeclaredConfiguration CSP synchronously validates the batch of settings described by the `<DeclaredConfiguration>` element, which represents the declared configuration document. It checks for correct syntax based on the declared configuration XML schema. If there's a syntax error, the CSP returns an error immediately back to the server as part of the current OMA-DM session. If the syntax check passes, then the request is passed on to a Windows service. The Windows service asynchronously attempts the desired state configuration of the specified scenario. This process frees up the server to do other work thus the low latency of this  declared configuration protocol. The Windows client service, the orchestrator, is responsible for driving the configuration of the device based on the server supplied desire state. The service also maintains this state throughout its lifetime, until the server removes or modifies it.
+
+The following example uses the built-in, native MI provider `MSFT_FileDirectoryConfiguration` with the OS-defined scenario `MSFTExtensibilityMIProviderConfig`:
+
+```xml
+<DeclaredConfiguration schema="1.0" context="Device" id="27FEA311-68B9-4320-9FC4-296F6FDFAFE2" checksum="99925209110918B67FE962460137AA3440AFF4DB6ABBE15C8F499682457B9999" osdefinedscenario="MSFTExtensibilityMIProviderConfig">
+    <DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration">
+        <Key name="DestinationPath">c:\data\test\bin\ut_extensibility.tmp</Key>
+        <Value name="Contents">TestFileContentBlah</Value>
+    </DSC>
+</DeclaredConfiguration>
+```
+
+The standard OMA-DM SyncML syntax is used to specify the DeclaredConfiguration CSP operations such as **Replace**, **Set**, and **Delete**. The payload of the SyncML's `<Data>` element must be XML-encoded. For this XML encoding, there are various online encoders that you can use. To avoid encoding the payload, you can use [CDATA Section](https://www.w3.org/TR/REC-xml/#sec-cdata-sect) as shown in the following example:
+
+```xml
+<?xml version="1.0" encoding="utf-8"?>
+<SyncML xmlns="SYNCML:SYNCML1.1">
+  <SyncBody>
+    <Replace>
+      <CmdID>14</CmdID>
+      <Item>
+        <Target>
+          <LocURI> ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/99988660-9080-3433-96e8-f32e85011999/Document</LocURI>
+        </Target>
+        <Data>
+          <![CDATA[<DeclaredConfiguration schema="1.0" context="Device" id="27FEA311-68B9-4320-9FC4-296F6FDFAFE2" checksum="99925209110918B67FE962460137AA3440AFF4DB6ABBE15C8F499682457B9999" osdefinedscenario="MSFTExtensibilityMIProviderConfig">
+                <DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration">
+                    <Key name="DestinationPath">c:\data\test\bin\ut_extensibility.tmp</Key>
+                    <Value name="Contents">TestFileContentBlah</Value>
+                </DSC>
+            </DeclaredConfiguration>]]>
+        </Data>
+      </Item>
+    </Replace>
+    <Final/>
+  </SyncBody>
+</SyncML>
+```
+
+### DeclaredConfiguration XML document tags
+
+Both `MSFTExtensibilityMIProviderConfig` and `MSFTExtensibilityMIProviderInventory` are OS-defined scenarios that require the same tags and attributes.
+
+- The `<DeclaredConfiguration>` XML tag specifies the details of the declared configuration document to process. The document could be part of a configuration request or an inventory request. The DeclaredConfiguration CSP has two URIs to allow the specification of a configuration or an inventory request.
+
+    This tag has the following attributes:
+
+    | Attribute | Description |
+    |--|--|
+    | `schema` | The schema version of the xml. Currently `1.0`. |
+    | `context` | States that this document is targeting the device. The value should be `Device`. |
+    | `id` | The unique identifier of the document set by the server. This value should be a GUID. |
+    | `checksum` | This value is the server-supplied version of the document. |
+    | `osdefinedscenario` | The named scenario that the client should configure with the given configuration data. For  extensibility, the scenario is either `MSFTExtensibilityMIProviderConfig` or `MSFTExtensibilityMIProviderInventory`. |
+
+- The `<DSC>` XML tag describes the targeted WMI provider expressed by a namespace and class name along with the values either to be applied to the device or queried by the MI provider.
+
+    This tag has the following attributes:
+
+    | Attribute | Description |
+    |--|--|
+    | `namespace` | Specifies the targeted MI provider namespace. |
+    | `classname` | The targeted MI provider. |
+
+- The `<Key>` XML tag describes the required parameter name and value. It only needs a value for configuration. The name is an attribute and the value is `<Key>` content.
+
+    This tag has the following attributes:
+
+    | Attribute | Description |
+    |--|--|
+    | `name` | Specifies the name of an MI provider parameter. |
+
+- The `<Value>` XML tag describes the optional parameter name and value. It only needs a value for configuration. The name is an attribute and the value is `<Value>` content.
+
+    This tag has the following attributes:
+
+    | Attribute | Description |
+    |--|--|
+    | `name` | Specifies the name of an MI provider parameter. |
+
+## Declared configuration generic alert
+
+On every client response to the server's request, the client constructs a declared configuration alert. This alert summarizes the state of each of the documents that the Windows service has processed. The following XML is an example alert:
+
+```xml
+<Alert>
+  <CmdID>1</CmdID>
+  <Data>1224</Data>
+  <Item>
+    <Meta>
+      <Type xmlns="syncml:metinf">com.microsoft.mdm.declaredconfigurationdocuments</Type>
+    </Meta>
+    <Data>
+      <DeclaredConfigurations schema="1.0">
+        <DeclaredConfiguration context="Device"
+                               id="27FEA311-68B9-4320-9FC4-296F6FDFAFE2"
+                               checksum="99925209110918B67FE962460137AA3440AFF4DB6ABBE15C8F499682457B9999"
+                               result_checksum="EE4F1636201B0D39F71654427E420E625B9459EED17ACCEEE1AC9B358F4283FD"
+                               state="60" />
+      </DeclaredConfigurations>
+    </Data>
+  </Item>
+</Alert>
+```
+
+In this example, there's one declared configuration document listed in the alert summary. The alert summary lists every document that the client stack is processing, either a configuration or inventory request. It describes the context of the document that specifies the scope of how the document is applied. The **context** value should be `Device`.
+
+The **state** attribute has a value of `60`, which indicates that the document was processed successfully. The following class defines the other state values:
+
+```csharp
+enum class DCCSPURIState :unsigned long
+{
+    NotDefined = 0, // transient
+    ConfigRequest = 1, // transient
+    ConfigInprogress = 2, // transient
+    ConfigInProgressAsyncPending = 3, // transient: Async operation is performed but pending results
+    DeleteRequest = 10,  // transient
+    DeleteInprogress = 11,  // transient
+
+    GetRequest = 20,  // transient
+    GetInprogress = 21,  // transient
+
+    ConstructURIStorageSuccess = 40, // transient
+
+    ConfigCompletedSuccess = 60, // permanent
+    ConfigCompletedError = 61, // permanent
+    ConfigInfraError = 62, // permanent
+    ConfigCompletedSuccessNoRefresh = 63, // permanent
+
+    DeleteCompletedSuccess = 70, // permanent
+    DeleteCompletedError = 71, // permanent
+    DeleteInfraError = 72, // permanent
+
+    GetCompletedSuccess = 80, // permanent
+    GetCompletedError = 81, // permanent
+    GetInfraError = 82 // permanent
+};
+```
+
+## SyncML examples
+
+- Retrieve the results of a configuration or inventory request:
+
+    ```xml
+    <SyncML xmlns="SYNCML:SYNCML1.1">
+      <SyncBody>
+        <Get>
+          <CmdID>2</CmdID>
+          <Item>
+            <Meta>
+              <Format>chr</Format>
+              <Type>text/plain</Type>
+            </Meta>
+            <Target>
+              <LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</LocURI>
+            </Target>
+          </Item>
+        </Get>
+        <Final />
+      </SyncBody>
+    </SyncML>
+    ```
+
+    ```xml
+    <Status>
+        <CmdID>2</CmdID>
+        <MsgRef>1</MsgRef>
+        <CmdRef>2</CmdRef>
+        <Cmd>Get</Cmd>
+        <Data>200</Data>
+    </Status>
+    <Results>
+        <CmdID>3</CmdID>
+        <MsgRef>1</MsgRef>
+        <CmdRef>2</CmdRef>
+        <Item>
+            <Source>
+                <LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</LocURI>
+            </Source>
+            <Data>
+                <DeclaredConfigurationResult context="Device" schema="1.0" id="99988660-9080-3433-96e8-f32e85011999" osdefinedscenario="MSFTPolicies" checksum="99925209110918B67FE962460137AA3440AFF4DB6ABBE15C8F499682457B9999" result_checksum="EE4F1636201B0D39F71654427E420E625B9459EED17ACCEEE1AC9B358F4283FD" operation="Set" state="60">
+                    <DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration" status="200" state="60">
+                        <Key name="DestinationPath" />
+                        <Value name="Contents" />
+                    </DSC>
+                </DeclaredConfigurationResult>
+            </Data>
+        </Item>
+    </Results>
+    ```
+
+- Replace a configuration or inventory request
+
+    ```xml
+    <SyncML xmlns="SYNCML:SYNCML1.1">
+      <SyncBody>
+        <Replace>
+          <CmdID>14</CmdID>
+          <Item>
+            <Target>
+              <LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</LocURI>
+            </Target>
+            <Data>
+              <![CDATA[<DeclaredConfiguration schema="1.0" context="Device" id="27FEA311-68B9-4320-9FC4-296F6FDFAFE2" checksum="99995209110918B67FE962460137AA3440AFF4DB6ABBE15C8F49968245799999" osdefinedscenario="MSFTExtensibilityMIProviderInventory">
+                    <DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration">
+                        <Key name="DestinationPath">c:/temp/foobar.tmp</Key>
+                        <Value name="Contents"></Value>
+                    </DSC>
+                </DeclaredConfiguration>]]>
+            </Data>
+          </Item>
+        </Replace>
+        <Final />
+      </SyncBody>
+    </SyncML>
+    ```
+
+    ```xml
+    <Status>
+        <CmdID>2</CmdID>
+        <MsgRef>1</MsgRef>
+        <CmdRef>2</CmdRef>
+        <Cmd>Get</Cmd>
+        <Data>200</Data>
+    </Status><Results>
+        <CmdID>3</CmdID>
+        <MsgRef>1</MsgRef>
+        <CmdRef>2</CmdRef>
+        <Item>
+            <Source>
+                <LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Results/99998660-9080-3433-96e8-f32e85019999/Document</LocURI>
+            </Source>
+            <Data>
+                <DeclaredConfigurationResult context="Device" schema="1.0" id="27FEA311-68B9-4320-9FC4-296F6FDFAFE2" osdefinedscenario="MSFTExtensibilityMIProviderInventory" checksum="99995209110918B67FE962460137AA3440AFF4DB6ABBE15C8F49968245799999" result_checksum="A27B0D234CBC2FAC1292F1E8FBDF6A90690F3988DEDC9D716829856C9ACE0E20" operation="Get" state="80">
+                    <DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration" status="200" state="80">
+                        <Key name="DestinationPath">c:/temp/foobar.tmp</Key>
+                        <Value name="Contents">TestFileContent</Value>
+                    </DSC>
+                </DeclaredConfigurationResult>
+            </Data>
+        </Item>
+    </Results>
+    ```
+
+- Abandon a configuration or inventory request. This process results in the client tracking the document but not reapplying it. The alert has the `Abandoned` property set to `1`, which indicates that the document is no longer managed by the declared configuration server.
+
+    ```xml
+    <SyncML xmlns="SYNCML:SYNCML1.1">
+    <SyncBody>
+        <Replace>
+        <CmdID>2</CmdID>
+        <Item>
+            <Meta>
+            <Format>int</Format>
+            <Type>text/plain</Type>
+            </Meta>
+            <Target>
+            <LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Properties/Abandoned</LocURI>
+            </Target>
+            <Data>1</Data>
+        </Item>
+        </Replace>
+    <Final/>
+    </SyncBody>
+    </SyncML>
+    ```
+
+- Deletion of configuration or inventory request. The SyncML deletion of the document only removes the document but any extensibility settings persist on the device (tattoo).
+
+    ```xml
+    <?xml version="1.0" encoding="utf-8"?>
+    <SyncML xmlns="SYNCML:SYNCML1.1">
+    <SyncBody>
+        <Delete>
+            <CmdID>2</CmdID>
+            <Item>
+            <Target>
+                <LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</LocURI>
+            </Target>
+            </Item>
+        </Delete>
+        <Final/>
+        </SyncBody>
+    </SyncML>
+    ```
+<!-- DeclaredConfiguration-CspMoreInfo-End -->
+
+<!-- DeclaredConfiguration-End -->
+
+## Related articles
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/declaredconfiguration-ddf-file.md b/windows/client-management/mdm/declaredconfiguration-ddf-file.md
new file mode 100644
index 0000000000..8f17e34ba0
--- /dev/null
+++ b/windows/client-management/mdm/declaredconfiguration-ddf-file.md
@@ -0,0 +1,482 @@
+---
+title: DeclaredConfiguration DDF file
+description: View the XML file containing the device description framework (DDF) for the DeclaredConfiguration configuration service provider.
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 09/27/2023
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+# DeclaredConfiguration DDF file
+
+The following XML file contains the device description framework (DDF) for the DeclaredConfiguration configuration service provider.
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
+<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
+  <VerDTD>1.2</VerDTD>
+  <MSFT:Diagnostics>
+  </MSFT:Diagnostics>
+  <Node>
+    <NodeName>DeclaredConfiguration</NodeName>
+    <Path>./Device/Vendor/MSFT</Path>
+    <DFProperties>
+      <AccessType>
+        <Get />
+      </AccessType>
+      <Description>The Declared Configuration CSP (Configuration Service Provider) allows the OMA-DM server to provide the device with the complete collection of setting names and associated values based on a specified scenario. The Declared Configuration stack on the device is responsible for handling the configuration request along with maintaining its state including updates to the scenario. It also provides the means to retrieve a scenario’s settings from the device. The configuration request and settings retrieval request are performed asynchronously, freeing up the server’s worker thread to do other useful work. The subsequent results can be retrieved through Declared Configuration’s result nodes.</Description>
+      <DFFormat>
+        <node />
+      </DFFormat>
+      <Occurrence>
+        <One />
+      </Occurrence>
+      <Scope>
+        <Permanent />
+      </Scope>
+      <DFType>
+        <MIME />
+      </DFType>
+      <MSFT:Applicability>
+        <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
+        <MSFT:CspVersion>9.9</MSFT:CspVersion>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;</MSFT:EditionAllowList>
+      </MSFT:Applicability>
+    </DFProperties>
+    <Node>
+      <NodeName>Host</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+        </AccessType>
+        <Description>The Host internal node indicates that the target of the configuration request or inventory request is the host OS. This node is for scope in case enclaves are ever targeted for configuration.</Description>
+        <DFFormat>
+          <node />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <DDFName />
+        </DFType>
+      </DFProperties>
+      <Node>
+        <NodeName>Complete</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+          </AccessType>
+          <Description>This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that do not contain placeholders that the need to be resolved later with additional data. The request is ready to be processed as is.</Description>
+          <DFFormat>
+            <node />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <DDFName />
+          </DFType>
+        </DFProperties>
+        <Node>
+          <NodeName>Documents</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+            </AccessType>
+            <Description>The Documents node indicates that the configuration is in the form of a document, which is a collection of settings used to configure a scenario by the Declared Configuration stack.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>
+            </NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+              </AccessType>
+              <Description>Uniquely identifies the configuration document. No other document can have this id. The Id should be a GUID.</Description>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFTitle>DocID</DFTitle>
+              <DFType>
+                <DDFName />
+              </DFType>
+              <MSFT:DynamicNodeNaming>
+                <MSFT:ServerGeneratedUniqueIdentifier />
+              </MSFT:DynamicNodeNaming>
+              <MSFT:AllowedValues ValueType="RegEx">
+                <MSFT:Value>[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}</MSFT:Value>
+              </MSFT:AllowedValues>
+            </DFProperties>
+            <Node>
+              <NodeName>Document</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Add />
+                  <Delete />
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>The Document node's value is an XML based document containing a collection of settings and values to configure the specified scenario. The Declared Configuration stack verifies the syntax of the document, the stack marks the document to be processed asynchronously by the client. The stack then returns control back to the OMA-DM service. The stack, in turn, asynchronously processes the request. Below is an example of a specified desired state configuration using the Declared Configuration URI ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME />
+                </DFType>
+                <MSFT:AllowedValues ValueType="None">
+                </MSFT:AllowedValues>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>Properties</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Add />
+                  <Delete />
+                  <Get />
+                </AccessType>
+                <Description>The Properties node encapsulates the list of properties that apply to the specified document referenced by [DocID].</Description>
+                <DFFormat>
+                  <node />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <DDFName />
+                </DFType>
+              </DFProperties>
+              <Node>
+                <NodeName>Abandoned</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Add />
+                    <Delete />
+                    <Get />
+                    <Replace />
+                  </AccessType>
+                  <DefaultValue>0</DefaultValue>
+                  <Description>The Abandoned node allows the OMA-DM server to indicate that the document is no longer managed.</Description>
+                  <DFFormat>
+                    <int />
+                  </DFFormat>
+                  <Occurrence>
+                    <One />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <MIME />
+                  </DFType>
+                  <MSFT:AllowedValues ValueType="ENUM">
+                    <MSFT:Enum>
+                      <MSFT:Value>0</MSFT:Value>
+                      <MSFT:ValueDescription>The document is no longer managed.</MSFT:ValueDescription>
+                    </MSFT:Enum>
+                    <MSFT:Enum>
+                      <MSFT:Value>1</MSFT:Value>
+                      <MSFT:ValueDescription>The document is managed.</MSFT:ValueDescription>
+                    </MSFT:Enum>
+                  </MSFT:AllowedValues>
+                </DFProperties>
+              </Node>
+            </Node>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>Results</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>The Results node indicates that this is part of the URI path that will return an XML document containing the results of the configuration request.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>
+            </NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+              </AccessType>
+              <Description>Uniquely identifies the configuration document in which results of the configuration request will be returned.</Description>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFTitle>DocID</DFTitle>
+              <DFType>
+                <DDFName />
+              </DFType>
+              <MSFT:DynamicNodeNaming>
+                <MSFT:ClientInventory />
+              </MSFT:DynamicNodeNaming>
+            </DFProperties>
+            <Node>
+              <NodeName>Document</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>The Document node's value is an XML based document containing a collection of setting results from the configuration request specified by [DocId].</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME />
+                </DFType>
+              </DFProperties>
+            </Node>
+          </Node>
+        </Node>
+      </Node>
+      <Node>
+        <NodeName>Inventory</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+          </AccessType>
+          <Description>The Inventory internal node indicates that this is an inventory request. The setting values to be retrieved are specified in an XML document through the Document leaf node.</Description>
+          <DFFormat>
+            <node />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <DDFName />
+          </DFType>
+        </DFProperties>
+        <Node>
+          <NodeName>Documents</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+            </AccessType>
+            <Description>The Documents node indicates that the inventory request is in the form of a document, which is a collection of settings used to retrieve their values.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>
+            </NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+              </AccessType>
+              <Description>Uniquely identifies the inventory document. No other document can have this id. The Id should be a GUID.</Description>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFTitle>DocID</DFTitle>
+              <DFType>
+                <DDFName />
+              </DFType>
+              <MSFT:DynamicNodeNaming>
+                <MSFT:ServerGeneratedUniqueIdentifier />
+              </MSFT:DynamicNodeNaming>
+              <MSFT:AllowedValues ValueType="RegEx">
+                <MSFT:Value>[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}</MSFT:Value>
+              </MSFT:AllowedValues>
+            </DFProperties>
+            <Node>
+              <NodeName>Document</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Add />
+                  <Delete />
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>The Document node's value is an XML based document containing a collection of settings that will be used to retrieve their values. The Declared Configuration stack verifies the syntax of the document, the stack marks the document to be processed asynchronously by the client. The stack then returns control back to the OMA-DM service. The stack, in turn, asynchronously processes the request. Below is an example of a specified desired state configuration using the Declared Configuration URI ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME />
+                </DFType>
+                <MSFT:AllowedValues ValueType="None">
+                </MSFT:AllowedValues>
+              </DFProperties>
+            </Node>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>Results</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>The Results node indicates that this is part of the URI path that will return an XML document containing the results of the inventory request.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>
+            </NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+              </AccessType>
+              <Description>Uniquely identifies the inventory document. No other document can have this id. The Id should be a GUID.</Description>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFTitle>DocID</DFTitle>
+              <DFType>
+                <DDFName />
+              </DFType>
+              <MSFT:DynamicNodeNaming>
+                <MSFT:ClientInventory />
+              </MSFT:DynamicNodeNaming>
+            </DFProperties>
+            <Node>
+              <NodeName>Document</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>The Document node's value is an XML based document containing a collection of setting results from the inventory request specified by [DocId].</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME />
+                </DFType>
+              </DFProperties>
+            </Node>
+          </Node>
+        </Node>
+      </Node>
+    </Node>
+  </Node>
+</MgmtTree>
+```
+
+## Related articles
+
+[DeclaredConfiguration configuration service provider reference](declaredconfiguration-csp.md)
diff --git a/windows/client-management/mdm/devicepreparation-csp.md b/windows/client-management/mdm/devicepreparation-csp.md
index 1f3ec6eaa1..d8b4a5ca6e 100644
--- a/windows/client-management/mdm/devicepreparation-csp.md
+++ b/windows/client-management/mdm/devicepreparation-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the DevicePreparation CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -430,7 +430,7 @@ This node provides status of the Device Preparation page. Values are an enum: 0
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
-| Access Type | Get |
+| Access Type | Get, Replace |
 <!-- Device-PageStatus-DFProperties-End -->
 
 <!-- Device-PageStatus-AllowedValues-Begin -->
diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md
index 3174ac4dab..4f948ac7b5 100644
--- a/windows/client-management/mdm/devicepreparation-ddf-file.md
+++ b/windows/client-management/mdm/devicepreparation-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -88,6 +88,7 @@ The following XML file contains the device description framework (DDF) for the D
       <DFProperties>
         <AccessType>
           <Get />
+          <Replace />
         </AccessType>
         <Description>This node provides status of the Device Preparation page.  Values are an enum: 0 = Disabled; 1 = Enabled;  2 = InProgress; 3 = ExitedOnSuccess; 4 = ExitedOnFailure.</Description>
         <DFFormat>
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index 7c11cf5f09..30b1bd5f6a 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the DMClient CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -80,10 +80,10 @@ The following list shows the DMClient configuration service provider nodes:
       - [HelpWebsite](#deviceproviderprovideridhelpwebsite)
       - [HWDevID](#deviceproviderprovideridhwdevid)
       - [LinkedEnrollment](#deviceproviderprovideridlinkedenrollment)
+        - [DiscoveryEndpoint](#deviceproviderprovideridlinkedenrollmentdiscoveryendpoint)
         - [Enroll](#deviceproviderprovideridlinkedenrollmentenroll)
         - [EnrollStatus](#deviceproviderprovideridlinkedenrollmentenrollstatus)
         - [LastError](#deviceproviderprovideridlinkedenrollmentlasterror)
-        - [Priority](#deviceproviderprovideridlinkedenrollmentpriority)
         - [Unenroll](#deviceproviderprovideridlinkedenrollmentunenroll)
       - [ManagementServerAddressList](#deviceproviderprovideridmanagementserveraddresslist)
       - [ManagementServerToUpgradeTo](#deviceproviderprovideridmanagementservertoupgradeto)
@@ -272,7 +272,7 @@ This node contains the URI-encoded value of the bootstrapped device management a
 
 <!-- Device-Provider-{ProviderID}-AADDeviceID-Description-Begin -->
 <!-- Description-Source-DDF -->
-Device ID used for AAD device registration.
+Device ID used for Microsoft Entra device registration.
 <!-- Device-Provider-{ProviderID}-AADDeviceID-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-AADDeviceID-Editable-Begin -->
@@ -311,12 +311,12 @@ Device ID used for AAD device registration.
 
 <!-- Device-Provider-{ProviderID}-AADResourceID-Description-Begin -->
 <!-- Description-Source-DDF -->
-This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
+This is the ResourceID used when requesting the user token from the OMA DM session for Microsoft Entra enrollments (Microsoft Entra join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
 <!-- Device-Provider-{ProviderID}-AADResourceID-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-AADResourceID-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](../azure-active-directory-integration-with-mdm.md).
+For more information about Microsoft Entra enrollment, see [Microsoft Entra integration with MDM](../azure-active-directory-integration-with-mdm.md).
 <!-- Device-Provider-{ProviderID}-AADResourceID-Editable-End -->
 
 <!-- Device-Provider-{ProviderID}-AADResourceID-DFProperties-Begin -->
@@ -351,7 +351,7 @@ For more information about Azure AD enrollment, see [Azure Active Directory inte
 
 <!-- Device-Provider-{ProviderID}-AADSendDeviceToken-Description-Begin -->
 <!-- Description-Source-DDF -->
-For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token can't be obtained.
+For Microsoft Entra ID backed enrollments, this will cause the client to send a Device Token if the User Token can't be obtained.
 <!-- Device-Provider-{ProviderID}-AADSendDeviceToken-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-AADSendDeviceToken-Editable-Begin -->
@@ -1209,7 +1209,7 @@ The node contains the secondary certificate - the public key to use.
 
 <!-- Device-Provider-{ProviderID}-EnhancedAppLayerSecurity-SecurityMode-Description-Begin -->
 <!-- Description-Source-DDF -->
-This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
+This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign-only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
 <!-- Device-Provider-{ProviderID}-EnhancedAppLayerSecurity-SecurityMode-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-EnhancedAppLayerSecurity-SecurityMode-Editable-Begin -->
@@ -1568,7 +1568,7 @@ This node decides whether or not the MDM progress page displays the Collect Logs
 
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-BlockInStatusPage-Description-Begin -->
 <!-- Description-Source-DDF -->
-Device Only. This node determines whether or not the MDM progress page is blocking in the AADJ or DJ++ case, as well as which remediation options are available.
+Device Only. This node determines whether or not the MDM progress page is blocking in the Microsoft Entra joined or DJ++ case, as well as which remediation options are available.
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-BlockInStatusPage-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-BlockInStatusPage-Editable-Begin -->
@@ -1994,7 +1994,7 @@ This node is set by the server to inform the UX that the server has finished pro
 
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipDeviceStatusPage-Description-Begin -->
 <!-- Description-Source-DDF -->
-Device only. This node decides whether or not the MDM device progress page skips after AADJ or Hybrid AADJ in OOBE.
+Device only. This node decides whether or not the MDM device progress page skips after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE.
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipDeviceStatusPage-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipDeviceStatusPage-Editable-Begin -->
@@ -2016,8 +2016,8 @@ Device only. This node decides whether or not the MDM device progress page skips
 
 | Value | Description |
 |:--|:--|
-| false | Don't skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
-| true (Default) | Skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
+| false | Don't skip the device progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
+| true (Default) | Skip the device progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipDeviceStatusPage-AllowedValues-End -->
 
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipDeviceStatusPage-Examples-Begin -->
@@ -2043,7 +2043,7 @@ Device only. This node decides whether or not the MDM device progress page skips
 
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipUserStatusPage-Description-Begin -->
 <!-- Description-Source-DDF -->
-Device only. This node decides whether or not the MDM user progress page skips after AADJ or DJ++ after user login.
+Device only. This node decides whether or not the MDM user progress page skips after Microsoft Entra joined or DJ++ after user login.
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipUserStatusPage-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipUserStatusPage-Editable-Begin -->
@@ -2065,8 +2065,8 @@ Device only. This node decides whether or not the MDM user progress page skips a
 
 | Value | Description |
 |:--|:--|
-| false | Don't skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
-| true (Default) | Skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
+| false | Don't skip the MGM user progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
+| true (Default) | Skip the MGM user progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipUserStatusPage-AllowedValues-End -->
 
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipUserStatusPage-Examples-Begin -->
@@ -2182,7 +2182,7 @@ Integer node determining if a Device was Successfully provisioned. 0 is failure,
 
 <!-- Device-Provider-{ProviderID}-ForceAadToken-Description-Begin -->
 <!-- Description-Source-DDF -->
-Force device to send device AAD token during check-in as a separate header.
+Force device to send device Microsoft Entra token during check-in as a separate header.
 <!-- Device-Provider-{ProviderID}-ForceAadToken-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-ForceAadToken-Editable-Begin -->
@@ -2204,9 +2204,9 @@ Force device to send device AAD token during check-in as a separate header.
 | Value | Description |
 |:--|:--|
 | 0 | ForceAadTokenNotDefined: the value isn't defined(default). |
-| 1 | AlwaysSendAadDeviceTokenCheckIn: always send AAD device token during check-in as a separate header section(not as Bearer token). |
-| 2 | Reserved for future. AlwaysSendAadUserTokenCheckin: always send AAD user token during check-in as a separate header section(not as Bearer token). |
-| 4 | SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send AAD Device token for auth as Bearer token. |
+| 1 | AlwaysSendAadDeviceTokenCheckIn: always send Microsoft Entra device token during check-in as a separate header section(not as Bearer token). |
+| 2 | Reserved for future. AlwaysSendAadUserTokenCheckin: always send Microsoft Entra user token during check-in as a separate header section(not as Bearer token). |
+| 4 | SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send Microsoft Entra device token for auth as Bearer token. |
 | 8 | Reserved for future. ForceAadTokenMaxAllowed: max value allowed. |
 <!-- Device-Provider-{ProviderID}-ForceAadToken-AllowedValues-End -->
 
@@ -2411,6 +2411,45 @@ The interior node for linked enrollment.
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-End -->
 
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Begin -->
+##### Device/Provider/{ProviderID}/LinkedEnrollment/DiscoveryEndpoint
+
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Applicability-End -->
+
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/DiscoveryEndpoint
+```
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-OmaUri-End -->
+
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Description-Begin -->
+<!-- Description-Source-DDF -->
+Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint isn't set, client will return an empty string with S_OK.
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Description-End -->
+
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Editable-End -->
+
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-DFProperties-End -->
+
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Examples-End -->
+
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-End -->
+
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-Begin -->
 ##### Device/Provider/{ProviderID}/LinkedEnrollment/Enroll
 
@@ -2428,12 +2467,12 @@ The interior node for linked enrollment.
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-Description-Begin -->
 <!-- Description-Source-DDF -->
-Trigger to enroll for the Linked Enrollment.
+This is an execution node and will trigger a silent Declared Configuration unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by Declared Configuration will be rolled back (rollback details will be covered later).
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-This is an execution node and will trigger a silent MMP-C enrollment, using the Azure Active Directory device token pulled from the Azure AD-joined device. There is no user interaction needed.
+This is an execution node and will trigger a silent Declared Configuration enrollment, using the Microsoft Entra device token pulled from the Microsoft Entra joined device. There is no user interaction needed. When the **DiscoveryEndpoint** is not set, the Enroll node will fail with `ERROR_FILE_NOT_FOUND (0x80070002)` and there is no scheduled task created for dual enrollment.
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-Editable-End -->
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-DFProperties-Begin -->
@@ -2468,7 +2507,7 @@ This is an execution node and will trigger a silent MMP-C enrollment, using the
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-EnrollStatus-Description-Begin -->
 <!-- Description-Source-DDF -->
-Returns the current enrollment or un-enrollment status of the linked enrollment.
+Returns the current enrollment or un-enrollment status of the linked enrollment. Supports Get only.
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-EnrollStatus-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-EnrollStatus-Editable-Begin -->
@@ -2523,7 +2562,7 @@ Returns the current enrollment or un-enrollment status of the linked enrollment.
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-LastError-Description-Begin -->
 <!-- Description-Source-DDF -->
-return the last error for enroll/unenroll.
+Supports Get Only. Returns the HRESULT for the last error when enroll/unenroll fails.
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-LastError-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-LastError-Editable-Begin -->
@@ -2545,54 +2584,6 @@ return the last error for enroll/unenroll.
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-LastError-End -->
 
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-Begin -->
-##### Device/Provider/{ProviderID}/LinkedEnrollment/Priority
-
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2009 [10.0.19042.2193] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.2193] and later <br> ✅ Windows 10, version 21H2 [10.0.19044.2193] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.918] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-Applicability-End -->
-
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-OmaUri-Begin -->
-```Device
-./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/Priority
-```
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-OmaUri-End -->
-
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-Description-Begin -->
-<!-- Description-Source-DDF -->
-Optional. Allowed value is 0 or 1. 0 means the main enrollment has authority for MDM settings and resources, 1 means the linked enrollment has authority.
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-Description-End -->
-
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-Editable-End -->
-
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `int` |
-| Access Type | Add, Delete, Get, Replace |
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-DFProperties-End -->
-
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-AllowedValues-Begin -->
-**Allowed values**:
-
-| Value | Description |
-|:--|:--|
-| 0 | The main enrollment has priority over linked enrollment. |
-| 1 | The linked enrollment has priority over the main enrollment. |
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-AllowedValues-End -->
-
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-Examples-End -->
-
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-End -->
-
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Unenroll-Begin -->
 ##### Device/Provider/{ProviderID}/LinkedEnrollment/Unenroll
 
@@ -2615,7 +2606,7 @@ Trigger Unenroll for the Linked Enrollment.
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Unenroll-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-This is an execution node and will trigger a silent MMP-C unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by MMPC will be rolled back.
+This is an execution node and will trigger a silent Declared Configuration unenroll, without any user interaction. On un-enrollment, all the settings/resources set by Declared Configuration will be rolled back.
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Unenroll-Editable-End -->
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Unenroll-DFProperties-Begin -->
@@ -3744,7 +3735,7 @@ This node initiates a recovery action. The server can specify prerequisites befo
 | Value | Description |
 |:--|:--|
 | 0 (Default) | Initiate MDM Recovery. |
-| 1 | Initiate Recovery if Keys aren't already protected by the TPM, there is a TPM to put the keys into, AAD keys are protected by TPM, and the TPM is ready for attestation. |
+| 1 | Initiate Recovery if Keys aren't already protected by the TPM, there is a TPM to put the keys into, Microsoft Entra ID keys are protected by TPM, and the TPM is ready for attestation. |
 <!-- Device-Provider-{ProviderID}-Recovery-InitiateRecovery-AllowedValues-End -->
 
 <!-- Device-Provider-{ProviderID}-Recovery-InitiateRecovery-Examples-Begin -->
@@ -3770,7 +3761,7 @@ This node initiates a recovery action. The server can specify prerequisites befo
 
 <!-- Device-Provider-{ProviderID}-Recovery-RecoveryStatus-Description-Begin -->
 <!-- Description-Source-DDF -->
-This node tracks the status of a Recovery request from the InitiateRecovery node. 0 - No Recovery request has been processed. 1 - Recovery is in Process. 2 - Recovery has finished successfully. 3 - Recovery has failed to start because TPM isn't available. 4 - Recovery has failed to start because AAD keys aren't protected by the TPM. 5 - Recovery has failed to start because the MDM keys are already protected by the TPM. 6 - Recovery has failed to start because the TPM isn't ready for attestation. 7 - Recovery has failed because the client can't authenticate to the server. 8 - Recovery has failed because the server has rejected the client's request.
+This node tracks the status of a Recovery request from the InitiateRecovery node. 0 - No Recovery request has been processed. 1 - Recovery is in Process. 2 - Recovery has finished successfully. 3 - Recovery has failed to start because TPM isn't available. 4 - Recovery has failed to start because Microsoft Entra ID keys aren't protected by the TPM. 5 - Recovery has failed to start because the MDM keys are already protected by the TPM. 6 - Recovery has failed to start because the TPM isn't ready for attestation. 7 - Recovery has failed because the client can't authenticate to the server. 8 - Recovery has failed because the server has rejected the client's request.
 <!-- Device-Provider-{ProviderID}-Recovery-RecoveryStatus-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-Recovery-RecoveryStatus-Editable-Begin -->
@@ -3973,7 +3964,7 @@ The following SyncML shows how to remotely unenroll the device. This command sho
              <LocURI>./Vendor/MSFT/DMClient/Provider/<ProviderID>/Unenroll</LocURI>
           </Target>
           <Meta>
-             <Format xmlns=”syncml:metinf”>chr</Format>
+             <Format xmlns="syncml:metinf">chr</Format>
           </Meta>
           <Data>TestMDMServer</Data>
           <!-- Data Field in Threshold is now IGNORED -->
diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md
index 8940dcd7f9..f47fafa391 100644
--- a/windows/client-management/mdm/dmclient-ddf-file.md
+++ b/windows/client-management/mdm/dmclient-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 09/27/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -2548,47 +2548,13 @@ The following XML file contains the device description framework (DDF) for the D
               <MSFT:CspVersion>1.6</MSFT:CspVersion>
             </MSFT:Applicability>
           </DFProperties>
-          <Node>
-            <NodeName>Priority</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Add />
-                <Delete />
-                <Get />
-                <Replace />
-              </AccessType>
-              <Description>Optional. Allowed value is 0 or 1. 0 means the main enrollment has authority for mdm settings and resources, 1 means the linked enrollment has authority.</Description>
-              <DFFormat>
-                <int />
-              </DFFormat>
-              <Occurrence>
-                <ZeroOrOne />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME />
-              </DFType>
-              <MSFT:AllowedValues ValueType="ENUM">
-                <MSFT:Enum>
-                  <MSFT:Value>0</MSFT:Value>
-                  <MSFT:ValueDescription>The main enrollment has priority over linked enrollment.</MSFT:ValueDescription>
-                </MSFT:Enum>
-                <MSFT:Enum>
-                  <MSFT:Value>1</MSFT:Value>
-                  <MSFT:ValueDescription>The linked enrollment has priority over the main enrollment.</MSFT:ValueDescription>
-                </MSFT:Enum>
-              </MSFT:AllowedValues>
-            </DFProperties>
-          </Node>
           <Node>
             <NodeName>LastError</NodeName>
             <DFProperties>
               <AccessType>
                 <Get />
               </AccessType>
-              <Description>return the last error for enroll/unenroll.</Description>
+              <Description>Supports Get Only. Returns the HRESULT for the last error when enroll/unenroll fails.</Description>
               <DFFormat>
                 <int />
               </DFFormat>
@@ -2609,7 +2575,7 @@ The following XML file contains the device description framework (DDF) for the D
               <AccessType>
                 <Get />
               </AccessType>
-              <Description>Returns the current enrollment or un-enrollment status of the linked enrollment.</Description>
+              <Description>Returns the current enrollment or un-enrollment status of the linked enrollment. Supports Get only.</Description>
               <DFFormat>
                 <int />
               </DFFormat>
@@ -2668,7 +2634,7 @@ The following XML file contains the device description framework (DDF) for the D
               <AccessType>
                 <Exec />
               </AccessType>
-              <Description>Trigger to enroll for the Linked Enrollment</Description>
+              <Description>This is an execution node and will trigger a silent Declared Configuration unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by Declared Configuration will be rolled back (rollback details will be covered later).</Description>
               <DFFormat>
                 <null />
               </DFFormat>
@@ -2704,6 +2670,36 @@ The following XML file contains the device description framework (DDF) for the D
               </DFType>
             </DFProperties>
           </Node>
+          <Node>
+            <NodeName>DiscoveryEndpoint</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint is not set, client will return an rmpty string with S_OK. </Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:Applicability>
+                <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
+                <MSFT:CspVersion>9.9</MSFT:CspVersion>
+              </MSFT:Applicability>
+              <MSFT:AllowedValues ValueType="None">
+              </MSFT:AllowedValues>
+            </DFProperties>
+          </Node>
         </Node>
         <Node>
           <NodeName>MultipleSession</NodeName>
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index 3f61327719..6bfcf539e2 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -3472,7 +3472,7 @@ This value represents the order of rule enforcement. A lower priority rule is ev
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-OmaUri-Begin -->
@@ -3547,7 +3547,7 @@ Specifies the profiles to which the rule belongs: Domain, Private, Public. See [
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-65535]` |
+| Allowed Values | Range: `[0-255]` |
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Protocol-DFProperties-End -->
 
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Protocol-Examples-Begin -->
@@ -3812,7 +3812,7 @@ VM Creator ID that these settings apply to. Valid format is a GUID.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-OmaUri-Begin -->
@@ -3961,7 +3961,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-OmaUri-Begin -->
@@ -3999,7 +3999,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-OmaUri-Begin -->
@@ -4049,7 +4049,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-OmaUri-Begin -->
@@ -4099,7 +4099,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-OmaUri-Begin -->
@@ -4149,7 +4149,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-OmaUri-Begin -->
@@ -4296,7 +4296,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-OmaUri-Begin -->
@@ -4334,7 +4334,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-OmaUri-Begin -->
@@ -4384,7 +4384,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-OmaUri-Begin -->
@@ -4434,7 +4434,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-OmaUri-Begin -->
@@ -4484,7 +4484,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-OmaUri-Begin -->
@@ -4533,7 +4533,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-OmaUri-Begin -->
@@ -4571,7 +4571,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-OmaUri-Begin -->
@@ -4621,7 +4621,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-OmaUri-Begin -->
@@ -4671,7 +4671,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-OmaUri-Begin -->
@@ -4721,7 +4721,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md
index 8a398f09ae..1d38c29221 100644
--- a/windows/client-management/mdm/firewall-ddf-file.md
+++ b/windows/client-management/mdm/firewall-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/02/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -3030,7 +3030,7 @@ The following XML file contains the device description framework (DDF) for the F
                 <MIME />
               </DFType>
               <MSFT:Applicability>
-                <MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
+                <MSFT:OsBuildVersion>10.0.25398, 10.0.22621.2352</MSFT:OsBuildVersion>
                 <MSFT:CspVersion>1.0</MSFT:CspVersion>
               </MSFT:Applicability>
               <MSFT:AllowedValues ValueType="ENUM">
@@ -3064,7 +3064,7 @@ The following XML file contains the device description framework (DDF) for the F
                 <DDFName />
               </DFType>
               <MSFT:Applicability>
-                <MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
+                <MSFT:OsBuildVersion>10.0.25398, 10.0.22621.2352</MSFT:OsBuildVersion>
                 <MSFT:CspVersion>1.0</MSFT:CspVersion>
               </MSFT:Applicability>
             </DFProperties>
@@ -3257,7 +3257,7 @@ The following XML file contains the device description framework (DDF) for the F
                 <DDFName />
               </DFType>
               <MSFT:Applicability>
-                <MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
+                <MSFT:OsBuildVersion>10.0.25398, 10.0.22621.2352</MSFT:OsBuildVersion>
                 <MSFT:CspVersion>1.0</MSFT:CspVersion>
               </MSFT:Applicability>
             </DFProperties>
@@ -3450,7 +3450,7 @@ The following XML file contains the device description framework (DDF) for the F
                 <DDFName />
               </DFType>
               <MSFT:Applicability>
-                <MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
+                <MSFT:OsBuildVersion>10.0.25398, 10.0.22621.2352</MSFT:OsBuildVersion>
                 <MSFT:CspVersion>1.0</MSFT:CspVersion>
               </MSFT:Applicability>
             </DFProperties>
@@ -4597,7 +4597,7 @@ If not specified the detault is OUT.</Description>
                 <MIME />
               </DFType>
               <MSFT:AllowedValues ValueType="Range">
-                <MSFT:Value>[0-65535]</MSFT:Value>
+                <MSFT:Value>[0-255]</MSFT:Value>
               </MSFT:AllowedValues>
             </DFProperties>
           </Node>
@@ -4833,7 +4833,7 @@ If not specified - a new rule is disabled by default.</Description>
                 <MIME />
               </DFType>
               <MSFT:Applicability>
-                <MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
+                <MSFT:OsBuildVersion>10.0.25398, 10.0.22621.2352</MSFT:OsBuildVersion>
                 <MSFT:CspVersion>1.0</MSFT:CspVersion>
               </MSFT:Applicability>
               <MSFT:AllowedValues ValueType="Flag">
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index 1c9ad0123e..befe9471cc 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -726,7 +726,7 @@ If the attestation process is launched successfully, this node will return code
   - rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller.
   - serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation.
   - nonce: This field contains an arbitrary number that can be used only once in a cryptographic communication. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in replay attacks.
-  - aadToken: The Azure Active Directory token to be used for authentication against the Microsoft Azure Attestation service.
+  - aadToken: The Microsoft Entra token to be used for authentication against the Microsoft Azure Attestation service.
   - cv: This field contains an identifier(Correlation Vector) that will be passed in to the service call, and that can be used for diagnostics purposes.
 
 - Sample `<Data>`:
diff --git a/windows/client-management/mdm/includes/mdm-insider-csp-note.md b/windows/client-management/mdm/includes/mdm-insider-csp-note.md
index 5c8c70b1fe..bc1fc814b6 100644
--- a/windows/client-management/mdm/includes/mdm-insider-csp-note.md
+++ b/windows/client-management/mdm/includes/mdm-insider-csp-note.md
@@ -7,4 +7,4 @@ ms.date: 05/09/2023
 ---
 
 > [!IMPORTANT]
-> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
+> This CSP contains some settings that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These settings are subject to change and may have dependencies on other features or services in preview.
diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md
index fe053e7544..a010675895 100644
--- a/windows/client-management/mdm/laps-csp.md
+++ b/windows/client-management/mdm/laps-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the LAPS CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -23,7 +23,7 @@ ms.topic: reference
 The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings).
 
 > [!NOTE]
-> For more information on specific OS updates required to use the Windows LAPS CSP and associated features, plus the current status of the Azure Active Directory LAPS scenario, see [Windows LAPS availability and Azure AD LAPS public preview status](/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status).
+> For more information on specific OS updates required to use the Windows LAPS CSP and associated features, plus the current status of the Microsoft Entra LAPS scenario, see [Windows LAPS availability and Microsoft Entra LAPS public preview status](/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status).
 
 > [!TIP]
 > This article covers the specific technical details of the LAPS CSP.  For more information about the scenarios in which the LAPS CSP would be used, see [Windows Local Administrator Password Solution](/windows-server/identity/laps/laps).
@@ -449,7 +449,7 @@ Use this setting to configure which directory the local admin account password i
 The allowable settings are:
 
 0=Disabled (password won't be backed up)
-1=Backup the password to Azure AD only
+1=Backup the password to Microsoft Entra ID only
 2=Backup the password to Active Directory only.
 
 If not specified, this setting will default to 0.
@@ -475,7 +475,7 @@ If not specified, this setting will default to 0.
 | Value | Description |
 |:--|:--|
 | 0 (Default) | Disabled (password won't be backed up). |
-| 1 | Backup the password to Azure AD only. |
+| 1 | Backup the password to Microsoft Entra ID only. |
 | 2 | Backup the password to Active Directory only. |
 <!-- Device-Policies-BackupDirectory-AllowedValues-End -->
 
@@ -506,7 +506,7 @@ Use this policy to configure the maximum password age of the managed local admin
 
 If not specified, this setting will default to 30 days.
 
-This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password to Azure AD.
+This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password to Microsoft Entra ID.
 
 This setting has a maximum allowed value of 365 days.
 <!-- Device-Policies-PasswordAgeDays-Description-End -->
@@ -745,7 +745,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff
 | Value | Description |
 |:--|:--|
 | 1 | Reset password: upon expiry of the grace period, the managed account password will be reset. |
-| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated. |
+| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. |
 | 5 | Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. |
 <!-- Device-Policies-PostAuthenticationActions-AllowedValues-End -->
 
@@ -806,7 +806,7 @@ This setting has a maximum allowed value of 24 hours.
 <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
 ## Settings Applicability
 
-The LAPS CSP can be used to manage devices that are either joined to Azure AD or joined to both Azure AD and Active Directory (hybrid-joined). The LAPS CSP manages a mix of AAD-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2.
+The LAPS CSP can be used to manage devices that are either joined to Microsoft Entra ID or joined to both Microsoft Entra ID and Active Directory (hybrid-joined). The LAPS CSP manages a mix of Microsoft Entra-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2.
 
 | Setting name                        | Azure-joined | Hybrid-joined |
 |-------------------------------------|--------------|---------------|
@@ -828,9 +828,11 @@ The LAPS CSP can be used to manage devices that are either joined to Azure AD or
 
 The following examples are provided to show the correct format and shouldn't be considered as a recommendation.
 
-### Azure-joined device backing password up to Azure AD
+<a name='azure-joined-device-backing-password-up-to-azure-ad'></a>
 
-This example shows how to configure an Azure-joined device to back up its password to Azure Active Directory:
+### Azure-joined device backing password up to Microsoft Entra ID
+
+This example shows how to configure an Azure-joined device to back up its password to Microsoft Entra ID:
 
 ```xml
 <SyncMl xmlns="SYNCML:SYNCML1.2">
diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md
index 591e23f3dc..cc5a8c8ada 100644
--- a/windows/client-management/mdm/networkqospolicy-csp.md
+++ b/windows/client-management/mdm/networkqospolicy-csp.md
@@ -32,9 +32,9 @@ The following actions are supported:
 - Layer 3 tagging using a differentiated services code point (DSCP) value
 
 > [!NOTE]
-> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on the following devices:
+> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Microsoft Entra joined. Currently, this CSP is not supported on the following devices:
 >
-> - Azure AD Hybrid joined devices.
+> - Microsoft Entra hybrid joined devices.
 > - Devices that use both GPO and CSP at the same time.
 >
 > The minimum operating system requirement for this CSP is Windows 10, version 1703. This CSP is not supported in Microsoft Surface Hub prior to Windows 10, version 1703.
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index d5c2ebe843..29e995b12d 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -20,7 +20,7 @@ ms.topic: reference
 
 <!-- PassportForWork-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards.
+The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Microsoft Entra account and replace passwords, smartcards, and virtual smart cards.
 
 > [!IMPORTANT]
 > Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
@@ -32,6 +32,7 @@ The following list shows the PassportForWork configuration service provider node
 - ./Device/Vendor/MSFT/PassportForWork
   - [{TenantId}](#devicetenantid)
     - [Policies](#devicetenantidpolicies)
+      - [DisablePostLogonCredentialCaching](#devicetenantidpoliciesdisablepostlogoncredentialcaching)
       - [DisablePostLogonProvisioning](#devicetenantidpoliciesdisablepostlogonprovisioning)
       - [EnablePinRecovery](#devicetenantidpoliciesenablepinrecovery)
       - [EnableWindowsHelloProvisioningForSecurityKeys](#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys)
@@ -164,6 +165,55 @@ Root node for policies.
 
 <!-- Device-{TenantId}-Policies-End -->
 
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Begin -->
+#### Device/{TenantId}/Policies/DisablePostLogonCredentialCaching
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Applicability-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/DisablePostLogonCredentialCaching
+```
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-OmaUri-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Description-Begin -->
+<!-- Description-Source-DDF -->
+Disable caching of the Windows Hello for Business credential after sign-in.
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Description-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Editable-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `bool` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | False |
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-DFProperties-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-AllowedValues-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Examples-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-End -->
+
 <!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Begin -->
 #### Device/{TenantId}/Policies/DisablePostLogonProvisioning
 
@@ -1069,9 +1119,9 @@ Windows Hello for Business can use certificates to authenticate to on-premise re
 
 <!-- Device-{TenantId}-Policies-UseCloudTrustForOnPremAuth-Description-Begin -->
 <!-- Description-Source-DDF -->
-Boolean value that enables Windows Hello for Business to use Azure AD Kerberos to authenticate to on-premises resources.
+Boolean value that enables Windows Hello for Business to use Microsoft Entra Kerberos to authenticate to on-premises resources.
 
-- If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain.
+- If you enable this policy setting, Windows Hello for Business will use a Microsoft Entra Kerberos ticket to authenticate to on-premises resources. The Microsoft Entra Kerberos ticket is returned to the client after a successful authentication to Microsoft Entra ID if Microsoft Entra Kerberos is enabled for the tenant and domain.
 
 - If you disable or don't configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources.
 <!-- Device-{TenantId}-Policies-UseCloudTrustForOnPremAuth-Description-End -->
@@ -1176,7 +1226,7 @@ Windows requires a user to lock and unlock their session after changing this set
 
 <!-- Device-{TenantId}-Policies-UsePassportForWork-Description-Begin -->
 <!-- Description-Source-DDF -->
-Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards.
+Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Microsoft Entra account that can replace passwords, Smart Cards, and Virtual Smart Cards.
 
 - If you enable or don't configure this policy setting, the device provisions Windows Hello for Business for all users.
 
@@ -2503,7 +2553,7 @@ A Trusted Platform Module (TPM) provides additional security benefits over softw
 
 <!-- User-{TenantId}-Policies-UsePassportForWork-Description-Begin -->
 <!-- Description-Source-DDF -->
-Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards.
+Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Microsoft Entra account that can replace passwords, Smart Cards, and Virtual Smart Cards.
 
 - If you enable or don't configure this policy setting, the device provisions Windows Hello for Business for all users.
 
diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md
index 8a2ac551bc..6cfc4fabfc 100644
--- a/windows/client-management/mdm/passportforwork-ddf.md
+++ b/windows/client-management/mdm/passportforwork-ddf.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/02/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -892,6 +892,45 @@ If you disable or do not configure this policy setting, the PIN recovery secret
             </MSFT:AllowedValues>
           </DFProperties>
         </Node>
+        <Node>
+          <NodeName>DisablePostLogonCredentialCaching</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+              <Replace />
+            </AccessType>
+            <DefaultValue>False</DefaultValue>
+            <Description>Disable caching of the Windows Hello for Business credential after sign-in.</Description>
+            <DFFormat>
+              <bool />
+            </DFFormat>
+            <Occurrence>
+              <ZeroOrOne />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+            <MSFT:Applicability>
+              <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
+              <MSFT:CspVersion>1.6</MSFT:CspVersion>
+            </MSFT:Applicability>
+            <MSFT:AllowedValues ValueType="ENUM">
+              <MSFT:Enum>
+                <MSFT:Value>false</MSFT:Value>
+                <MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
+              </MSFT:Enum>
+              <MSFT:Enum>
+                <MSFT:Value>true</MSFT:Value>
+                <MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
+              </MSFT:Enum>
+            </MSFT:AllowedValues>
+          </DFProperties>
+        </Node>
         <Node>
           <NodeName>UseCertificateForOnPremAuth</NodeName>
           <DFProperties>
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index d949612f72..bc9ea26ab4 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/29/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -2144,6 +2144,7 @@ This article lists the ADMX-backed policies in Policy CSP.
 - [EnableAdditionalSources](policy-csp-desktopappinstaller.md)
 - [EnableAllowedSources](policy-csp-desktopappinstaller.md)
 - [EnableMSAppInstallerProtocol](policy-csp-desktopappinstaller.md)
+- [EnableWindowsPackageManagerCommandLineInterfaces](policy-csp-desktopappinstaller.md)
 
 ## DeviceInstallation
 
@@ -2416,7 +2417,10 @@ This article lists the ADMX-backed policies in Policy CSP.
 - [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
 - [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
 - [InternetZoneLogonOptions](policy-csp-internetexplorer.md)
+- [IntranetZoneLogonOptions](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneLogonOptions](policy-csp-internetexplorer.md)
 - [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md)
+- [LocalMachineZoneLogonOptions](policy-csp-internetexplorer.md)
 - [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md)
 - [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md)
 - [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
index 5f25eb4ff5..a1d5758c14 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/29/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -383,10 +383,18 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [Devices_AllowedToFormatAndEjectRemovableMedia](policy-csp-localpoliciessecurityoptions.md)
 - [Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](policy-csp-localpoliciessecurityoptions.md)
 - [Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md)
+- [Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DigitallySignSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DisableMachineAccountPasswordChanges](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_MaximumMachineAccountPasswordAge](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_RequireStrongSessionKey](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_DoNotRequireCTRLALTDEL](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_DoNotDisplayLastSignedIn](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_DoNotDisplayUsernameAtSignIn](policy-csp-localpoliciessecurityoptions.md)
+- [InteractiveLogon_MachineAccountThreshold](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_MachineInactivityLimit](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_MessageTextForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md)
@@ -394,11 +402,13 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [MicrosoftNetworkClient_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md)
 - [MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](policy-csp-localpoliciessecurityoptions.md)
 - [MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](policy-csp-localpoliciessecurityoptions.md)
+- [MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](policy-csp-localpoliciessecurityoptions.md)
 - [MicrosoftNetworkServer_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md)
 - [MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkAccess_AllowAnonymousSIDOrNameTranslation](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM](policy-csp-localpoliciessecurityoptions.md)
@@ -412,8 +422,10 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](policy-csp-localpoliciessecurityoptions.md)
+- [RecoveryConsole_AllowAutomaticAdministrativeLogon](policy-csp-localpoliciessecurityoptions.md)
 - [Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](policy-csp-localpoliciessecurityoptions.md)
 - [Shutdown_ClearVirtualMemoryPageFile](policy-csp-localpoliciessecurityoptions.md)
+- [SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems](policy-csp-localpoliciessecurityoptions.md)
 - [UserAccountControl_UseAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md)
 - [UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](policy-csp-localpoliciessecurityoptions.md)
 - [UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](policy-csp-localpoliciessecurityoptions.md)
@@ -634,7 +646,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [HideRecommendedSection](policy-csp-start.md)
 - [HideRecommendedPersonalizedSites](policy-csp-start.md)
 - [HideTaskViewButton](policy-csp-start.md)
-- [HideCopilotButton](policy-csp-start.md)
 - [DisableControlCenter](policy-csp-start.md)
 - [SimplifyQuickSettings](policy-csp-start.md)
 - [DisableEditingQuickSettings](policy-csp-start.md)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index f0e33b1fda..7e755cbccd 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Windows 10 Team
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/29/2023
+ms.date: 09/25/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -263,7 +263,6 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
 
 ## Start
 
-- [HideCopilotButton](policy-csp-start.md#hidecopilotbutton)
 - [HideRecommendedPersonalizedSites](policy-csp-start.md#hiderecommendedpersonalizedsites)
 - [StartLayout](policy-csp-start.md#startlayout)
 
diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md
index f6b11c6d2b..19a7dcb36f 100644
--- a/windows/client-management/mdm/policy-csp-admx-ncsi.md
+++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md
@@ -269,7 +269,7 @@ This policy setting enables you to specify the HTTPS URL of the corporate websit
 <!-- NCSI_DomainLocationDeterminationUrl-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
-> This indicates the Network Location Server (NLS) URL and applies exclusively to DirectAccess clients (it does NOT apply for example to VPN clients). For non-DirectAccess scenarios, such as Azure AD only joined devices, please refer to [Policy CSP - NetworkListManager](./policy-csp-networklistmanager.md).
+> This indicates the Network Location Server (NLS) URL and applies exclusively to DirectAccess clients (it does NOT apply for example to VPN clients). For non-DirectAccess scenarios, such as Microsoft Entra-only joined devices, please refer to [Policy CSP - NetworkListManager](./policy-csp-networklistmanager.md).
 <!-- NCSI_DomainLocationDeterminationUrl-Editable-End -->
 
 <!-- NCSI_DomainLocationDeterminationUrl-DFProperties-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
index d1e099f8ba..b0ed275af0 100644
--- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
+++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_OfflineFiles Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/23/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -1755,7 +1755,7 @@ This policy setting is triggered by the configured round trip network latency va
 
 - If you enable this policy setting, transparent caching is enabled and configurable.
 
-- If you disable or don't configure this policy setting, remote files will be not be transparently cached on client computers.
+- If you disable or don't configure this policy setting, remote files won't be transparently cached on client computers.
 <!-- Pol_OnlineCachingSettings-Description-End -->
 
 <!-- Pol_OnlineCachingSettings-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md
index ca002f8ab0..df3ab6fb49 100644
--- a/windows/client-management/mdm/policy-csp-admx-power.md
+++ b/windows/client-management/mdm/policy-csp-admx-power.md
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_Power Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/23/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -102,7 +102,7 @@ This policy setting allows you to control the network connectivity state in stan
 <!-- Description-Source-ADMX -->
 This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping.
 
-- If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate).
+- If you enable this policy setting, an application or service may prevent the system from sleeping (hybrid Sleep, Stand By, or Hibernate).
 
 - If you disable or don't configure this policy setting, users control this setting.
 <!-- ACCriticalSleepTransitionsDisable_2-Description-End -->
@@ -885,7 +885,7 @@ This policy setting allows you to control the network connectivity state in stan
 <!-- Description-Source-ADMX -->
 This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping.
 
-- If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate).
+- If you enable this policy setting, an application or service may prevent the system from sleeping (hybrid Sleep, Stand By, or Hibernate).
 
 - If you disable or don't configure this policy setting, users control this setting.
 <!-- DCCriticalSleepTransitionsDisable_2-Description-End -->
diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
index 690350461f..d804a847a8 100644
--- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md
+++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_TerminalServer Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/30/2023
+ms.date: 10/24/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -2459,7 +2459,7 @@ Per Device licensing mode requires that each device connecting to this RD Sessio
 - If you disable or don't configure this policy setting, the licensing mode isn't specified at the Group Policy level.
 
 > [!NOTE]
-> AAD Per User mode is deprecated on Windows 11 and above.
+> Microsoft Entra ID Per User mode is deprecated on Windows 11 and above.
 <!-- TS_LICENSING_MODE-Description-End -->
 
 <!-- TS_LICENSING_MODE-Editable-Begin -->
@@ -2515,7 +2515,7 @@ Per Device licensing mode requires that each device connecting to this RD Sessio
 <!-- Description-Source-ADMX -->
 Specifies whether Remote Desktop Services limits the number of simultaneous connections to the server.
 
-You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is exceeded, addtional users who try to connect receive an error message telling them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are demanding system resources. By default, RD Session Host servers allow an unlimited number of Remote Desktop Services sessions, and Remote Desktop for Administration allows two Remote Desktop Services sessions.
+You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is exceeded, additional users who try to connect receive an error message telling them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are demanding system resources. By default, RD Session Host servers allow an unlimited number of Remote Desktop Services sessions, and Remote Desktop for Administration allows two Remote Desktop Services sessions.
 
 To use this setting, enter the number of connections you want to specify as the maximum for the server. To specify an unlimited number of connections, type 999999.
 
@@ -4070,7 +4070,7 @@ This policy setting allows you to configure graphics encoding to use the RemoteF
 
 <!-- TS_SERVER_PROFILE-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available nework bandwidth.
+This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available network bandwidth.
 
 - If you enable this policy setting, the RemoteFX experience could be set to one of the following options:
 
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 0d8d931bf2..7796c7da9d 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -4,7 +4,7 @@ description: Learn more about the ApplicationDefaults Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -37,7 +37,7 @@ ms.topic: reference
 
 <!-- DefaultAssociationsConfiguration-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml). The file can be further edited by adding attributes to control how often associations are applied by the policy. The file then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
+This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc. xml), and then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Microsoft Entra joined, the associations assigned in SyncML will be processed and default associations will be applied.
 <!-- DefaultAssociationsConfiguration-Description-End -->
 
 <!-- DefaultAssociationsConfiguration-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index b571cedbad..7cfb9ef14a 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -4,7 +4,7 @@ description: Learn more about the AppVirtualization Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -149,7 +149,7 @@ Enables Dynamic Virtualization of supported shell extensions, browser helper obj
 
 <!-- AllowPackageCleanup-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Enables automatic cleanup of appv packages that were added after Windows10 anniversary release.
+Enables automatic cleanup of appv packages that were added after Windows 10 anniversary release.
 <!-- AllowPackageCleanup-Description-End -->
 
 <!-- AllowPackageCleanup-Editable-Begin -->
@@ -1443,7 +1443,7 @@ Specifies the number of times to retry a dropped session.
 
 <!-- StreamingSharedContentStoreMode-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Specifies that streamed package contents will be not be saved to the local hard disk.
+Specifies that streamed package contents won't be saved to the local hard disk.
 <!-- StreamingSharedContentStoreMode-Description-End -->
 
 <!-- StreamingSharedContentStoreMode-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index 1a51901f9e..7d6b0d757b 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -4,7 +4,7 @@ description: Learn more about the Authentication Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -39,13 +39,13 @@ ms.topic: reference
 
 <!-- AllowAadPasswordReset-Description-Begin -->
 <!-- Description-Source-DDF -->
-Specifies whether password reset is enabled for AAD accounts.
+Specifies whether password reset is enabled for Microsoft Entra accounts.
 <!-- AllowAadPasswordReset-Description-End -->
 
 <!-- AllowAadPasswordReset-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 
-This policy allows the Azure Active Directory (Azure AD) tenant administrator to enable the self-service password reset feature on the Windows sign-in screen.
+This policy allows the Microsoft Entra tenant administrator to enable the self-service password reset feature on the Windows sign-in screen.
 <!-- AllowAadPasswordReset-Editable-End -->
 
 <!-- AllowAadPasswordReset-DFProperties-Begin -->
@@ -90,7 +90,7 @@ This policy allows the Azure Active Directory (Azure AD) tenant administrator to
 
 <!-- AllowEAPCertSSO-Description-Begin -->
 <!-- Description-Source-DDF -->
-Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources.
+Allows an EAP cert-based authentication for a single sign-on (SSO) to access internal resources.
 <!-- AllowEAPCertSSO-Description-End -->
 
 <!-- AllowEAPCertSSO-Editable-Begin -->
@@ -188,7 +188,7 @@ Allows EAP Fast Reconnect from being attempted for EAP Method TLS. Most restrict
 
 <!-- AllowSecondaryAuthenticationDevice-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy allows users to use a companion device, such as a phone, fitness band, or IoT device, to sign on to a desktop computer running Windows 10. The companion device provides a second factor of authentication with Windows Hello.
+This policy allows users to use a companion device, such as a phone, fitness band, or IoT device, to sign-on to a desktop computer running Windows 10. The companion device provides a second factor of authentication with Windows Hello.
 
 - If you enable or don't configure this policy setting, users can authenticate to Windows Hello using a companion device.
 
@@ -262,7 +262,7 @@ Specifies a list of domains that are allowed to access the webcam in Web Sign-in
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 
 > [!NOTE]
-> Web sign-in is only supported on Azure AD joined PCs.
+> Web sign-in is only supported on Microsoft Entra joined PCs.
 <!-- ConfigureWebcamAccessDomainNames-Editable-End -->
 
 <!-- ConfigureWebcamAccessDomainNames-DFProperties-Begin -->
@@ -312,7 +312,7 @@ Specifies a list of URLs that are navigable in Web Sign-in based authentication
 
 This policy specifies the list of domains that users can access in certain authentication scenarios. For example:
 
-- Azure Active Directory (Azure AD) PIN reset
+- Microsoft Entra ID PIN reset
 - Web sign-in Windows device scenarios where authentication is handled by Active Directory Federation Services (AD FS) or a third-party federated identity provider
 
 > [!NOTE]
@@ -358,13 +358,13 @@ Your organization's PIN reset or web sign-in authentication flow is expected to
 
 <!-- EnableFastFirstSignIn-Description-Begin -->
 <!-- Description-Source-DDF -->
-Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts.
+Specifies whether new non-admin Microsoft Entra accounts should auto-connect to pre-created candidate local accounts.
 <!-- EnableFastFirstSignIn-Description-End -->
 
 <!-- EnableFastFirstSignIn-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 
-This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.
+This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Microsoft Entra accounts to the pre-configured candidate local accounts.
 
 > [!IMPORTANT]
 > Pre-configured candidate local accounts are any local accounts that are pre-configured or added on the device.
@@ -386,8 +386,8 @@ This policy is intended for use on Shared PCs to enable a quick first sign-in ex
 | Value | Description |
 |:--|:--|
 | 0 (Default) | The feature defaults to the existing SKU and device capabilities. |
-| 1 | Enabled. Auto-connect new non-admin Azure AD accounts to pre-configured candidate local accounts. |
-| 2 | Disabled. Don't auto-connect new non-admin Azure AD accounts to pre-configured local accounts. |
+| 1 | Enabled. Auto-connect new non-admin Microsoft Entra accounts to pre-configured candidate local accounts. |
+| 2 | Disabled. Don't auto-connect new non-admin Microsoft Entra accounts to pre-configured local accounts. |
 <!-- EnableFastFirstSignIn-AllowedValues-End -->
 
 <!-- EnableFastFirstSignIn-Examples-Begin -->
@@ -413,7 +413,7 @@ This policy is intended for use on Shared PCs to enable a quick first sign-in ex
 
 <!-- EnablePasswordlessExperience-Description-Begin -->
 <!-- Description-Source-DDF -->
-Specifies whether connected users on AADJ devices receive a Passwordless experience on Windows.
+Specifies whether connected users on Microsoft Entra joined devices receive a Passwordless experience on Windows.
 <!-- EnablePasswordlessExperience-Description-End -->
 
 <!-- EnablePasswordlessExperience-Editable-Begin -->
@@ -470,12 +470,12 @@ Specifies whether web-based sign-in is allowed for signing in to Windows.
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 
 > [!WARNING]
-> The Web sign-in feature is intended for recovery purposes in the event a password isn't available as an authentication method. Web sign-in only supports *temporary access pass* as an authentication method for Azure Active Directory (Azure AD), unless it's used in a limited federated scope.
+> The Web sign-in feature is intended for recovery purposes in the event a password isn't available as an authentication method. Web sign-in only supports *temporary access pass* as an authentication method for Microsoft Entra ID, unless it's used in a limited federated scope.
 
-**Web sign-in** is a modern way of signing into a Windows PC. It enables Windows sign-in support for new Azure AD credentials, like temporary access pass.
+**Web sign-in** is a modern way of signing into a Windows PC. It enables Windows sign-in support for new Microsoft Entra credentials, like temporary access pass.
 
 > [!NOTE]
-> Web sign-in is only supported on Azure AD joined PCs.
+> Web sign-in is only supported on Microsoft Entra joined PCs.
 <!-- EnableWebSignIn-Editable-End -->
 
 <!-- EnableWebSignIn-DFProperties-Begin -->
@@ -521,7 +521,7 @@ Specifies whether web-based sign-in is allowed for signing in to Windows.
 
 <!-- PreferredAadTenantDomainName-Description-Begin -->
 <!-- Description-Source-DDF -->
-Specifies the preferred domain among available domains in the AAD tenant.
+Specifies the preferred domain among available domains in the Microsoft Entra tenant.
 <!-- PreferredAadTenantDomainName-Description-End -->
 
 <!-- PreferredAadTenantDomainName-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-clouddesktop.md b/windows/client-management/mdm/policy-csp-clouddesktop.md
index 6fbb9672f7..66d7fcc0ad 100644
--- a/windows/client-management/mdm/policy-csp-clouddesktop.md
+++ b/windows/client-management/mdm/policy-csp-clouddesktop.md
@@ -4,7 +4,7 @@ description: Learn more about the CloudDesktop Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 09/14/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -16,8 +16,6 @@ ms.topic: reference
 <!-- CloudDesktop-Begin -->
 # Policy CSP - CloudDesktop
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- CloudDesktop-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- CloudDesktop-Editable-End -->
@@ -28,7 +26,7 @@ ms.topic: reference
 <!-- BootToCloudMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2338] and later |
 <!-- BootToCloudMode-Applicability-End -->
 
 <!-- BootToCloudMode-OmaUri-Begin -->
@@ -77,7 +75,7 @@ This policy allows the user to configure the boot to cloud mode. Boot to Cloud m
 <!-- SetMaxConnectionTimeout-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.22631.2050] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2338] and later |
 <!-- SetMaxConnectionTimeout-Applicability-End -->
 
 <!-- SetMaxConnectionTimeout-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index 485f675610..4c27326f83 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -49,7 +49,7 @@ If set to 1 then any MDM policy that's set that has an equivalent GP policy will
 This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
 
 > [!NOTE]
-> This policy doesn't support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1.
+> In Windows 10 version 1803, this policy doesn't support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1.
 
 The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy. This ensures that:
 
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 7216ad6c03..36aeeec980 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/23/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -1078,6 +1078,12 @@ This policy setting allows you to configure the maximum percentage CPU utilizati
 
 <!-- AvgCPULoadFactor-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+
+> [!NOTE]
+> If you enable both of the following policies, then Windows ignores the value of **AvgCPULoadFactor**:
+> 
+> - [ScanOnlyIfIdle](defender-csp.md#configurationscanonlyifidleenabled): Instructs the product to scan only when the computer isn't in use.
+> - [DisableCpuThrottleOnIdleScans](defender-csp.md#configurationdisablecputhrottleonidlescans): Instructs the product to disable CPU throttling on idle scans.
 <!-- AvgCPULoadFactor-Editable-End -->
 
 <!-- AvgCPULoadFactor-DFProperties-Begin -->
@@ -2902,7 +2908,9 @@ Valid remediation action values are:
 <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
 <!-- Links -->
 [TAMPER-1]: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
+
 [TAMPER-2]: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-about-exclusions
+
 <!-- Defender-CspMoreInfo-End -->
 
 <!-- Defender-End -->
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index 2c24bd31ed..c8b37170cf 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -703,13 +703,13 @@ Note this is a best effort optimization and shouldn't be relied on for an authen
 
 <!-- DOGroupIdSource-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
+Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Microsoft Entra ID. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
 <!-- DOGroupIdSource-Description-End -->
 
 <!-- DOGroupIdSource-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
-> The default behavior, when neither the DOGroupId or DOGroupIdSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If DOGroupIdSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead.
+> The default behavior, when neither the DOGroupId or DOGroupIdSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. If DOGroupIdSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead.
 <!-- DOGroupIdSource-Editable-End -->
 
 <!-- DOGroupIdSource-DFProperties-Begin -->
@@ -732,7 +732,7 @@ Set this policy to restrict peer selection to a specific source. Available optio
 | 2 | Authenticated domain SID. |
 | 3 | DHCP user option. |
 | 4 | DNS suffix. |
-| 5 | AAD. |
+| 5 | Microsoft Entra ID. |
 <!-- DOGroupIdSource-AllowedValues-End -->
 
 <!-- DOGroupIdSource-GpMapping-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
index 0e8a4f4777..700a225113 100644
--- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md
+++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
@@ -4,7 +4,7 @@ description: Learn more about the DesktopAppInstaller Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -18,6 +18,8 @@ ms.topic: reference
 
 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
 
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
 <!-- DesktopAppInstaller-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- DesktopAppInstaller-Editable-End -->
@@ -723,6 +725,56 @@ The settings are stored inside of a .json file on the user’s system. It may be
 
 <!-- EnableSettings-End -->
 
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Begin -->
+## EnableWindowsPackageManagerCommandLineInterfaces
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Applicability-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableWindowsPackageManagerCommandLineInterfaces
+```
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-OmaUri-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Description-Begin -->
+<!-- Description-Source-Not-Found -->
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Description-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Editable-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-DFProperties-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-AdmxBacked-Begin -->
+<!-- ADMX-Not-Found -->
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableWindowsPackageManagerCommandLineInterfaces |
+| ADMX File Name | DesktopAppInstaller.admx |
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-AdmxBacked-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Examples-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-End -->
+
 <!-- SourceAutoUpdateInterval-Begin -->
 ## SourceAutoUpdateInterval
 
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index aea8cbe4f0..3fbecc7fbe 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -352,7 +352,7 @@ When Find My Device is off, the device and its location aren't registered and th
 
 <!-- AllowManualMDMUnenrollment-Description-Begin -->
 <!-- Description-Source-DDF -->
-Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e. g. auto-enrolled), then disabling the MDM unenrollment has no effect.
+Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Microsoft Entra joined and MDM enrolled (e. g. auto-enrolled), then disabling the MDM unenrollment has no effect.
 
 > [!NOTE]
 > The MDM server can always remotely delete the account. Most restricted value is 0.
diff --git a/windows/client-management/mdm/policy-csp-federatedauthentication.md b/windows/client-management/mdm/policy-csp-federatedauthentication.md
index c16129a3eb..18426abce1 100644
--- a/windows/client-management/mdm/policy-csp-federatedauthentication.md
+++ b/windows/client-management/mdm/policy-csp-federatedauthentication.md
@@ -4,7 +4,7 @@ description: Learn more about the FederatedAuthentication Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/23/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -43,7 +43,7 @@ Specifies whether web-based sign-in is enabled with the Primary User experience.
 <!-- EnableWebSignInForPrimaryUser-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
-> Web Sign-in is only supported on Azure AD Joined PCs.
+> Web Sign-in is only supported on Microsoft Entra joined PCs.
 <!-- EnableWebSignInForPrimaryUser-Editable-End -->
 
 <!-- EnableWebSignInForPrimaryUser-DFProperties-Begin -->
@@ -63,7 +63,7 @@ Specifies whether web-based sign-in is enabled with the Primary User experience.
 |:--|:--|
 | 0 (Default) | Feature defaults as appropriate for edition and device capabilities. As of now, all editions/devices exhibit Disabled behavior by default. However, this may change for future editions/devices. |
 | 1 | Enabled. Web Sign-in Credential Provider will be enabled for device sign-in. |
-| 2 | Disabled. Web Sign-in Credential Provider will be not be enabled for device sign-in. |
+| 2 | Disabled. Web Sign-in Credential Provider won't be enabled for device sign-in. |
 <!-- EnableWebSignInForPrimaryUser-AllowedValues-End -->
 
 <!-- EnableWebSignInForPrimaryUser-Examples-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index c0b5145841..d707b4af93 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -4,7 +4,7 @@ description: Learn more about the InternetExplorer Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -18,6 +18,8 @@ ms.topic: reference
 
 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
 
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
 <!-- InternetExplorer-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- InternetExplorer-Editable-End -->
@@ -7727,6 +7729,78 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
 
 <!-- IntranetZoneJavaPermissions-End -->
 
+<!-- IntranetZoneLogonOptions-Begin -->
+## IntranetZoneLogonOptions
+
+<!-- IntranetZoneLogonOptions-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- IntranetZoneLogonOptions-Applicability-End -->
+
+<!-- IntranetZoneLogonOptions-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneLogonOptions
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneLogonOptions
+```
+<!-- IntranetZoneLogonOptions-OmaUri-End -->
+
+<!-- IntranetZoneLogonOptions-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to manage settings for logon options.
+
+- If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.
+
+- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+- If you don't configure this policy setting, logon is set to Automatic logon only in Intranet zone.
+<!-- IntranetZoneLogonOptions-Description-End -->
+
+<!-- IntranetZoneLogonOptions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- IntranetZoneLogonOptions-Editable-End -->
+
+<!-- IntranetZoneLogonOptions-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- IntranetZoneLogonOptions-DFProperties-End -->
+
+<!-- IntranetZoneLogonOptions-AdmxBacked-Begin -->
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyLogon_3 |
+| Friendly Name | Logon options |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 |
+| ADMX File Name | inetres.admx |
+<!-- IntranetZoneLogonOptions-AdmxBacked-End -->
+
+<!-- IntranetZoneLogonOptions-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- IntranetZoneLogonOptions-Examples-End -->
+
+<!-- IntranetZoneLogonOptions-End -->
+
 <!-- IntranetZoneNavigateWindowsAndFrames-Begin -->
 ## IntranetZoneNavigateWindowsAndFrames
 
@@ -8730,6 +8804,78 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
 
 <!-- LocalMachineZoneJavaPermissions-End -->
 
+<!-- LocalMachineZoneLogonOptions-Begin -->
+## LocalMachineZoneLogonOptions
+
+<!-- LocalMachineZoneLogonOptions-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- LocalMachineZoneLogonOptions-Applicability-End -->
+
+<!-- LocalMachineZoneLogonOptions-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneLogonOptions
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneLogonOptions
+```
+<!-- LocalMachineZoneLogonOptions-OmaUri-End -->
+
+<!-- LocalMachineZoneLogonOptions-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to manage settings for logon options.
+
+- If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.
+
+- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+- If you don't configure this policy setting, logon is set to Automatic logon with current username and password.
+<!-- LocalMachineZoneLogonOptions-Description-End -->
+
+<!-- LocalMachineZoneLogonOptions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- LocalMachineZoneLogonOptions-Editable-End -->
+
+<!-- LocalMachineZoneLogonOptions-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- LocalMachineZoneLogonOptions-DFProperties-End -->
+
+<!-- LocalMachineZoneLogonOptions-AdmxBacked-Begin -->
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyLogon_9 |
+| Friendly Name | Logon options |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 |
+| ADMX File Name | inetres.admx |
+<!-- LocalMachineZoneLogonOptions-AdmxBacked-End -->
+
+<!-- LocalMachineZoneLogonOptions-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- LocalMachineZoneLogonOptions-Examples-End -->
+
+<!-- LocalMachineZoneLogonOptions-End -->
+
 <!-- LocalMachineZoneNavigateWindowsAndFrames-Begin -->
 ## LocalMachineZoneNavigateWindowsAndFrames
 
@@ -17229,6 +17375,78 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
 
 <!-- TrustedSitesZoneJavaPermissions-End -->
 
+<!-- TrustedSitesZoneLogonOptions-Begin -->
+## TrustedSitesZoneLogonOptions
+
+<!-- TrustedSitesZoneLogonOptions-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- TrustedSitesZoneLogonOptions-Applicability-End -->
+
+<!-- TrustedSitesZoneLogonOptions-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneLogonOptions
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneLogonOptions
+```
+<!-- TrustedSitesZoneLogonOptions-OmaUri-End -->
+
+<!-- TrustedSitesZoneLogonOptions-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to manage settings for logon options.
+
+- If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.
+
+- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+- If you don't configure this policy setting, logon is set to Automatic logon with current username and password.
+<!-- TrustedSitesZoneLogonOptions-Description-End -->
+
+<!-- TrustedSitesZoneLogonOptions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- TrustedSitesZoneLogonOptions-Editable-End -->
+
+<!-- TrustedSitesZoneLogonOptions-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- TrustedSitesZoneLogonOptions-DFProperties-End -->
+
+<!-- TrustedSitesZoneLogonOptions-AdmxBacked-Begin -->
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyLogon_5 |
+| Friendly Name | Logon options |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 |
+| ADMX File Name | inetres.admx |
+<!-- TrustedSitesZoneLogonOptions-AdmxBacked-End -->
+
+<!-- TrustedSitesZoneLogonOptions-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- TrustedSitesZoneLogonOptions-Examples-End -->
+
+<!-- TrustedSitesZoneLogonOptions-End -->
+
 <!-- TrustedSitesZoneNavigateWindowsAndFrames-Begin -->
 ## TrustedSitesZoneNavigateWindowsAndFrames
 
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index cb861e1a11..ed58ffd639 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -4,7 +4,7 @@ description: Learn more about the Kerberos Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/23/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -98,11 +98,11 @@ This policy setting defines the list of trusting forests that the Kerberos clien
 
 <!-- CloudKerberosTicketRetrievalEnabled-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting allows retrieving the Azure AD Kerberos Ticket Granting Ticket during logon.
+This policy setting allows retrieving the Microsoft Entra Kerberos Ticket Granting Ticket during logon.
 
-- If you disable or don't configure this policy setting, the Azure AD Kerberos Ticket Granting Ticket isn't retrieved during logon.
+- If you disable or don't configure this policy setting, the Microsoft Entra Kerberos Ticket Granting Ticket isn't retrieved during logon.
 
-- If you enable this policy setting, the Azure AD Kerberos Ticket Granting Ticket is retrieved during logon.
+- If you enable this policy setting, the Microsoft Entra Kerberos Ticket Granting Ticket is retrieved during logon.
 <!-- CloudKerberosTicketRetrievalEnabled-Description-End -->
 
 <!-- CloudKerberosTicketRetrievalEnabled-Editable-Begin -->
@@ -781,8 +781,8 @@ The size of the context token buffer determines the maximum size of SSPI context
 
 <!-- UPNNameHints-Description-Begin -->
 <!-- Description-Source-DDF -->
-Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal.
-This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it's otherwise unable to resolve a UPN to a principal.
+Devices joined to Microsoft Entra ID in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve a Microsoft Entra UPN into an Active Directory Principal.
+This parameter adds a list of domains that a Microsoft Entra joined device should attempt to contact if it's otherwise unable to resolve a UPN to a principal.
 <!-- UPNNameHints-Description-End -->
 
 <!-- UPNNameHints-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 9e5011246e..f3317c93af 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -4,7 +4,7 @@ description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CS
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -367,6 +367,134 @@ Accounts: Rename guest account This security setting determines whether a differ
 
 <!-- Accounts_RenameGuestAccount-End -->
 
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Begin -->
+## Audit_AuditTheUseOfBackupAndRestoreprivilege
+
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Applicability-End -->
+
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Audit_AuditTheUseOfBackupAndRestoreprivilege
+```
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-OmaUri-End -->
+
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Description-Begin -->
+<!-- Description-Source-DDF -->
+Audit: Audit the use of Backup and Restore privilege This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Enabling this option when the Audit privilege use policy is also enabled generates an audit event for every file that's backed up or restored. If you disable this policy, then use of the Backup or Restore privilege isn't audited even when Audit privilege use is enabled.
+
+> [!NOTE]
+> On Windows versions prior to Windows Vista configuring this security setting, changes won't take effect until you restart Windows. Enabling this setting can cause a LOT of events, sometimes hundreds per second, during a backup operation. Default: Disabled.
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Description-End -->
+
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Editable-End -->
+
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `b64` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: ``) |
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-DFProperties-End -->
+
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Examples-End -->
+
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-End -->
+
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Begin -->
+## Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings
+
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Applicability-End -->
+
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings
+```
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-OmaUri-End -->
+
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Description-Begin -->
+<!-- Description-Source-DDF -->
+Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing group policy may override the subcategory settings of new machines as they're joined to the domain or upgraded to Windows Vista or later versions. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. If the category level audit policy set here isn't consistent with the events that are currently being generated, the cause might be that this registry key is set. Default: Enabled.
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Description-End -->
+
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Editable-End -->
+
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-DFProperties-End -->
+
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Examples-End -->
+
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-End -->
+
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Begin -->
+## Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits
+
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Applicability-End -->
+
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits
+```
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-OmaUri-End -->
+
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Description-Begin -->
+<!-- Description-Source-DDF -->
+Audit: Shut down system immediately if unable to log security audits This security setting determines whether the system shuts down if it's unable to log security events. If this security setting is enabled, it causes the system to stop if a security audit can't be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the retention method that's specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days. If the security log is full and an existing entry can't be overwritten, and this security option is enabled, the following Stop error appears: STOP: C0000244 {Audit Failed} An attempt to generate a security audit failed. To recover, an administrator must log on, archive the log (optional), clear the log, and reset this option as desired. Until this security setting is reset, no users, other than a member of the Administrators group will be able to log on to the system, even if the security log isn't full.
+
+> [!NOTE]
+> On Windows versions prior to Windows Vista configuring this security setting, changes won't take effect until you restart Windows. Default: Disabled.
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Description-End -->
+
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Editable-End -->
+
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 0 |
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-DFProperties-End -->
+
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Examples-End -->
+
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-End -->
+
 <!-- Devices_AllowedToFormatAndEjectRemovableMedia-Begin -->
 ## Devices_AllowedToFormatAndEjectRemovableMedia
 
@@ -588,6 +716,381 @@ Devices: Restrict CD-ROM access to locally logged-on user only This security set
 
 <!-- Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly-End -->
 
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Begin -->
+## Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly
+
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Applicability-End -->
+
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly
+```
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-OmaUri-End -->
+
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Description-Begin -->
+<!-- Description-Source-DDF -->
+Devices: Restrict floppy access to locally logged-on user only This security setting determines whether removable floppy media are accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable floppy media. If this policy is enabled and no one is logged-on interactively, the floppy can be accessed over the network. Default: This policy isn't defined and floppy disk drive access isn't restricted to the locally logged-on user.
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Description-End -->
+
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Editable-End -->
+
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-DFProperties-End -->
+
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Devices: Restrict floppy access to locally logged-on user only |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-GpMapping-End -->
+
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Examples-End -->
+
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-End -->
+
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Begin -->
+## DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Applicability-End -->
+
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+```
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-OmaUri-End -->
+
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Description-Begin -->
+<!-- Description-Source-DDF -->
+Domain member: Digitally encrypt or sign secure channel data (always) This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel won't be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when possible) Default: Enabled.
+
+> [!NOTE]
+> If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Description-End -->
+
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Editable-End -->
+
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-DFProperties-End -->
+
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Digitally encrypt or sign secure channel data (always) |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-GpMapping-End -->
+
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Examples-End -->
+
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-End -->
+
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Begin -->
+## DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Applicability-End -->
+
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+```
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-OmaUri-End -->
+
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Description-Begin -->
+<!-- Description-Source-DDF -->
+Domain member: Digitally encrypt secure channel data (when possible) This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc. This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member won't attempt to negotiate secure channel encryption. Default: Enabled.
+
+> [!IMPORTANT]
+> There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
+
+> [!NOTE]
+> Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Description-End -->
+
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Editable-End -->
+
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-DFProperties-End -->
+
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Digitally encrypt secure channel data (when possible) |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-GpMapping-End -->
+
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Examples-End -->
+
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-End -->
+
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Begin -->
+## DomainMember_DigitallySignSecureChannelDataWhenPossible
+
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Applicability-End -->
+
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible
+```
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-OmaUri-End -->
+
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Description-Begin -->
+<!-- Description-Source-DDF -->
+Domain member: Digitally sign secure channel data (when possible) This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it can't be tampered with in transit. Default: Enabled.
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Description-End -->
+
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Editable-End -->
+
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-DFProperties-End -->
+
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Digitally sign secure channel data (when possible) |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-GpMapping-End -->
+
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Examples-End -->
+
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-End -->
+
+<!-- DomainMember_DisableMachineAccountPasswordChanges-Begin -->
+## DomainMember_DisableMachineAccountPasswordChanges
+
+<!-- DomainMember_DisableMachineAccountPasswordChanges-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- DomainMember_DisableMachineAccountPasswordChanges-Applicability-End -->
+
+<!-- DomainMember_DisableMachineAccountPasswordChanges-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
+```
+<!-- DomainMember_DisableMachineAccountPasswordChanges-OmaUri-End -->
+
+<!-- DomainMember_DisableMachineAccountPasswordChanges-Description-Begin -->
+<!-- Description-Source-DDF -->
+Domain member: Disable machine account password changes Determines whether a domain member periodically changes its computer account password.
+
+- If this setting is enabled, the domain member doesn't attempt to change its computer account password.
+
+- If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. Default: Disabled.
+
+> [!NOTE]
+> This security setting shouldn't be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it's established, the secure channel is used to transmit sensitive information that's necessary for making authentication and authorization decisions. This setting shouldn't be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
+<!-- DomainMember_DisableMachineAccountPasswordChanges-Description-End -->
+
+<!-- DomainMember_DisableMachineAccountPasswordChanges-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DomainMember_DisableMachineAccountPasswordChanges-Editable-End -->
+
+<!-- DomainMember_DisableMachineAccountPasswordChanges-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 0 |
+<!-- DomainMember_DisableMachineAccountPasswordChanges-DFProperties-End -->
+
+<!-- DomainMember_DisableMachineAccountPasswordChanges-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Disable machine account password changes |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- DomainMember_DisableMachineAccountPasswordChanges-GpMapping-End -->
+
+<!-- DomainMember_DisableMachineAccountPasswordChanges-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DomainMember_DisableMachineAccountPasswordChanges-Examples-End -->
+
+<!-- DomainMember_DisableMachineAccountPasswordChanges-End -->
+
+<!-- DomainMember_MaximumMachineAccountPasswordAge-Begin -->
+## DomainMember_MaximumMachineAccountPasswordAge
+
+<!-- DomainMember_MaximumMachineAccountPasswordAge-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- DomainMember_MaximumMachineAccountPasswordAge-Applicability-End -->
+
+<!-- DomainMember_MaximumMachineAccountPasswordAge-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge
+```
+<!-- DomainMember_MaximumMachineAccountPasswordAge-OmaUri-End -->
+
+<!-- DomainMember_MaximumMachineAccountPasswordAge-Description-Begin -->
+<!-- Description-Source-DDF -->
+Domain member: Maximum machine account password age This security setting determines how often a domain member will attempt to change its computer account password. Default: 30 days.
+
+> [!IMPORTANT]
+> This setting applies to Windows 2000 computers, but it isn't available through the Security Configuration Manager tools on these computers.
+<!-- DomainMember_MaximumMachineAccountPasswordAge-Description-End -->
+
+<!-- DomainMember_MaximumMachineAccountPasswordAge-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DomainMember_MaximumMachineAccountPasswordAge-Editable-End -->
+
+<!-- DomainMember_MaximumMachineAccountPasswordAge-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-999]` |
+| Default Value  | 30 |
+<!-- DomainMember_MaximumMachineAccountPasswordAge-DFProperties-End -->
+
+<!-- DomainMember_MaximumMachineAccountPasswordAge-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Maximum machine account password age |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- DomainMember_MaximumMachineAccountPasswordAge-GpMapping-End -->
+
+<!-- DomainMember_MaximumMachineAccountPasswordAge-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DomainMember_MaximumMachineAccountPasswordAge-Examples-End -->
+
+<!-- DomainMember_MaximumMachineAccountPasswordAge-End -->
+
+<!-- DomainMember_RequireStrongSessionKey-Begin -->
+## DomainMember_RequireStrongSessionKey
+
+<!-- DomainMember_RequireStrongSessionKey-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- DomainMember_RequireStrongSessionKey-Applicability-End -->
+
+<!-- DomainMember_RequireStrongSessionKey-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey
+```
+<!-- DomainMember_RequireStrongSessionKey-OmaUri-End -->
+
+<!-- DomainMember_RequireStrongSessionKey-Description-Begin -->
+<!-- Description-Source-DDF -->
+Domain member: Require strong (Windows 2000 or later) session key This security setting determines whether 128-bit key strength is required for encrypted secure channel data. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on. Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters: Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Digitally encrypt secure channel data (when possible) Some or all of the information that's transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that's encrypted.
+
+- If this setting is enabled, then the secure channel won't be established unless 128-bit encryption can be performed.
+
+- If this setting is disabled, then the key strength is negotiated with the domain controller. Default: Enabled.
+
+> [!IMPORTANT]
+> In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later. In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
+<!-- DomainMember_RequireStrongSessionKey-Description-End -->
+
+<!-- DomainMember_RequireStrongSessionKey-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DomainMember_RequireStrongSessionKey-Editable-End -->
+
+<!-- DomainMember_RequireStrongSessionKey-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- DomainMember_RequireStrongSessionKey-DFProperties-End -->
+
+<!-- DomainMember_RequireStrongSessionKey-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Require strong (Windows 2000 or later) session key |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- DomainMember_RequireStrongSessionKey-GpMapping-End -->
+
+<!-- DomainMember_RequireStrongSessionKey-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DomainMember_RequireStrongSessionKey-Examples-End -->
+
+<!-- DomainMember_RequireStrongSessionKey-End -->
+
 <!-- InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked-Begin -->
 ## InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
 
@@ -822,6 +1325,56 @@ Interactive logon: Don't require CTRL+ALT+DEL This security setting determines w
 
 <!-- InteractiveLogon_DoNotRequireCTRLALTDEL-End -->
 
+<!-- InteractiveLogon_MachineAccountThreshold-Begin -->
+## InteractiveLogon_MachineAccountThreshold
+
+<!-- InteractiveLogon_MachineAccountThreshold-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- InteractiveLogon_MachineAccountThreshold-Applicability-End -->
+
+<!-- InteractiveLogon_MachineAccountThreshold-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MachineAccountThreshold
+```
+<!-- InteractiveLogon_MachineAccountThreshold-OmaUri-End -->
+
+<!-- InteractiveLogon_MachineAccountThreshold-Description-Begin -->
+<!-- Description-Source-DDF -->
+Interactive logon: Machine account threshold. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. This security setting determines the number of failed logon attempts that causes the machine to be locked out. A locked out machine can only be recovered by providing recovery key at console. You can set the value between 1 and 999 failed logon attempts. If you set the value to 0, the machine will never be locked out. Values from 1 to 3 will be interpreted as 4. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen savers counts as failed logon attempts. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that the appropriate recovery password backup policies are enabled. Default: 0.
+<!-- InteractiveLogon_MachineAccountThreshold-Description-End -->
+
+<!-- InteractiveLogon_MachineAccountThreshold-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- InteractiveLogon_MachineAccountThreshold-Editable-End -->
+
+<!-- InteractiveLogon_MachineAccountThreshold-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-999]` |
+| Default Value  | 0 |
+<!-- InteractiveLogon_MachineAccountThreshold-DFProperties-End -->
+
+<!-- InteractiveLogon_MachineAccountThreshold-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Interactive logon: Machine account lockout threshold |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- InteractiveLogon_MachineAccountThreshold-GpMapping-End -->
+
+<!-- InteractiveLogon_MachineAccountThreshold-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- InteractiveLogon_MachineAccountThreshold-Examples-End -->
+
+<!-- InteractiveLogon_MachineAccountThreshold-End -->
+
 <!-- InteractiveLogon_MachineInactivityLimit-Begin -->
 ## InteractiveLogon_MachineInactivityLimit
 
@@ -972,6 +1525,87 @@ Interactive logon: Message title for users attempting to log on This security se
 
 <!-- InteractiveLogon_MessageTitleForUsersAttemptingToLogOn-End -->
 
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Begin -->
+## InteractiveLogon_NumberOfPreviousLogonsToCache
+
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-End -->
+
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_NumberOfPreviousLogonsToCache
+```
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-OmaUri-End -->
+
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Description-Begin -->
+<!-- Description-Source-DDF -->
+Interactive logon: Number of previous logons to cache (in case domain controller isn't available) Each unique user's logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they're able to log on. The cached logon information is stored from the previous logon session. If a domain controller is unavailable and a user's logon information isn't cached, the user is prompted with this message: There are currently no logon servers available to service the logon request. In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts. Windows supports a maximum of 50 cache entries and the number of entries consumed per user depends on the credential. For example, a maximum of 50 unique password user accounts can be cached on a Windows system, but only 25 smart card user accounts can be cached because both the password information and the smart card information are stored. When a user with cached logon information logs on again, the user's individual cached information is replaced. Default: Windows Server 2008: 25 All Other Versions: 10.
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Description-End -->
+
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Editable-End -->
+
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 10 |
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-DFProperties-End -->
+
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Examples-End -->
+
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-End -->
+
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Begin -->
+## InteractiveLogon_PromptUserToChangePasswordBeforeExpiration
+
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Applicability-End -->
+
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_PromptUserToChangePasswordBeforeExpiration
+```
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-OmaUri-End -->
+
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Description-Begin -->
+<!-- Description-Source-DDF -->
+Interactive logon: Prompt user to change password before expiration Determines how far in advance (in days) users are warned that their password is about to expire. With this advance warning, the user has time to construct a password that's sufficiently strong. Default: 5 days.
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Description-End -->
+
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Editable-End -->
+
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-999]` |
+| Default Value  | 5 |
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-DFProperties-End -->
+
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Examples-End -->
+
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-End -->
+
 <!-- InteractiveLogon_SmartCardRemovalBehavior-Begin -->
 ## InteractiveLogon_SmartCardRemovalBehavior
 
@@ -1226,6 +1860,56 @@ Microsoft network client: Send unencrypted password to connect to third-party SM
 
 <!-- MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers-End -->
 
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Begin -->
+## MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
+
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Applicability-End -->
+
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
+```
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-OmaUri-End -->
+
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Description-Begin -->
+<!-- Description-Source-DDF -->
+Microsoft network server: Amount of idle time required before suspending a session This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. Default: This policy isn't defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Description-End -->
+
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Editable-End -->
+
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-15]` |
+| Default Value  | 15 |
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-DFProperties-End -->
+
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Microsoft network server: Amount of idle time required before suspending session |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-GpMapping-End -->
+
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Examples-End -->
+
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-End -->
+
 <!-- MicrosoftNetworkServer_DigitallySignCommunicationsAlways-Begin -->
 ## MicrosoftNetworkServer_DigitallySignCommunicationsAlways
 
@@ -1359,6 +2043,88 @@ Microsoft network server: Digitally sign communications (if client agrees) This
 
 <!-- MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees-End -->
 
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Begin -->
+## MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire
+
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Applicability-End -->
+
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire
+```
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-OmaUri-End -->
+
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Description-Begin -->
+<!-- Description-Source-DDF -->
+Microsoft network server: Disconnect clients when logon hours expire This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB Service to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired. Default on Windows Vista and above: Enabled. Default on Windows XP: Disabled.
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Description-End -->
+
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Editable-End -->
+
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-DFProperties-End -->
+
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Examples-End -->
+
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-End -->
+
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Begin -->
+## MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel
+
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Applicability-End -->
+
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel
+```
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-OmaUri-End -->
+
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Description-Begin -->
+<!-- Description-Source-DDF -->
+Microsoft network server: Server SPN target name validation level This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that's provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. This security setting determines the level of validation a SMB server performs on the service principal name (SPN) provided by the SMB client when trying to establish a session to an SMB server. The options are: Off - the SPN isn't required or validated by the SMB server from a SMB client. Accept if provided by client - the SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server's list of SPN's for itself. If the SPN does NOT match, the session request for that SMB client will be denied. Required from client - the SMB client MUST send a SPN name in session setup, and the SPN name provided MUST match the SMB server that's being requested to establish a connection. If no SPN is provided by client, or the SPN provided doesn't match, the session is denied. Default: Off All Windows operating systems support both a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities. Additional information on implementing and using this to secure your SMB servers can be found at the Microsoft website (https://go.microsoft.com/fwlink/?LinkId=144505).
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Description-End -->
+
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Editable-End -->
+
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-2]` |
+| Default Value  | 0 |
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-DFProperties-End -->
+
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Examples-End -->
+
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-End -->
+
 <!-- NetworkAccess_AllowAnonymousSIDOrNameTranslation-Begin -->
 ## NetworkAccess_AllowAnonymousSIDOrNameTranslation
 
@@ -1540,6 +2306,227 @@ Network access: Don't allow anonymous enumeration of SAM accounts and shares Thi
 
 <!-- NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares-End -->
 
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Begin -->
+## NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication
+
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Applicability-End -->
+
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication
+```
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-OmaUri-End -->
+
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Description-Begin -->
+<!-- Description-Source-DDF -->
+Network access: Don't allow storage of passwords and credentials for network authentication This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication.
+
+- If you enable this setting, Credential Manager doesn't store passwords and credentials on the computer.
+
+- If you disable or don't configure this policy setting, Credential Manager will store passwords and credentials on this computer for later use for domain authentication.
+
+> [!NOTE]
+> When configuring this security setting, changes won't take effect until you restart Windows. Default: Disabled.
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Description-End -->
+
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Editable-End -->
+
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 0 |
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-DFProperties-End -->
+
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Examples-End -->
+
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-End -->
+
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Begin -->
+## NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers
+
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Applicability-End -->
+
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers
+```
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-OmaUri-End -->
+
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Description-Begin -->
+<!-- Description-Source-DDF -->
+Network access: Let Everyone permissions apply to anonymous users This security setting determines what additional permissions are granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. By Default, the Everyone security identifier (SID) is removed from the token created for anonymous connections. Therefore, permissions granted to the Everyone group don't apply to anonymous users. If this option is set, anonymous users can only access those resources for which the anonymous user has been explicitly given permission. If this policy is enabled, the Everyone SID is added to the token that's created for anonymous connections. In this case, anonymous users are able to access any resource for which the Everyone group has been given permissions. Default: Disabled.
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Description-End -->
+
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Editable-End -->
+
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 0 |
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-DFProperties-End -->
+
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Network access: Let Everyone permissions apply to anonymous users |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-GpMapping-End -->
+
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Examples-End -->
+
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-End -->
+
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Begin -->
+## NetworkAccess_NamedPipesThatCanBeAccessedAnonymously
+
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Applicability-End -->
+
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_NamedPipesThatCanBeAccessedAnonymously
+```
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-OmaUri-End -->
+
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Description-Begin -->
+<!-- Description-Source-DDF -->
+Network access: Named pipes that can be accessed anonymously This security setting determines which communication sessions (pipes) will have attributes and permissions that allow anonymous access. Default: None.
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Description-End -->
+
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Editable-End -->
+
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-DFProperties-End -->
+
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Examples-End -->
+
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Begin -->
+## NetworkAccess_RemotelyAccessibleRegistryPaths
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Applicability-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_RemotelyAccessibleRegistryPaths
+```
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-OmaUri-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Description-Begin -->
+<!-- Description-Source-DDF -->
+Network access: Remotely accessible registry paths This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
+
+> [!NOTE]
+> This security setting isn't available on earlier versions of Windows. The security setting that appears on computers running Windows XP, &quot;Network access: Remotely accessible registry paths&quot; corresponds to the &quot;Network access: Remotely accessible registry paths and subpaths&quot; security option on members of the Windows Server 2003 family. For more information, see Network access: Remotely accessible registry paths and subpaths.
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Description-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Editable-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-DFProperties-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Examples-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Begin -->
+## NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Applicability-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths
+```
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-OmaUri-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Description-Begin -->
+<!-- Description-Source-DDF -->
+Network access: Remotely accessible registry paths and subpaths This security setting determines which registry paths and subpaths can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\CertSvc System\CurrentControlSet\Services\Wins Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
+
+> [!NOTE]
+> On Windows XP, this security setting was called "Network access: Remotely accessible registry paths". If you configure this setting on a member of the Windows Server 2003 family that's joined to a domain, this setting is inherited by computers running Windows XP, but will appear as the "Network access: Remotely accessible registry paths" security option. For more information, see Network access: Remotely accessible registry paths and subpaths.
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Description-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Editable-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-DFProperties-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Examples-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-End -->
+
 <!-- NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares-Begin -->
 ## NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
 
@@ -1646,6 +2633,130 @@ Network access: Restrict clients allowed to make remote calls to SAM This policy
 
 <!-- NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM-End -->
 
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Begin -->
+## NetworkAccess_SharesThatCanBeAccessedAnonymously
+
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Applicability-End -->
+
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_SharesThatCanBeAccessedAnonymously
+```
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-OmaUri-End -->
+
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Description-Begin -->
+<!-- Description-Source-DDF -->
+Network access: Shares that can be accessed anonymously This security setting determines which network shares can accessed by anonymous users. Default: None specified.
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Description-End -->
+
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Editable-End -->
+
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-DFProperties-End -->
+
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Examples-End -->
+
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-End -->
+
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Begin -->
+## NetworkAccess_SharingAndSecurityModelForLocalAccounts
+
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Applicability-End -->
+
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_SharingAndSecurityModelForLocalAccounts
+```
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-OmaUri-End -->
+
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Description-Begin -->
+<!-- Description-Source-DDF -->
+Network access: Sharing and security model for local accounts This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Classic model, you can grant different types of access to different users for the same resource. If this setting is set to Guest only, network logons that use local accounts are automatically mapped to the Guest account. By using the Guest model, you can have all users treated equally. All users authenticate as Guest, and they all receive the same level of access to a given resource, which can be either Read-only or Modify. Default on domain computers: Classic. Default on stand-alone computers: Guest only Important With the Guest only model, any user who can access your computer over the network (including anonymous Internet users) can access your shared resources. You must use the Windows Firewall or another similar device to protect your computer from unauthorized access. Similarly, with the Classic model, local accounts must be password protected; otherwise, those user accounts can be used by anyone to access shared system resources.
+
+> [!NOTE]
+> This setting doesn't affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services. Remote Desktop Services was called Terminal Services in previous versions of Windows Server. This policy will have no impact on computers running Windows 2000. When the computer isn't joined to a domain, this setting also modifies the Sharing and Security tabs in File Explorer to correspond to the sharing and security model that's being used.
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Description-End -->
+
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Editable-End -->
+
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 0 |
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-DFProperties-End -->
+
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Examples-End -->
+
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-End -->
+
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Begin -->
+## NetworkSecurity_AllowLocalSystemNULLSessionFallback
+
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Applicability-End -->
+
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemNULLSessionFallback
+```
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-OmaUri-End -->
+
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Description-Begin -->
+<!-- Description-Source-DDF -->
+Network security: Allow LocalSystem NULL session fallback Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7.
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Description-End -->
+
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Editable-End -->
+
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-DFProperties-End -->
+
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Examples-End -->
+
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-End -->
+
 <!-- NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM-Begin -->
 ## NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
 
@@ -1961,6 +3072,53 @@ Network security LAN Manager authentication level This security setting determin
 
 <!-- NetworkSecurity_LANManagerAuthenticationLevel-End -->
 
+<!-- NetworkSecurity_LDAPClientSigningRequirements-Begin -->
+## NetworkSecurity_LDAPClientSigningRequirements
+
+<!-- NetworkSecurity_LDAPClientSigningRequirements-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- NetworkSecurity_LDAPClientSigningRequirements-Applicability-End -->
+
+<!-- NetworkSecurity_LDAPClientSigningRequirements-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_LDAPClientSigningRequirements
+```
+<!-- NetworkSecurity_LDAPClientSigningRequirements-OmaUri-End -->
+
+<!-- NetworkSecurity_LDAPClientSigningRequirements-Description-Begin -->
+<!-- Description-Source-DDF -->
+Network security: LDAP client signing requirements This security setting determines the level of data signing that's requested on behalf of clients issuing LDAP BIND requests, as follows: None: The LDAP BIND request is issued with the options that are specified by the caller. Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) hasn't been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller. Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response doesn't indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed.
+
+> [!CAUTION]
+> If you set the server to Require signature, you must also set the client. Not setting the client results in a loss of connection with the server.
+
+> [!NOTE]
+> This setting doesn't have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are shipped with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to talk to a domain controller. Default: Negotiate signing.
+<!-- NetworkSecurity_LDAPClientSigningRequirements-Description-End -->
+
+<!-- NetworkSecurity_LDAPClientSigningRequirements-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- NetworkSecurity_LDAPClientSigningRequirements-Editable-End -->
+
+<!-- NetworkSecurity_LDAPClientSigningRequirements-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-2]` |
+| Default Value  | 0 |
+<!-- NetworkSecurity_LDAPClientSigningRequirements-DFProperties-End -->
+
+<!-- NetworkSecurity_LDAPClientSigningRequirements-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- NetworkSecurity_LDAPClientSigningRequirements-Examples-End -->
+
+<!-- NetworkSecurity_LDAPClientSigningRequirements-End -->
+
 <!-- NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients-Begin -->
 ## NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
 
@@ -2320,6 +3478,97 @@ Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This po
 
 <!-- NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers-End -->
 
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Begin -->
+## RecoveryConsole_AllowAutomaticAdministrativeLogon
+
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Applicability-End -->
+
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
+```
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-OmaUri-End -->
+
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Description-Begin -->
+<!-- Description-Source-DDF -->
+Recovery console: Allow automatic administrative logon This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console doesn't require you to provide a password, and it automatically logs on to the system. Default: This policy isn't defined and automatic administrative logon isn't allowed.
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Description-End -->
+
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Editable-End -->
+
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 0 |
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-DFProperties-End -->
+
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Recovery console: Allow automatic administrative logon |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-GpMapping-End -->
+
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Examples-End -->
+
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-End -->
+
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Begin -->
+## RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders
+
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Applicability-End -->
+
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders
+```
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-OmaUri-End -->
+
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Description-Begin -->
+<!-- Description-Source-DDF -->
+Recovery console: Allow floppy copy and access to all drives and all folders Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables: AllowWildCards: Enable wildcard support for some commands (such as the DEL command). AllowAllPaths: Allow access to all files and folders on the computer. AllowRemovableMedia: Allow files to be copied to removable media, such as a floppy disk. NoCopyPrompt: Don't prompt when overwriting an existing file. Default: This policy isn't defined and the recover console SET command isn't available.
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Description-End -->
+
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Editable-End -->
+
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 0 |
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-DFProperties-End -->
+
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Examples-End -->
+
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-End -->
+
 <!-- Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn-Begin -->
 ## Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
 
@@ -2436,6 +3685,138 @@ Shutdown: Clear virtual memory pagefile This security setting determines whether
 
 <!-- Shutdown_ClearVirtualMemoryPageFile-End -->
 
+<!-- SystemCryptography_ForceStrongKeyProtection-Begin -->
+## SystemCryptography_ForceStrongKeyProtection
+
+<!-- SystemCryptography_ForceStrongKeyProtection-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- SystemCryptography_ForceStrongKeyProtection-Applicability-End -->
+
+<!-- SystemCryptography_ForceStrongKeyProtection-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/SystemCryptography_ForceStrongKeyProtection
+```
+<!-- SystemCryptography_ForceStrongKeyProtection-OmaUri-End -->
+
+<!-- SystemCryptography_ForceStrongKeyProtection-Description-Begin -->
+<!-- Description-Source-DDF -->
+System Cryptography: Force strong key protection for user keys stored on the computer This security setting determines if users' private keys require a password to be used. The options are: User input isn't required when new keys are stored and used User is prompted when the key is first used User must enter a password each time they use a key For more information, see Public key infrastructure. Default: This policy isn't defined.
+<!-- SystemCryptography_ForceStrongKeyProtection-Description-End -->
+
+<!-- SystemCryptography_ForceStrongKeyProtection-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- SystemCryptography_ForceStrongKeyProtection-Editable-End -->
+
+<!-- SystemCryptography_ForceStrongKeyProtection-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-2]` |
+| Default Value  | 0 |
+<!-- SystemCryptography_ForceStrongKeyProtection-DFProperties-End -->
+
+<!-- SystemCryptography_ForceStrongKeyProtection-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- SystemCryptography_ForceStrongKeyProtection-Examples-End -->
+
+<!-- SystemCryptography_ForceStrongKeyProtection-End -->
+
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Begin -->
+## SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
+
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Applicability-End -->
+
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
+```
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-OmaUri-End -->
+
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Description-Begin -->
+<!-- Description-Source-DDF -->
+System objects: Require case insensitivity for non-Windows subsystems This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX. If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting doesn't allow the Win32 subsystem to become case sensitive. Default: Enabled.
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Description-End -->
+
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Editable-End -->
+
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-DFProperties-End -->
+
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | System objects: Require case insensitivity for non-Windows subsystems |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-GpMapping-End -->
+
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Examples-End -->
+
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-End -->
+
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Begin -->
+## SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects
+
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Applicability-End -->
+
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects
+```
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-OmaUri-End -->
+
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Description-Begin -->
+<!-- Description-Source-DDF -->
+System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. If this policy is enabled, the default DACL is stronger, allowing users who aren't administrators to read shared objects but not allowing these users to modify shared objects that they didn't create. Default: Enabled.
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Description-End -->
+
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Editable-End -->
+
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-DFProperties-End -->
+
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Examples-End -->
+
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-End -->
+
 <!-- UserAccountControl_AllowUIAccessApplicationsToPromptForElevation-Begin -->
 ## UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
 
diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md
index 678047a74c..1ae1768b2e 100644
--- a/windows/client-management/mdm/policy-csp-localusersandgroups.md
+++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md
@@ -54,7 +54,7 @@ members that aren't specified in the policy are removed.
 <!-- Configure-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
-> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#configuregroupmembership) policy setting also allows you to configure members (users or Azure Active Directory groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove.
+> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#configuregroupmembership) policy setting also allows you to configure members (users or Microsoft Entra groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove.
 >
 > Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersAndGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results.
 <!-- Configure-Editable-End -->
@@ -166,21 +166,21 @@ where:
 
     > [!NOTE]
     > When specifying member names of the user accounts, you must use following format - AzureAD\userUPN. For example, "AzureAD\user1@contoso.com" or "AzureAD\user2@contoso.co.uk".
-For adding Azure AD groups, you need to specify the Azure AD Group SID. Azure AD group names are not supported with this policy.
+For adding Microsoft Entra groups, you need to specify the Microsoft Entra group SID. Microsoft Entra group names are not supported with this policy.
 For more information, see [LookupAccountNameA function](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea).
 
 See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles.
 
 > [!IMPORTANT]
 >
-> - `<add member>` and `<remove member>` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using [Graph](/graph/api/resources/group?view=graph-rest-1.0&preserve-view=true#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute.
+> - `<add member>` and `<remove member>` can use a Microsoft Entra SID or the user's name. For adding or removing Microsoft Entra groups using this policy, you must use the group's SID. Microsoft Entra group SIDs can be obtained using [Graph](/graph/api/resources/group?view=graph-rest-1.0&preserve-view=true#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute.
 > - When specifying a SID in the `<add member>` or `<remove member>`, member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct.
 > - `<remove member>` is not valid for the R (Restrict) action and will be ignored if present.
 > - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that, if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present.
 
-**Example 1**: Azure Active Directory focused.
+**Example 1**: Microsoft Entra ID focused.
 
-The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with an Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine.
+The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with a Microsoft Entra account "bob@contoso.com" and a Microsoft Entra group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on a Microsoft Entra joined machine.
 
 ```xml
 <GroupConfiguration>
@@ -192,7 +192,7 @@ The following example updates the built-in administrators group with the SID **S
 </GroupConfiguration>
 ```
 
-**Example 2**: Replace / Restrict the built-in administrators group with an Azure AD user account.
+**Example 2**: Replace / Restrict the built-in administrators group with a Microsoft Entra user account.
 
 > [!NOTE]
 > When using the 'R' replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group.
@@ -209,7 +209,7 @@ The following example updates the built-in administrators group with the SID **S
 
 **Example 3**: Update action for adding and removing group members on a hybrid joined machine.
 
-The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add an Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists.
+The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a Microsoft Entra group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists.
 
 ```xml
 <GroupConfiguration>
@@ -223,7 +223,7 @@ The following example shows how you can update a local group (**Administrators**
 ```
 
 > [!NOTE]
-> When Azure Active Directory group SID's are added to local groups, Azure AD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device:
+> When Microsoft Entra group SID's are added to local groups, Microsoft Entra account logon privileges are evaluated only for the following well-known groups on a Windows 10 device:
 >
 > - Administrators
 > - Users
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md
index ecefad6b6c..79b92833b7 100644
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@@ -42,24 +42,24 @@ These policies are only supported on [Microsoft HoloLens 2](/hololens/hololens2-
 
 <!-- AADGroupMembershipCacheValidityInDays-Description-Begin -->
 <!-- Description-Source-DDF -->
-This policy controls for how many days, AAD group membership cache is allowed to be used for Assigned Access configurations targeting AAD groups for signed in user. Once this policy is set only then cache is used otherwise not. In order for this policy to take effect, user must sign-out and sign-in with Internet available at least once before the cache can be used for subsequent 'disconnected' sessions.
+This policy controls for how many days, Microsoft Entra group membership cache is allowed to be used for Assigned Access configurations targeting Microsoft Entra groups for signed in user. Once this policy is set only then cache is used otherwise not. In order for this policy to take effect, user must sign-out and sign-in with Internet available at least once before the cache can be used for subsequent 'disconnected' sessions.
 <!-- AADGroupMembershipCacheValidityInDays-Description-End -->
 
 <!-- AADGroupMembershipCacheValidityInDays-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Steps to use this policy correctly:
 
-1. Create a device configuration profile for kiosk, which targets Azure AD groups. Assign it to the HoloLens devices.
+1. Create a device configuration profile for kiosk, which targets Microsoft Entra groups. Assign it to the HoloLens devices.
 1. Create a custom OMA URI-based device configuration. Set this policy value to the chosen number of days greater than zero (`0`). Then assign the configuration to the HoloLens devices.
     - The URI value should be entered in OMA-URI text box as `./Device/Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays`
     - The value can be any integer in the allowed range.
 1. Enroll the HoloLens devices. Verify that both configurations apply to the device.
-1. When internet is available, sign in as an Azure AD user. Once the user signs-in, and Azure AD group membership is confirmed successfully, the cache will be created.
+1. When internet is available, sign in as a Microsoft Entra user. Once the user signs-in, and Microsoft Entra group membership is confirmed successfully, the cache will be created.
 1. You can now take the HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days.
-1. Steps 4 and 5 can be repeated for any other Azure AD user. The key point is that any Azure AD user must sign-in at least once to a device while on the internet. Then we can determine that they're a member of an Azure AD group to which the kiosk configuration is targeted.
+1. Steps 4 and 5 can be repeated for any other Microsoft Entra user. The key point is that any Microsoft Entra user must sign-in at least once to a device while on the internet. Then we can determine that they're a member of a Microsoft Entra group to which the kiosk configuration is targeted.
 
 > [!NOTE]
-> Until you do step 4 for an Azure AD user, the user will experience failure behavior similar to a disconnected environment.
+> Until you do step 4 for a Microsoft Entra user, the user will experience failure behavior similar to a disconnected environment.
 <!-- AADGroupMembershipCacheValidityInDays-Editable-End -->
 
 <!-- AADGroupMembershipCacheValidityInDays-DFProperties-Begin -->
@@ -212,7 +212,7 @@ On a device where you configure this policy, the user specified in the policy ne
 > [!NOTE]
 >
 > - Some events such as major OS updates may require the specified user to sign in to the device again to resume auto-logon behavior.
-> - Auto-logon is only supported for Microsoft accounts and Azure Active Directory (Azure AD) users.
+> - Auto-logon is only supported for Microsoft accounts and Microsoft Entra users.
 <!-- AutoLogonUser-Editable-End -->
 
 <!-- AutoLogonUser-DFProperties-Begin -->
@@ -507,7 +507,7 @@ The following XML string is an example of the value for this policy:
 
 <!-- ConfigureSharedAccount-Description-Begin -->
 <!-- Description-Source-DDF -->
-This policy specifies the configuration for Shared Accounts on the device. Shared Accounts are AAD accounts that are deployed to the device by an IT admin and can be used by anyone with physical access to the device. These accounts excel in deployments where the HoloLens device is used like a tool shared between multiple people and it doesn't matter which account is used to access AAD resources. Because these accounts can be signed in without requiring the user to provide credentials, you should ensure that these devices are physically secure, with access granted only to authorized personnel. You should also lock down these accounts to only have access to the required resources.
+This policy specifies the configuration for Shared Accounts on the device. Shared Accounts are Microsoft Entra accounts that are deployed to the device by an IT admin and can be used by anyone with physical access to the device. These accounts excel in deployments where the HoloLens device is used like a tool shared between multiple people and it doesn't matter which account is used to access Microsoft Entra resources. Because these accounts can be signed in without requiring the user to provide credentials, you should ensure that these devices are physically secure, with access granted only to authorized personnel. You should also lock down these accounts to only have access to the required resources.
 <!-- ConfigureSharedAccount-Description-End -->
 
 <!-- ConfigureSharedAccount-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index a48e9dd24b..68c365431c 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -4,7 +4,7 @@ description: Learn more about the Power Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -450,7 +450,7 @@ This policy setting allows you to specify the period of inactivity before Window
 
 - If you disable or don't configure this policy setting, users control this setting.
 
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
 <!-- HibernateTimeoutOnBattery-Description-End -->
 
 <!-- HibernateTimeoutOnBattery-Editable-Begin -->
@@ -510,7 +510,7 @@ This policy setting allows you to specify the period of inactivity before Window
 
 - If you disable or don't configure this policy setting, users control this setting.
 
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
 <!-- HibernateTimeoutPluggedIn-Description-End -->
 
 <!-- HibernateTimeoutPluggedIn-Editable-Begin -->
@@ -1144,7 +1144,7 @@ This policy setting allows you to specify the period of inactivity before Window
 
 - If you disable or don't configure this policy setting, users control this setting.
 
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
 <!-- StandbyTimeoutOnBattery-Description-End -->
 
 <!-- StandbyTimeoutOnBattery-Editable-Begin -->
@@ -1204,7 +1204,7 @@ This policy setting allows you to specify the period of inactivity before Window
 
 - If you disable or don't configure this policy setting, users control this setting.
 
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
 <!-- StandbyTimeoutPluggedIn-Description-End -->
 
 <!-- StandbyTimeoutPluggedIn-Editable-Begin -->
@@ -1258,7 +1258,7 @@ If the user has configured a slide show to run on the lock screen when the machi
 
 <!-- TurnOffHybridSleepOnBattery-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting allows you to turn off hybrid sleep.
+This policy setting allows you to turn off Hybrid Sleep.
 
 - If you enable this policy setting, a hiberfile isn't generated when the system transitions to sleep (Stand By).
 
@@ -1285,7 +1285,7 @@ This policy setting allows you to turn off hybrid sleep.
 | Value | Description |
 |:--|:--|
 | 0 (Default) | . |
-| 1 | Hybrid sleep. |
+| 1 | Hybrid Sleep. |
 <!-- TurnOffHybridSleepOnBattery-AllowedValues-End -->
 
 <!-- TurnOffHybridSleepOnBattery-GpMapping-Begin -->
@@ -1325,7 +1325,7 @@ This policy setting allows you to turn off hybrid sleep.
 
 <!-- TurnOffHybridSleepPluggedIn-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting allows you to turn off hybrid sleep.
+This policy setting allows you to turn off Hybrid Sleep.
 
 - If you enable this policy setting, a hiberfile isn't generated when the system transitions to sleep (Stand By).
 
@@ -1352,7 +1352,7 @@ This policy setting allows you to turn off hybrid sleep.
 | Value | Description |
 |:--|:--|
 | 0 (Default) | . |
-| 1 | Hybrid sleep. |
+| 1 | Hybrid Sleep. |
 <!-- TurnOffHybridSleepPluggedIn-AllowedValues-End -->
 
 <!-- TurnOffHybridSleepPluggedIn-GpMapping-Begin -->
@@ -1398,7 +1398,7 @@ This policy setting allows you to specify the period of inactivity before Window
 
 - If you disable or don't configure this policy setting, users control this setting.
 
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
 <!-- UnattendedSleepTimeoutOnBattery-Description-End -->
 
 <!-- UnattendedSleepTimeoutOnBattery-Editable-Begin -->
@@ -1459,7 +1459,7 @@ This policy setting allows you to specify the period of inactivity before Window
 
 - If you disable or don't configure this policy setting, users control this setting.
 
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
 <!-- UnattendedSleepTimeoutPluggedIn-Description-End -->
 
 <!-- UnattendedSleepTimeoutPluggedIn-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index b272736200..f96c5acb6a 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -93,7 +93,7 @@ Allows or disallows the automatic acceptance of the pairing and privacy user con
 <!-- Description-Source-ADMX -->
 This policy setting determines whether Clipboard contents can be synchronized across devices.
 
-- If you enable this policy setting, Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Azure AD account.
+- If you enable this policy setting, Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Microsoft Entra account.
 
 - If you disable this policy setting, Clipboard contents can't be shared to other devices.
 
diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md
index ff6dc5d401..e112f3b6d8 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktop.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktop.md
@@ -95,13 +95,13 @@ To automatically subscribe to [Azure Virtual Desktop](/azure/virtual-desktop/ove
 
 <!-- LoadAadCredKeyFromProfile-Description-Begin -->
 <!-- Description-Source-DDF -->
-Allow encrypted DPAPI cred keys to be loaded from user profiles for AAD accounts.
+Allow encrypted DPAPI cred keys to be loaded from user profiles for Microsoft Entra accounts.
 <!-- LoadAadCredKeyFromProfile-Description-End -->
 
 <!-- LoadAadCredKeyFromProfile-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 
-This policy allows the user to load the data protection API (DPAPI) cred key from their user profile, and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using [FSLogix user profiles](/fslogix/overview) from Azure AD-joined VMs.
+This policy allows the user to load the data protection API (DPAPI) cred key from their user profile, and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using [FSLogix user profiles](/fslogix/overview) from Microsoft Entra joined VMs.
 <!-- LoadAadCredKeyFromProfile-Editable-End -->
 
 <!-- LoadAadCredKeyFromProfile-DFProperties-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 69710b569d..83c65f6386 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -20,7 +20,7 @@ ms.topic: reference
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 
 > [!IMPORTANT]
-> Starting from Windows 10, version 20H2, to configure members of Windows local groups, use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy. These members can be users or Azure Active Directory (Azure AD) groups.
+> Starting from Windows 10, version 20H2, to configure members of Windows local groups, use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy. These members can be users or Microsoft Entra groups.
 >
 > Don't apply both policies to the same device, it's unsupported and may yield unpredictable results.
 <!-- RestrictedGroups-Editable-End -->
@@ -135,7 +135,7 @@ Descriptions of the properties:
 
 - `<accessgroup desc>` contains the local group SID or group name to configure. If a SID is specified here, the policy uses the [LookupAccountName](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for `<accessgroup desc>`.
 
-- `<member name>` contains the members to add to the group in `<accessgroup desc>`. A member can be specified as a name or as a SID. For best results, use a SID for `<member name>`. The member SID can be a user account or a group in Active Directory, Azure AD, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in Active Directory or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
+- `<member name>` contains the members to add to the group in `<accessgroup desc>`. A member can be specified as a name or as a SID. For best results, use a SID for `<member name>`. The member SID can be a user account or a group in Active Directory, Microsoft Entra ID, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in Active Directory or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
 
 - In this example, `Group1` and `Group2` are local groups on the device being configured, and `Group3` is a domain group.
 
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index 472bb62d54..624d6566b7 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -4,7 +4,7 @@ description: Learn more about the Search Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -102,7 +102,7 @@ Allow search and Cortana to search cloud sources like OneDrive and SharePoint.
 
 <!-- AllowCortanaInAAD-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Allow the cortana opt-in page during windows setup out of the box experience.
+Allow the Cortana opt-in page during windows setup out of the box experience.
 <!-- AllowCortanaInAAD-Description-End -->
 
 <!-- AllowCortanaInAAD-Editable-Begin -->
@@ -124,8 +124,8 @@ Allow the cortana opt-in page during windows setup out of the box experience.
 
 | Value | Description |
 |:--|:--|
-| 0 (Default) | Not allowed. The Cortana consent page won't appear in AAD OOBE during setup. |
-| 1 | Allowed. The Cortana consent page will appear in Azure AAD OOBE during setup. |
+| 0 (Default) | Not allowed. The Cortana consent page won't appear in Microsoft Entra ID OOBE during setup. |
+| 1 | Allowed. The Cortana consent page will appear in Azure Microsoft Entra ID OOBE during setup. |
 <!-- AllowCortanaInAAD-AllowedValues-End -->
 
 <!-- AllowCortanaInAAD-GpMapping-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index f29783c6d0..ef1082ff7d 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -354,7 +354,7 @@ Configures the use of passwords for Windows features.
 
 <!-- PreventAutomaticDeviceEncryptionForAzureADJoinedDevices-Description-Begin -->
 <!-- Description-Source-DDF -->
-Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
+Specifies whether to allow automatic device encryption during OOBE when the device is Microsoft Entra joined.
 <!-- PreventAutomaticDeviceEncryptionForAzureADJoinedDevices-Description-End -->
 
 <!-- PreventAutomaticDeviceEncryptionForAzureADJoinedDevices-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index a62fd83d3f..838e2faf41 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -4,7 +4,7 @@ description: Learn more about the Start Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/30/2023
+ms.date: 09/25/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -974,68 +974,6 @@ Enabling this policy hides "Change account settings" from appearing in the user
 
 <!-- HideChangeAccountSettings-End -->
 
-<!-- HideCopilotButton-Begin -->
-## HideCopilotButton
-
-<!-- HideCopilotButton-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
-<!-- HideCopilotButton-Applicability-End -->
-
-<!-- HideCopilotButton-OmaUri-Begin -->
-```User
-./User/Vendor/MSFT/Policy/Config/Start/HideCopilotButton
-```
-
-```Device
-./Device/Vendor/MSFT/Policy/Config/Start/HideCopilotButton
-```
-<!-- HideCopilotButton-OmaUri-End -->
-
-<!-- HideCopilotButton-Description-Begin -->
-<!-- Description-Source-DDF -->
-This policy setting allows you to hide the Copilot button on the Taskbar. If you enable this policy setting, the Copilot button will be hidden and the Settings toggle will be disabled.
-<!-- HideCopilotButton-Description-End -->
-
-<!-- HideCopilotButton-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- HideCopilotButton-Editable-End -->
-
-<!-- HideCopilotButton-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `int` |
-| Access Type | Add, Delete, Get, Replace |
-| Default Value  | 0 |
-<!-- HideCopilotButton-DFProperties-End -->
-
-<!-- HideCopilotButton-AllowedValues-Begin -->
-**Allowed values**:
-
-| Value | Description |
-|:--|:--|
-| 0 (Default) | Copilot button shown. |
-| 1 | Copilot button hidden. |
-<!-- HideCopilotButton-AllowedValues-End -->
-
-<!-- HideCopilotButton-GpMapping-Begin -->
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | HideCopilotButton |
-| Path | Taskbar > AT > StartMenu |
-<!-- HideCopilotButton-GpMapping-End -->
-
-<!-- HideCopilotButton-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- HideCopilotButton-Examples-End -->
-
-<!-- HideCopilotButton-End -->
-
 <!-- HideFrequentlyUsedApps-Begin -->
 ## HideFrequentlyUsedApps
 
@@ -1492,7 +1430,7 @@ To validate this policy, do the following steps:
 <!-- HideRecommendedPersonalizedSites-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
+| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.1928] and later |
 <!-- HideRecommendedPersonalizedSites-Applicability-End -->
 
 <!-- HideRecommendedPersonalizedSites-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 20532820a0..0d0a105c89 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -113,12 +113,12 @@ This policy is only supported up to Windows 10, Version 1703. Please use 'Manage
 <!-- Description-Source-ADMX -->
 This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
 
-AllowCommercialDataPipeline configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
+AllowCommercialDataPipeline configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
 
 To enable this behavior:
 
 1. Enable this policy setting
-2. Join an Azure Active Directory account to the device.
+2. Join a Microsoft Entra account to the device.
 
 Windows diagnostic data is collected when the Allow Telemetry policy setting is set to value 1 - Required or above. Configuring this setting doesn't change the Windows diagnostic data collection level set for the device.
 
@@ -198,7 +198,7 @@ This policy setting, in combination with the Allow Telemetry and Configure the C
 To enable this behavior:
 
 1. Enable this policy setting
-2. Join an Azure Active Directory account to the device.
+2. Join a Microsoft Entra account to the device.
 
 3. Set Allow Telemetry to value 1 - Required, or higher
 4. Set the Configure the Commercial ID setting for your Desktop Analytics workspace.
@@ -574,7 +574,7 @@ Specifies whether to allow app access to the Location service. Most restricted v
 <!-- AllowMicrosoftManagedDesktopProcessing-Description-Begin -->
 <!-- Description-Source-DDF -->
 This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
-This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
+This policy setting configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
 For customers who enroll into the Microsoft Managed Desktop service, enabling this policy is required to allow Microsoft to process data for operational and analytic needs. See <https://go.microsoft.com/fwlink/?linkid=2184944> for more information.
 hen these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
 This setting has no effect on devices unless they're properly enrolled in Microsoft Managed Desktop. If you disable this policy setting, devices may not appear in Microsoft Managed Desktop.
@@ -762,7 +762,7 @@ This policy setting, in combination with the Allow Telemetry and Configure the C
 To enable this behavior:
 
 1. Enable this policy setting
-2. Join an Azure Active Directory account to the device.
+2. Join a Microsoft Entra account to the device.
 
 3. Set Allow Telemetry to value 1 - Required, or higher
 4. Set the Configure the Commercial ID setting for your Update Compliance workspace.
@@ -884,12 +884,12 @@ Specifies whether to allow the user to factory reset the device by using control
 <!-- Description-Source-ADMX -->
 This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
 
-This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
+This policy setting configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
 
 To enable this behavior:
 
 1. Enable this policy setting
-2. Join an Azure Active Directory account to the device.
+2. Join a Microsoft Entra account to the device.
 
 3. Set Allow Telemetry to value 1 - Required, or higher.
 
diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md
index 694ac12553..62451125d8 100644
--- a/windows/client-management/mdm/policy-csp-tenantrestrictions.md
+++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md
@@ -39,12 +39,12 @@ ms.topic: reference
 
 <!-- ConfigureTenantRestrictions-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This setting enables and configures the device-based tenant restrictions feature for Azure Active Directory.
+This setting enables and configures the device-based tenant restrictions feature for Microsoft Entra ID.
 
-When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Azure AD tenant.
+When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Microsoft Entra tenant.
 
 > [!NOTE]
-> Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions for more details.
+> Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Microsoft Entra tenant Restrictions for more details.
 
 <https://go.microsoft.com/fwlink/?linkid=2148762>
 
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index cf9c04b176..9c9630b5ac 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/28/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -293,7 +293,7 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b
 
 <!-- AllowOptionalContent-Description-Begin -->
 <!-- Description-Source-DDF -->
-This policy enables devices to get offered optional updates and users interact with the 'Get the latest updates as soon as they're available' toggle on the Windows Update Settings page.
+This policy enables devices to get optional updates (including gradual feature rollouts (CFRs) - learn more by visiting aka.ms/AllowOptionalContent)
 <!-- AllowOptionalContent-Description-End -->
 
 <!-- AllowOptionalContent-Editable-Begin -->
@@ -1281,7 +1281,7 @@ If the status is set to Disabled or Not Configured, Windows will check for avail
 > If the "Configure Automatic Updates" policy is disabled, this policy has no effect.
 
 > [!NOTE]
-> This policy isn't supported on %WINDOWS_ARM_VERSION_6_2%. Setting this policy won't have any effect on %WINDOWS_ARM_VERSION_6_2% PCs.
+> This policy isn't supported on Windows RT. Setting this policy won't have any effect on Windows RT PCs.
 <!-- DetectionFrequency-Description-End -->
 
 <!-- DetectionFrequency-Editable-Begin -->
@@ -1459,7 +1459,7 @@ Allows Windows Update Agent to determine the download URL when it's missing from
 <!-- SetPolicyDrivenUpdateSourceForDriverUpdates-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later <br> ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 10, version 21H2 [10.0.19044.1288] and later <br> ✅ Windows 10, version 22H2 [10.0.19045.2130] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
 <!-- SetPolicyDrivenUpdateSourceForDriverUpdates-Applicability-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForDriverUpdates-OmaUri-Begin -->
@@ -1528,7 +1528,7 @@ Configure this policy to specify whether to receive **Windows Driver Updates** f
 <!-- SetPolicyDrivenUpdateSourceForFeatureUpdates-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later <br> ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 10, version 21H2 [10.0.19044.1288] and later <br> ✅ Windows 10, version 22H2 [10.0.19045.2130] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
 <!-- SetPolicyDrivenUpdateSourceForFeatureUpdates-Applicability-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForFeatureUpdates-OmaUri-Begin -->
@@ -1597,7 +1597,7 @@ Configure this policy to specify whether to receive **Windows Feature Updates**
 <!-- SetPolicyDrivenUpdateSourceForOtherUpdates-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later <br> ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 10, version 21H2 [10.0.19044.1288] and later <br> ✅ Windows 10, version 22H2 [10.0.19045.2130] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
 <!-- SetPolicyDrivenUpdateSourceForOtherUpdates-Applicability-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForOtherUpdates-OmaUri-Begin -->
@@ -1666,7 +1666,7 @@ Configure this policy to specify whether to receive **Other Updates** from Windo
 <!-- SetPolicyDrivenUpdateSourceForQualityUpdates-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later <br> ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 10, version 21H2 [10.0.19044.1288] and later <br> ✅ Windows 10, version 22H2 [10.0.19045.2130] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
 <!-- SetPolicyDrivenUpdateSourceForQualityUpdates-Applicability-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForQualityUpdates-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index f44eaf71c7..e323789f73 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -93,7 +93,7 @@ For example, the following syntax grants user rights to Authenticated Users and
 <![CDATA[Authenticated Users&#xF000;Replicator]]>
 ```
 
-For example, the following syntax grants user rights to two specific Azure Active Directory (Azure AD) users from Contoso, user1 and user2:
+For example, the following syntax grants user rights to two specific Microsoft Entra users from Contoso, user1 and user2:
 
 ```xml
 <![CDATA[AzureAD\user1@contoso.com&#xF000;AzureAD\user2@contoso.com]]>
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index 6f0c889771..7f43647495 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -4,7 +4,7 @@ description: Learn more about the WindowsLogon Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -18,8 +18,6 @@ ms.topic: reference
 
 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- WindowsLogon-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- WindowsLogon-Editable-End -->
@@ -45,7 +43,7 @@ This policy setting controls whether a device will automatically sign in and loc
 
 This only occurs if the last interactive user didn't sign out before the restart or shutdown. 
 
-If the device is joined to Active Directory or Azure Active Directory, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.
+If the device is joined to Active Directory or Microsoft Entra ID, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.
 
 - If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots. 
 
@@ -106,20 +104,20 @@ After enabling this policy, you can configure its settings through the ConfigAut
 
 <!-- ConfigAutomaticRestartSignOn-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting controls the configuration under which an automatic restart and sign on and lock occurs after a restart or cold boot. If you chose "Disabled" in the "Sign-in and lock last interactive user automatically after a restart" policy, then automatic sign on won't occur and this policy doesn't need to be configured.
+This policy setting controls the configuration under which an automatic restart and sign-on and lock occurs after a restart or cold boot. If you chose "Disabled" in the "Sign-in and lock last interactive user automatically after a restart" policy, then automatic sign-on won't occur and this policy doesn't need to be configured.
 
 - If you enable this policy setting, you can choose one of the following two options:
 
-1. "Enabled if BitLocker is on and not suspended" specifies that automatic sign on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device's hard drive at this time if BitLocker isn't on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components.
+1. "Enabled if BitLocker is on and not suspended" specifies that automatic sign-on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device's hard drive at this time if BitLocker isn't on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components.
 
 BitLocker is suspended during updates if:
 
 - The device doesn't have TPM 2.0 and PCR7, or
 - The device doesn't use a TPM-only protector.
 
-2. "Always Enabled" specifies that automatic sign on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker isn't enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location.
+2. "Always Enabled" specifies that automatic sign-on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker isn't enabled, personal data is accessible on the hard drive. Automatic restart and sign-on should only be run under this condition if you are confident that the configured device is in a secure physical location.
 
-- If you disable or don't configure this setting, automatic sign on will default to the "Enabled if BitLocker is on and not suspended" behavior.
+- If you disable or don't configure this setting, automatic sign-on will default to the "Enabled if BitLocker is on and not suspended" behavior.
 <!-- ConfigAutomaticRestartSignOn-Description-End -->
 
 <!-- ConfigAutomaticRestartSignOn-Editable-Begin -->
@@ -565,7 +563,7 @@ The locations that Switch User interface appear are in the Logon UI, the Start m
 <!-- OverrideShellProgram-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2338] and later |
 <!-- OverrideShellProgram-Applicability-End -->
 
 <!-- OverrideShellProgram-OmaUri-Begin -->
@@ -591,7 +589,6 @@ OverrideShellProgram policy allows IT admin to configure the shell program for W
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Default Value  | 0 |
-| Dependency [BootToCloudModeDependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/CloudDesktop/BootToCloudMode` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br>  |
 <!-- OverrideShellProgram-DFProperties-End -->
 
 <!-- OverrideShellProgram-AllowedValues-Begin -->
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 1b4a1c636d..d0ae5d1f19 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -96,7 +96,7 @@ Node for the Autopilot Reset operation.
 
 <!-- Device-AutomaticRedeployment-doAutomaticRedeployment-Description-Begin -->
 <!-- Description-Source-DDF -->
-Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard.
+Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Microsoft Entra ID and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard.
 <!-- Device-AutomaticRedeployment-doAutomaticRedeployment-Description-End -->
 
 <!-- Device-AutomaticRedeployment-doAutomaticRedeployment-Editable-Begin -->
diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md
index ce0d74fe63..1ccd2b55b5 100644
--- a/windows/client-management/mdm/secureassessment-csp.md
+++ b/windows/client-management/mdm/secureassessment-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the SecureAssessment CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/23/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -327,7 +327,7 @@ Indicates if printing is required by the app.
 
 <!-- Device-TesterAccount-Description-Begin -->
 <!-- Description-Source-DDF -->
-The user name of the test taking account. To specify a domain account, use domain\user. To specify an AAD account, use username@tenant.com. To specify a local account, use the username.
+The user name of the test taking account. To specify a domain account, use domain\user. To specify a Microsoft Entra account, use username@tenant.com. To specify a local account, use the username.
 <!-- Device-TesterAccount-Description-End -->
 
 <!-- Device-TesterAccount-Editable-Begin -->
diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md
index 4c1b79cfc1..4c9892dc4c 100644
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@@ -106,7 +106,7 @@ The following list shows the SurfaceHub configuration service provider nodes:
 
 <!-- Device-DeviceAccount-Description-Begin -->
 <!-- Description-Source-DDF -->
-Node for setting device account information. A device account is a Microsoft Exchange account that's connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the [Surface Hub administrator guide](/surface-hub/) for more information about setting up a device account. To use a device account from Azure Active Directory: 1. Set the UserPrincipalName (for Azure AD). 2. Set a valid Password. 3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD. 4. Get the ErrorContext in case something goes wrong during validation.
+Node for setting device account information. A device account is a Microsoft Exchange account that's connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the [Surface Hub administrator guide](/surface-hub/) for more information about setting up a device account. To use a device account from Microsoft Entra ID: 1. Set the UserPrincipalName (for Microsoft Entra ID). 2. Set a valid Password. 3. Execute ValidateAndCommit to validate the specified username and password combination against Microsoft Entra ID. 4. Get the ErrorContext in case something goes wrong during validation.
 <!-- Device-DeviceAccount-Description-End -->
 
 <!-- Device-DeviceAccount-Editable-Begin -->
@@ -333,7 +333,7 @@ Possible error values:
 | **ErrorContext value** | **Stage where error occurred** | **Description and suggestions** |
 | --- | --- | --- |
 | 1 | Unknown | |
-| 2 | Populating account | Unable to retrieve account details using the username and password you provided.<br/><br/> For Azure AD accounts, ensure that UserPrincipalName and Password are valid.<br/> For AD accounts, ensure that DomainName, UserName, and Password are valid.<br/> Ensure that the specified account has an Exchange server mailbox. |
+| 2 | Populating account | Unable to retrieve account details using the username and password you provided.<br/><br/> For Microsoft Entra accounts, ensure that UserPrincipalName and Password are valid.<br/> For AD accounts, ensure that DomainName, UserName, and Password are valid.<br/> Ensure that the specified account has an Exchange server mailbox. |
 | 3 | Populating Exchange server address | Unable to auto-discover your Exchange server address. Try to manually specify the Exchange server address using the ExchangeServer field. |
 | 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure the ExchangeServer field is valid. |
 | 5 | Saving account information | Unable to save account details to the system. |
@@ -499,7 +499,7 @@ Password for the device account. Get is allowed here, but will always return a b
 
 <!-- Device-DeviceAccount-PasswordRotationEnabled-Description-Begin -->
 <!-- Description-Source-DDF -->
-Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).
+Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Microsoft Entra ID).
 <!-- Device-DeviceAccount-PasswordRotationEnabled-Description-End -->
 
 <!-- Device-DeviceAccount-PasswordRotationEnabled-Editable-Begin -->
@@ -625,7 +625,7 @@ Username of the device account when you are using Active Directory. To use a dev
 
 <!-- Device-DeviceAccount-UserPrincipalName-Description-Begin -->
 <!-- Description-Source-DDF -->
-User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account.
+User principal name (UPN) of the device account. To use a device account from Microsoft Entra ID or a hybrid deployment, you should specify the UPN of the device account.
 <!-- Device-DeviceAccount-UserPrincipalName-Description-End -->
 
 <!-- Device-DeviceAccount-UserPrincipalName-Editable-Begin -->
diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md
index 7c469706c0..97551d7680 100644
--- a/windows/client-management/mdm/tenantlockdown-csp.md
+++ b/windows/client-management/mdm/tenantlockdown-csp.md
@@ -52,7 +52,7 @@ When RequireNetworkInOOBE is true, when the device goes through OOBE at first si
   -  True - Require network in OOBE.
   -  False - No network connection requirement in OOBE.
 
-Example scenario:  Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account.
+Example scenario:  Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Microsoft Entra credentials. There is no option to skip the network connection and create a local account.
 
 ## Related topics
 
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index 9125eb9388..2ca71c81c0 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -29,6 +29,15 @@ items:
       href: ../structure-of-oma-dm-provisioning-files.md
     - name: Server requirements for OMA DM
       href: ../server-requirements-windows-mdm.md
+  - name: Declared Configuration protocol
+    href: ../declared-configuration.md
+    items:
+    - name: Declared Configuration extensibility
+      href: ../declared-configuration-extensibility.md
+    - name: DeclaredConfiguration CSP
+      href: declaredconfiguration-csp.md
+    - name: DMClient CSP
+      href: dmclient-csp.md
   - name: Configuration service providers (CSPs)
     expanded: true
     items:
@@ -652,6 +661,11 @@ items:
       items:
       - name: CustomDeviceUI DDF file
         href: customdeviceui-ddf.md
+    - name: DeclaredConfiguration
+      href: declaredconfiguration-csp.md
+      items:
+      - name: DeclaredConfiguration DDF file
+        href: declaredconfiguration-ddf-file.md
     - name: Defender
       href: defender-csp.md
       items:
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index 99272efc31..3e5e3a5468 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -964,7 +964,7 @@ Determines the level of data encryption required for the connection.
 
 <!-- Device-{ProfileName}-DeviceCompliance-Description-Begin -->
 <!-- Description-Source-DDF -->
-Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN.
+Nodes under DeviceCompliance can be used to enable Microsoft Entra ID based Conditional Access for VPN.
 <!-- Device-{ProfileName}-DeviceCompliance-Description-End -->
 
 <!-- Device-{ProfileName}-DeviceCompliance-Editable-Begin -->
@@ -1003,7 +1003,7 @@ Nodes under DeviceCompliance can be used to enable AAD based Conditional Access
 
 <!-- Device-{ProfileName}-DeviceCompliance-Enabled-Description-Begin -->
 <!-- Description-Source-DDF -->
-Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory.
+Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Microsoft Entra ID to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Microsoft Entra ID.
 <!-- Device-{ProfileName}-DeviceCompliance-Enabled-Description-End -->
 
 <!-- Device-{ProfileName}-DeviceCompliance-Enabled-Editable-Begin -->
@@ -5261,7 +5261,7 @@ Determines the level of data encryption required for the connection.
 
 <!-- User-{ProfileName}-DeviceCompliance-Description-Begin -->
 <!-- Description-Source-DDF -->
-Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN.
+Nodes under DeviceCompliance can be used to enable Microsoft Entra ID based Conditional Access for VPN.
 <!-- User-{ProfileName}-DeviceCompliance-Description-End -->
 
 <!-- User-{ProfileName}-DeviceCompliance-Editable-Begin -->
@@ -5300,7 +5300,7 @@ Nodes under DeviceCompliance can be used to enable AAD based Conditional Access
 
 <!-- User-{ProfileName}-DeviceCompliance-Enabled-Description-Begin -->
 <!-- Description-Source-DDF -->
-Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory.
+Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Microsoft Entra ID to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Microsoft Entra ID.
 <!-- User-{ProfileName}-DeviceCompliance-Enabled-Description-End -->
 
 <!-- User-{ProfileName}-DeviceCompliance-Enabled-Editable-Begin -->
diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml
index 9a48d7372f..347afc4322 100644
--- a/windows/client-management/toc.yml
+++ b/windows/client-management/toc.yml
@@ -12,7 +12,7 @@ items:
                 href: mdm-overview.md
               - name: What's new in MDM
                 href: new-in-windows-mdm-enrollment-management.md
-              - name: Azure Active Directory integration
+              - name: Microsoft Entra integration
                 href: azure-active-directory-integration-with-mdm.md
               - name: Transitioning to modern management
                 href: manage-windows-10-in-your-organization-modern-management.md
@@ -48,6 +48,8 @@ items:
                 href: enterprise-app-management.md
               - name: Manage updates
                 href: device-update-management.md
+              - name: Manage Copilot in Windows
+                href: manage-windows-copilot.md
               - name: Secured-Core PC Configuration Lock
                 href: config-lock.md
               - name: Certificate renewal
diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml
index 5a140f98e2..97c1386a73 100644
--- a/windows/configuration/TOC.yml
+++ b/windows/configuration/TOC.yml
@@ -143,7 +143,7 @@
           href: cortana-at-work/set-up-and-test-cortana-in-windows-10.md
         - name: Cortana at work testing scenarios
           href: cortana-at-work/cortana-at-work-testing-scenarios.md
-        - name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query
+        - name: Test scenario 1 - Sign into Microsoft Entra ID, enable the wake word, and try a voice query
           href: cortana-at-work/cortana-at-work-scenario-1.md
         - name: Test scenario 2 - Run a Bing search with Cortana
           href: cortana-at-work/cortana-at-work-scenario-2.md
@@ -163,7 +163,7 @@
           href: cortana-at-work/cortana-at-work-o365.md
         - name: Testing scenarios using Cortana in your business or organization
           href: cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
-        - name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query
+        - name: Test scenario 1 - Sign into Microsoft Entra ID, enable the wake word, and try a voice query
           href: cortana-at-work/test-scenario-1.md
         - name: Test scenario 2 - Run a quick search with Cortana at work
           href: cortana-at-work/test-scenario-2.md
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
index 5dc0aa37ec..8cc906cd9f 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
@@ -29,7 +29,7 @@ Your employees can use Cortana to help manage their day and be more productive b
 ### Before you begin
 There are a few things to be aware of before you start using Cortana in Windows 10, versions 1909 and earlier.
 
-- **Azure Active Directory (Azure AD) account.** Before your employees can use Cortana in your org, they must be logged in using their Azure AD account through Cortana&#39;s notebook. They must also authorize Cortana to access Microsoft 365 on their behalf.
+- **Microsoft Entra account.** Before your employees can use Cortana in your org, they must be logged in using their Microsoft Entra account through Cortana&#39;s notebook. They must also authorize Cortana to access Microsoft 365 on their behalf.
 
 - **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn&#39;t a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy).
 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index 2f8c615755..9bd3833b21 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -38,15 +38,17 @@ Cortana requires a PC running Windows 10, version 1703 or later, and the followi
 | Software | Minimum version |
 |---------|---------|
 |Client operating system     | - Windows 10, version 2004 (recommended)  <br> <br> - Windows 10, version 1703 (legacy version of Cortana) <br> <br> For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. |
-|Azure Active Directory (Azure AD)    | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn't required.        |
+|Microsoft Entra ID    | While all employees signing into Cortana need a Microsoft Entra account, a Microsoft Entra ID P1 or P2 tenant isn't required.        |
 |Additional policies (Group Policy and Mobile Device Management (MDM))     |There's a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn off Cortana. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help.  |
 
 >[!NOTE]
 >For Windows 11, Cortana is no longer pinned to the taskbar by default. You can still pin the Cortana app to the taskbar as you would any other app. In addition, the keyboard shortcut that launched Cortana (Win+C) no longer opens Cortana.
 
-## Signing in using Azure AD
+<a name='signing-in-using-azure-ad'></a>
 
-Your organization must have an Azure AD tenant and your employees&#39; devices must all be Azure AD-joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but won't be able to use their enterprise email or calendar.) For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [Azure Active Directory documentation.](/azure/active-directory/)
+## Signing in using Microsoft Entra ID
+
+Your organization must have a Microsoft Entra tenant and your employees&#39; devices must all be Microsoft Entra joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but won't be able to use their enterprise email or calendar.) For info about what a Microsoft Entra tenant is, how to get your devices joined, and other Microsoft Entra maintenance info, see [Microsoft Entra documentation.](/azure/active-directory/)
 
 ## How is my data processed by Cortana?
 
@@ -54,7 +56,7 @@ Cortana's approach to integration with Microsoft 365 has changed with Windows 10
 
 ### Cortana in Windows 10, version 2004 and later, or Windows 11
 
-Cortana enterprise services that can be accessed using Azure AD through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
+Cortana enterprise services that can be accessed using Microsoft Entra ID through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
 
 #### How does Microsoft store, retain, process, and use Customer Data in Cortana?
 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 8cfe781f37..e0881606c0 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -72,7 +72,7 @@ For specific info about how to set, manage, and use each of these MDM policies t
 - **AllowMicrosoftAccountConnection**
   - **Group policy**: None
   - **MDM policy CSP**: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection)
-  - **Description**: Specifies whether to allow users to sign in using a Microsoft account (MSA) from Windows apps. If you only want to allow users to sign in with their Azure AD account, then disable this setting.
+  - **Description**: Specifies whether to allow users to sign in using a Microsoft account (MSA) from Windows apps. If you only want to allow users to sign in with their Microsoft Entra account, then disable this setting.
 
 - **Allow search and Cortana to use location**
   - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location`
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index 421e8959d9..28baf34fab 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -1,5 +1,5 @@
 ---
-title: Sign into Azure AD, enable the wake word, and try a voice query
+title: Sign into Microsoft Entra ID, enable the wake word, and try a voice query
 description: A test scenario walking you through signing in and managing the notebook.
 ms.prod: windows-client
 ms.collection: tier3
@@ -13,14 +13,14 @@ ms.date: 12/31/2017
 ms.topic: article
 ---
 
-# Test scenario 1 – Sign into Azure AD, enable the wake word, and try a voice query
+# Test scenario 1 – Sign into Microsoft Entra ID, enable the wake word, and try a voice query
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 
 >[!NOTE]
 >The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana.
 
-1. Select the **Cortana** icon in the task bar and sign in using your Azure AD account.
+1. Select the **Cortana** icon in the task bar and sign in using your Microsoft Entra account.
 
 2. Select the &quot;…&quot; menu and select **Talking to Cortana**.
 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
index 6a8fa6528d..9260043d11 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
@@ -19,7 +19,7 @@ ms.technology: itpro-configure
 
 We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
 
-- [Sign into Azure AD, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md)
+- [Sign into Microsoft Entra ID, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md)
 - [Perform a Bing search with Cortana](cortana-at-work-scenario-2.md)
 - [Set a reminder](cortana-at-work-scenario-3.md)
 - [Use Cortana to find free time on your calendar](cortana-at-work-scenario-4.md)
diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
index 01d6c2db85..b9fd7b9023 100644
--- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
+++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
@@ -49,4 +49,4 @@ When a user enters a search query (by speech or text), Cortana evaluates if the
 Bing Answers is enabled by default for all users. However, admins can configure and change this setting for specific users and user groups in their organization.
 
 ## How the Bing Answer policy configuration is applied
-Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an Azure Active Directory group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes.
+Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of a Microsoft Entra group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes.
diff --git a/windows/configuration/cortana-at-work/test-scenario-1.md b/windows/configuration/cortana-at-work/test-scenario-1.md
index 6f3ffd8173..cd72adceb2 100644
--- a/windows/configuration/cortana-at-work/test-scenario-1.md
+++ b/windows/configuration/cortana-at-work/test-scenario-1.md
@@ -16,11 +16,11 @@ ms.technology: itpro-configure
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 
-This scenario turns on Azure AD and lets your employee use Cortana to manage an entry in the notebook.
+This scenario turns on Microsoft Entra ID and lets your employee use Cortana to manage an entry in the notebook.
 
 ## Sign in with your work or school account
 
-This process helps you to sign out of a Microsoft Account and to sign into an Azure AD account.
+This process helps you to sign out of a Microsoft Account and to sign into a Microsoft Entra account.
 
 1. Click on the  **Cortana**  icon in the taskbar, then click the profile picture in the navigation to open Cortana settings.
 
diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md
index 081ea5877a..206010600b 100644
--- a/windows/configuration/cortana-at-work/test-scenario-4.md
+++ b/windows/configuration/cortana-at-work/test-scenario-4.md
@@ -28,7 +28,7 @@ This scenario helps you search for both general upcoming meetings, and specific
 
 This process helps you find your upcoming meetings.
 
-1. Check to make sure your work calendar is connected and synchronized with your Azure AD account.
+1. Check to make sure your work calendar is connected and synchronized with your Microsoft Entra account.
 
 2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
 
diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md
index 17a27dc786..f8dfb7cf8e 100644
--- a/windows/configuration/cortana-at-work/test-scenario-5.md
+++ b/windows/configuration/cortana-at-work/test-scenario-5.md
@@ -25,7 +25,7 @@ This scenario helps you to send an email to a co-worker listed in your work addr
 
 This process helps you to send a quick message to a co-worker from the work address book.
 
-1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Azure AD account.
+1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Microsoft Entra account.
 
 2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
 
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 0ab80c34f4..04fb8e95d9 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -60,7 +60,10 @@
         "jborsecnik",
         "tiburd",
         "garycentric",
-        "beccarobins"
+        "beccarobins",
+        "v-stchambers",
+        "v-stsavell",
+        "American-Dipper"
       ],
       "searchScope": ["Windows 10"]
     },
diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md
index 0fdc2d15c1..7dc2ae5f02 100644
--- a/windows/configuration/kiosk-methods.md
+++ b/windows/configuration/kiosk-methods.md
@@ -65,7 +65,7 @@ There are several kiosk configuration methods that you can choose from, dependin
 
     ![icon that represents a user account.](images/user.png)
 
-    The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
+    The kiosk account can be a local standard user account, a local administrator account, a domain account, or a Microsoft Entra account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
 
 
 >[!IMPORTANT]
@@ -79,9 +79,9 @@ You can use this method | For this edition | For this kiosk account type
 --- | --- | ---
 [Assigned access in Settings](kiosk-single-app.md#local) | Pro, Ent, Edu | Local standard user
 [Assigned access cmdlets](kiosk-single-app.md#powershell)  | Pro, Ent, Edu | Local standard user
-[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard)  | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Azure AD 
-[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
-[Shell Launcher](kiosk-shelllauncher.md) v2 | Ent, Edu | Local standard user, Active Directory, Azure AD
+[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard)  | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID 
+[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Microsoft Entra ID
+[Shell Launcher](kiosk-shelllauncher.md) v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
 
 <span id="classic" />
 
@@ -89,9 +89,9 @@ You can use this method | For this edition | For this kiosk account type
 
 You can use this method | For this edition | For this kiosk account type 
 --- | --- | ---
-[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD 
-[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
-[Shell Launcher](kiosk-shelllauncher.md) v1 and v2 | Ent, Edu | Local standard user, Active Directory, Azure AD
+[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID 
+[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Microsoft Entra ID
+[Shell Launcher](kiosk-shelllauncher.md) v1 and v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
 
 <span id="desktop" />
 
@@ -99,9 +99,9 @@ You can use this method | For this edition | For this kiosk account type
 
 You can use this method | For this edition | For this kiosk account type 
 --- | --- | ---
-[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD
-[Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Azure AD
-[MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD  
+[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
+[Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Microsoft Entra ID
+[MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID  
 
 ## Summary of kiosk configuration methods
 
@@ -109,11 +109,11 @@ Method | App type | Account type | Single-app kiosk | Multi-app kiosk
 --- | --- | --- | :---: | :---:
 [Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | ✔️  |
 [Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | ✔️ |
-[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️  |
-[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md)  | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️  | ✔️
-Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | ✔️ | ✔️
-[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ | 
-[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD |  | ✔️
+[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✔️  |
+[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md)  | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✔️  | ✔️
+Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Microsoft Entra ID | ✔️ | ✔️
+[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✔️ | 
+[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID |  | ✔️
 
 
 >[!NOTE]
diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md
index 7891caf75d..9e599f8790 100644
--- a/windows/configuration/kiosk-policies.md
+++ b/windows/configuration/kiosk-policies.md
@@ -29,7 +29,7 @@ When the assigned access kiosk configuration is applied on the device, certain p
 
 ## Group Policy
 
-The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not.  These users include local users, domain users, and Azure Active Directory users.
+The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not.  These users include local users, domain users, and Microsoft Entra users.
 
 | Setting |	Value |
 | --- | --- |
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
index 0443a3047c..05323a4d02 100644
--- a/windows/configuration/kiosk-prepare.md
+++ b/windows/configuration/kiosk-prepare.md
@@ -216,7 +216,7 @@ Logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-exper
 You may also want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, from an update or power outage, you can sign in the assigned access account manually. Or, you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device don't prevent automatic sign in.
 
 > [!NOTE]
-> If you are using a Windows client device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile.
+> If you are using a Windows client device restriction CSP to set "Preferred Microsoft Entra tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile.
 
 > [!TIP]
 > If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. 
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
index fc9e86e27c..4bd3071b0d 100644
--- a/windows/configuration/kiosk-shelllauncher.md
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -52,7 +52,7 @@ For sample XML configurations for the different app combinations, see [Samples f
 >
 >- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. 
 
--   A domain, Azure Active Directory, or local user account.
+-   A domain, Microsoft Entra ID, or local user account.
 
 -   A Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer.
 
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
index db0f2a955f..e74ea773a1 100644
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@@ -85,7 +85,7 @@ You have several options for configuring your single-app kiosk.
 
 You can use **Settings** to quickly configure one or a few devices as a kiosk. 
 
-When your kiosk is a local device that isn't managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
+When your kiosk is a local device that isn't managed by Active Directory or Microsoft Entra ID, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
 
 - If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts, then you don't need to do anything.
 
@@ -235,17 +235,17 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
 
 3. Enable account management:
 
-    :::image type="content" source="images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Azure AD, or create a local admin account.":::
+    :::image type="content" source="images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Microsoft Entra ID, or create a local admin account.":::
 
     If you want to enable account management, select **Account Management**, and configure the following settings:
 
     - **Manage organization/school accounts**: Choose how devices are enrolled. Your options:
       - **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain.
-      - **Azure Active Directory**: Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Azure AD tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used.
+      - **Microsoft Entra ID**: Before you use a Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment, [set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Microsoft Entra tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used.
 
-        If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Azure AD, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions.
+        If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Microsoft Entra ID, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions.
 
-        You must run Windows Configuration Designer on Windows client to configure Azure AD enrollment using any of the wizards.
+        You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
 
       - **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in.
 
@@ -323,7 +323,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
 >
 >Account type:
 > - Local standard user
-> - Azure AD
+> - Microsoft Entra ID
 
 Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode.
 
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 0df2e63128..89f93fc919 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -311,7 +311,7 @@ The following example hides the taskbar:
 ```
 
 >[!IMPORTANT]
->The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Directory account could potentially compromise confidential information.  
+>The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information.  
 
 #### Configs
 
@@ -322,8 +322,8 @@ The full multi-app assigned access experience can only work for non-admin users.
 You can assign:
 
 - [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only)
-- [An individual account, which can be local, domain, or Azure Active Directory (Azure AD)](#config-for-individual-accounts)
-- [A group account, which can be local, Active Directory (domain), or Azure AD](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
+- [An individual account, which can be local, domain, or Microsoft Entra ID](#config-for-individual-accounts)
+- [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
 
 >[!NOTE]
 >Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
@@ -365,7 +365,7 @@ Individual accounts are specified using `<Account>`.
 
 - Local account can be entered as `machinename\account` or `.\account` or just `account`.
 - Domain account should be entered as `domain\account`.
-- Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Azure AD email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
+- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
 
 >[!WARNING]
 >Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account.  However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
@@ -373,7 +373,7 @@ Individual accounts are specified using `<Account>`.
 Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
 
 >[!NOTE]
->For both domain and Azure AD accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
+>For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
 
 ```xml
 <Configs>
@@ -388,7 +388,7 @@ Before applying the multi-app configuration, make sure the specified user accoun
 
 Group accounts are specified using `<UserGroup>`. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in `<Config/>`, user A won't have the kiosk experience.
 
-- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Azure AD accounts that are added to the local group won't have the kiosk settings applied.
+- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Microsoft Entra accounts that are added to the local group won't have the kiosk settings applied.
 
   ```xml
   <Config>
@@ -406,7 +406,7 @@ Group accounts are specified using `<UserGroup>`. Nested groups aren't supported
   </Config>
   ```
 
-- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in.
+- Microsoft Entra group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in.
 
   ```xml
   <Config>
@@ -416,7 +416,7 @@ Group accounts are specified using `<UserGroup>`. Nested groups aren't supported
   ```
 
   >[!NOTE]
-  >If an Azure AD group is configured with a lockdown profile on a device, a user in the Azure AD group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
+  >If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
 
 <span id="add-xml" />
 
@@ -588,7 +588,7 @@ When the multi-app assigned access configuration is applied on the device, certa
 
 ### Group policy
 
-The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This list includes local users, domain users, and Azure Active Directory users.
+The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This list includes local users, domain users, and Microsoft Entra users.
 
 | Setting | Value |
 | --- | --- |
diff --git a/windows/configuration/lock-down-windows-11-to-specific-apps.md b/windows/configuration/lock-down-windows-11-to-specific-apps.md
index 80c498eb6e..b2c6c66985 100644
--- a/windows/configuration/lock-down-windows-11-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-11-to-specific-apps.md
@@ -203,7 +203,7 @@ The following example hides the taskbar:
 ```
 
 > [!IMPORTANT]
-> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Directory account could potentially compromise confidential information.  
+> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information.  
 
 #### Configs
 
@@ -214,8 +214,8 @@ The full multi-app assigned access experience can only work for non-admin users.
 You can assign:
 
 - [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only)
-- [An individual account, which can be local, domain, or Azure Active Directory (Azure AD)](#config-for-individual-accounts)
-- [A group account, which can be local, Active Directory (domain), or Azure AD](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
+- [An individual account, which can be local, domain, or Microsoft Entra ID](#config-for-individual-accounts)
+- [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
 
 > [!NOTE]
 > Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
@@ -257,7 +257,7 @@ Individual accounts are specified using `<Account>`.
 
 - Local account can be entered as `machinename\account` or `.\account` or just `account`.
 - Domain account should be entered as `domain\account`.
-- Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Azure AD email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
+- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
 
 > [!WARNING]
 > Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account.  However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
@@ -265,7 +265,7 @@ Individual accounts are specified using `<Account>`.
 Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
 
 > [!NOTE]
-> For both domain and Azure AD accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
+> For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
 
 ```xml
 <Configs>
@@ -280,7 +280,7 @@ Before applying the multi-app configuration, make sure the specified user accoun
 
 Group accounts are specified using `<UserGroup>`. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in `<Config/>`, user A won't have the kiosk experience.
 
-- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Azure AD accounts that are added to the local group won't have the kiosk settings applied.
+- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Microsoft Entra accounts that are added to the local group won't have the kiosk settings applied.
 
   ```xml
   <Config>
@@ -298,7 +298,7 @@ Group accounts are specified using `<UserGroup>`. Nested groups aren't supported
   </Config>
   ```
 
-- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in.
+- Microsoft Entra group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in.
 
   ```xml
   <Config>
@@ -308,7 +308,7 @@ Group accounts are specified using `<UserGroup>`. Nested groups aren't supported
   ```
 
   > [!NOTE]
-  > If an Azure AD group is configured with a lockdown profile on a device, a user in the Azure AD group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
+  > If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
 
 <span id="add-xml" />
 
diff --git a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md
index b3207522a4..5a71baac61 100644
--- a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md
@@ -22,9 +22,11 @@ When applying a provisioning package (PPKG) containing power settings, elevated
 
 To apply the power settings successfully with the [correct security context](/windows/win32/services/localsystem-account), place the PPKG in `%WINDIR%/Provisioning/Packages` directory, and reboot the device. For more information, see [Configure power settings](/windows-hardware/customize/power-settings/configure-power-settings).
 
-## Unable to perform bulk enrollment in Azure AD
+<a name='unable-to-perform-bulk-enrollment-in-azure-ad'></a>
 
-When [enrolling devices into Azure AD using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request will be rejected, if the user requesting a bulk token is not authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent).
+## Unable to perform bulk enrollment in Microsoft Entra ID
+
+When [enrolling devices into Microsoft Entra ID using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request will be rejected, if the user requesting a bulk token is not authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent).
 
 > [!NOTE]
 > When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request may be rejected.
diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
index 4ea1962aa4..46ddabb9da 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
@@ -44,12 +44,12 @@ The desktop wizard helps you configure the following settings in a provisioning
 - Configure the device for shared use
 - Remove pre-installed software
 - Configure Wi-Fi network 
-- Enroll device in Active Directory or Azure Active Directory 
+- Enroll device in Active Directory or Microsoft Entra ID 
 - Create local administrator account 
 - Add applications and certificates
 
 >[!WARNING]
->You must run Windows Configuration Designer on Windows client to configure Azure Active Directory enrollment using any of the wizards.
+>You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
 
 Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. 
 
@@ -100,17 +100,17 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
 
 3. Enable account management:
 
-    :::image type="content" source="../images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Azure AD, or create a local admin account.":::
+    :::image type="content" source="../images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Microsoft Entra ID, or create a local admin account.":::
 
     If you want to enable account management, select **Account Management**, and configure the following settings:
 
     - **Manage organization/school accounts**: Choose how devices are enrolled. Your options:
       - **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain.
-      - **Azure Active Directory**: Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Azure AD tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used.
+      - **Microsoft Entra ID**: Before you use a Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment, [set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Microsoft Entra tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used.
 
-        If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Azure AD, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions.
+        If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Microsoft Entra ID, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions.
 
-        You must run Windows Configuration Designer on Windows client to configure Azure AD enrollment using any of the wizards.
+        You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
 
       - **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in.
 
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index e92747be63..22b8f9ad65 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -47,7 +47,7 @@ Windows Configuration Designer can create provisioning packages for Windows clie
 - Windows Server 2008 R2
 
 >[!WARNING]
->You must run Windows Configuration Designer on Windows client to configure Azure Active Directory enrollment using any of the wizards.
+>You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
 
 ## Install Windows Configuration Designer
 
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index a778b86f70..96dce6d256 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -73,8 +73,8 @@ The following table describes settings that you can configure using the wizards
 | --- | --- | --- | --- | --- |
 | Set up device | Assign device name, enter product key to upgrade Windows, configure shared use, remove pre-installed software | ✔️ | ✔️ | ✔️ |
 | Set up network | Connect to a Wi-Fi network | ✔️ | ✔️ | ✔️ |
-| Account management | Enroll device in Active Directory, enroll device in Azure Active Directory, or create a local administrator account | ✔️ | ✔️ | ✔️ |
-| Bulk Enrollment in Azure AD | Enroll device in Azure Active Directory using Bulk Token</br></br> [Set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup), before you use Windows Configuration Designer wizard to configure bulk Azure AD enrollment. | ✔️ | ✔️ | ✔️ |
+| Account management | Enroll device in Active Directory, enroll device in Microsoft Entra ID, or create a local administrator account | ✔️ | ✔️ | ✔️ |
+| Bulk Enrollment in Microsoft Entra ID | Enroll device in Microsoft Entra ID using Bulk Token</br></br> [Set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup), before you use Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment. | ✔️ | ✔️ | ✔️ |
 | Add applications | Install applications using the provisioning package.  | ✔️ | ✔️ | ❌ |
 | Add certificates | Include a certificate file in the provisioning package. | ✔️ | ✔️ | ✔️ |
 | Configure kiosk account and app | Create local account to run the kiosk mode app, specify the app to run in kiosk mode | ❌ | ✔️ | ❌ |
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index 41f4968fe9..c8ef487740 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -105,7 +105,7 @@ For more information, see [Using PowerShell scripting with the WMI Bridge Provid
 
 ## Guidance for accounts on shared PCs
 
-- When a device is configured in *shared PC mode* with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out.
+- When a device is configured in *shared PC mode* with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Microsoft Entra ID and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out.
 
 - Local accounts that already exist on a PC won't be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new guest accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign out. To set a general policy on all local accounts, you can configure the following local Group Policy setting: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles**: **Delete User Profiles Older Than A Specified Number Of Days On System Restart**.
 
@@ -150,4 +150,4 @@ To troubleshoot Shared PC, you can use the following tools:
 
 [UWP-1]: /uwp/api/windows.system.profile.sharedmodesettings
 [UWP-2]: /uwp/api/windows.system.profile.educationsettings
-[UWP-3]: /uwp/api/windows.system.profile.sharedmodesettings.shouldavoidlocalstorage
\ No newline at end of file
+[UWP-3]: /uwp/api/windows.system.profile.sharedmodesettings.shouldavoidlocalstorage
diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md
index 1678247efe..20e2c8f6fc 100644
--- a/windows/configuration/wcd/wcd-accounts.md
+++ b/windows/configuration/wcd/wcd-accounts.md
@@ -15,7 +15,7 @@ ms.technology: itpro-configure
 
 # Accounts (Windows Configuration Designer reference)
 
-Use these settings to join a device to an Active Directory domain or an Azure Active Directory tenant, or to add local user accounts to the device.
+Use these settings to join a device to an Active Directory domain or a Microsoft Entra tenant, or to add local user accounts to the device.
 
 ## Applies to
 
@@ -28,7 +28,7 @@ Use these settings to join a device to an Active Directory domain or an Azure Ac
 
 ## Azure
 
-The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Directory (Azure AD) enrollment can only be configured using one of the provisioning wizards. After you get a bulk token for Azure AD enrollment in a wizard, you can switch to the advanced editor to configure more provisioning settings. For information about using the wizards, see:
+The **Azure > Authority** and **Azure > BPRT** settings for bulk Microsoft Entra enrollment can only be configured using one of the provisioning wizards. After you get a bulk token for Microsoft Entra enrollment in a wizard, you can switch to the advanced editor to configure more provisioning settings. For information about using the wizards, see:
 
 - [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md)
 - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard)
diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md
index 97e8ca8ceb..3168b7df93 100644
--- a/windows/configuration/wcd/wcd-browser.md
+++ b/windows/configuration/wcd/wcd-browser.md
@@ -85,7 +85,7 @@ Use *Default* to specify a name that matches one of the search providers you ent
 Some countries/regions require specific, default search providers. The following table lists the applicable countries/regions and information for configuring the necessary search provider.
 
 >[!NOTE]
->For Russia + Commonwealth of Independent States (CIS), the independent states consist of Russia, Ukraine, Georgia, The Republic of Azerbaijan, Republic Of Belarus, The Republic of Kazakhstan, The Kyrgyz Republic, The Republic of Moldova, The Republic of Tajikistan, The Republic of Armenia, Turkmenistan, The Republic of Uzbekistan, and Turkey.
+>For Russia + Commonwealth of Independent States (CIS), the independent states consist of Russia, Ukraine, Georgia, The Republic of Azerbaijan, Republic Of Belarus, The Republic of Kazakhstan, The Kyrgyz Republic, The Republic of Moldova, The Republic of Tajikistan, The Republic of Armenia, Turkmenistan, The Republic of Uzbekistan, and Türkiye.
 
 
 
diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md
index fbfb42be13..9bff17847b 100644
--- a/windows/configuration/wcd/wcd-sharedpc.md
+++ b/windows/configuration/wcd/wcd-sharedpc.md
@@ -29,7 +29,7 @@ Use these settings to configure settings for accounts allowed on the shared PC.
 
 | Setting | Value | Description |
 | --- | --- | --- |
-| AccountModel  | - Only guest</br>- Domain-joined only</br>- Domain-joined and guest  | This option controls how users can sign in on the PC. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign in screen and enable anonymous guest access to the PC. </br></br>- Only guest allows anyone to use the PC as a local standard (non-admin) account.</br>- Domain-joined only allows users to sign in with an Active Directory or Azure AD account.</br>- Domain-joined and guest allows users to sign in with an Active Directory, Azure AD, or local standard account.  |
+| AccountModel  | - Only guest</br>- Domain-joined only</br>- Domain-joined and guest  | This option controls how users can sign in on the PC. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign in screen and enable anonymous guest access to the PC. </br></br>- Only guest allows anyone to use the PC as a local standard (non-admin) account.</br>- Domain-joined only allows users to sign in with an Active Directory or Microsoft Entra account.</br>- Domain-joined and guest allows users to sign in with an Active Directory, Microsoft Entra ID, or local standard account.  |
 | DeletionPolicy  | - Delete immediately </br>- Delete at disk space threshold</br>- Delete at disk space threshold and inactive threshold | - **Delete immediately** deletes the account on sign out.</br>- **Delete at disk space threshold** starts deleting accounts when available disk space falls below the threshold you set for `DiskLevelDeletion`. It stops deleting accounts when the available disk space reaches the threshold you set for `DiskLevelCaching`. Accounts are deleted in order of oldest accessed to most recently accessed.</br>- **Delete at disk space threshold and inactive threshold** applies the same disk space checks as noted above. It also deletes accounts if they haven't signed in within the number of days in `InactiveThreshold`.  |
 | DiskLevelCaching  | A number between 0 and 100  | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching.  |
 | DiskLevelDeletion  | A number between 0 and 100  | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion.  |
diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md
index 2fd7a6d426..d5071fb0e0 100644
--- a/windows/configuration/wcd/wcd-takeatest.md
+++ b/windows/configuration/wcd/wcd-takeatest.md
@@ -43,7 +43,7 @@ When set to True, students can print in the Take A Test app.
 
 Enter the account to use when taking a test.
 
-To specify a domain account, enter **domain\user**. To specify an Azure AD account, enter `username@tenant.com`. To specify a local account, enter the username.
+To specify a domain account, enter **domain\user**. To specify a Microsoft Entra account, enter `username@tenant.com`. To specify a local account, enter the username.
 
 ## Related articles
 
diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md
index d5e531d913..f2ae2c2447 100644
--- a/windows/configuration/wcd/wcd-windowsteamsettings.md
+++ b/windows/configuration/wcd/wcd-windowsteamsettings.md
@@ -45,10 +45,10 @@ A device account is a Microsoft Exchange account that's connected with Skype for
 | Email  | Email address  | Email address of the device account.  |
 | ExchangeServer  | Exchange Server  | Normally, the device will try to automatically discover the Exchange server. This field is only required if automatic discovery fails.  |
 | Password  | Password  | Password for the device account.  |
-| PasswordRotationEnabled  | 0 = enabled</br>1 = disabled  | Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, then use this setting to allow the device to manage its own password. It can change the password frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory or Azure AD.  |
+| PasswordRotationEnabled  | 0 = enabled</br>1 = disabled  | Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, then use this setting to allow the device to manage its own password. It can change the password frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory or Microsoft Entra ID.  |
 | SipAddress  | Session Initiation Protocol (SIP) address   | Normally, the device will try to automatically discover the SIP. This field is only required if automatic discovery fails.  |
 | UserName  | User name  | Username of the device account when using Active Directory.  |
-| UserPrincipalName  | User principal name (UPN)  | To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account.  |
+| UserPrincipalName  | User principal name (UPN)  | To use a device account from Microsoft Entra ID or a hybrid deployment, you should specify the UPN of the device account.  |
 | ValidateAndCommit  | Any text | Validates the data provided and then commits the changes. This process occurs automatically after the other DeviceAccount settings are applied. The text you enter for the ValidateAndCommit setting doesn't matter. |
 
 ## Dot3
diff --git a/windows/configuration/windows-accessibility-for-ITPros.md b/windows/configuration/windows-accessibility-for-ITPros.md
index 34434f0a9d..cda104c484 100644
--- a/windows/configuration/windows-accessibility-for-ITPros.md
+++ b/windows/configuration/windows-accessibility-for-ITPros.md
@@ -5,7 +5,7 @@ ms.prod: windows-client
 ms.technology: itpro-configure
 ms.author: lizlong
 author: lizgt2000
-ms.date: 06/27/2023
+ms.date: 08/11/2023
 ms.reviewer: 
 manager: aaroncz
 ms.localizationpriority: medium
@@ -16,6 +16,9 @@ appliesto:
   - ✅ <b>Windows 11</b>
 ---
 
+<!-- MAXADO-8138357 -->
+<!-- MAXADO-8138352 -->
+
 # Accessibility information for IT professionals
 
 Microsoft is dedicated to making its products and services accessible and usable for everyone. Windows includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows.
@@ -34,7 +37,7 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy
 
 ## Vision
 
-- [Use Narrator to use devices without a screen](https://support.microsoft.com/windows/complete-guide-to-narrator-e4397a0d-ef4f-b386-d8ae-c172f109bdb1). Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices. Starting in Windows 11, version 22H2, Narrator includes more natural voices.
+- [Use Narrator to use devices without a screen](https://support.microsoft.com/windows/complete-guide-to-narrator-e4397a0d-ef4f-b386-d8ae-c172f109bdb1). Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices. Now the user is able to download and install 10 more natural languages.
 
 - [Create accessible apps](/windows/apps/develop/accessibility). You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers.
 
@@ -109,8 +112,13 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy
 
 - [Hear text read aloud with Narrator](https://support.microsoft.com/windows/hear-text-read-aloud-with-narrator-040f16c1-4632-b64e-110a-da4a0ac56917). Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display.
 
+- Scripting functionality has been added to Narrator. There is store delivery of Narrator extension scripts which currently include an Outlook script and an Excel script.
+
 - [Use voice recognition](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571).
 
+<!-- MAXADO-8138354 -->
+- With spellings experience in voice access, you can dictate a complex or non-standard word letter-by-letter and add it to Windows dictionary. The next time you try to dictate the same word, voice access improves its recognition.
+
 - [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec).
 
 - [Use voice access to control your PC and author text with your voice](https://support.microsoft.com/en-us/topic/use-voice-access-to-control-your-pc-author-text-with-your-voice-4dcd23ee-f1b9-4fd1-bacc-862ab611f55d).
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 6f75499e14..ec6466cb1b 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -124,16 +124,6 @@
                   href: deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
                 - name: In-place upgrade
                   href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
-            - name: Subscription Activation
-              items:
-                - name: Windows subscription activation
-                  href: windows-10-subscription-activation.md
-                - name: Windows Enterprise E3 in CSP
-                  href: windows-10-enterprise-e3-overview.md
-                - name: Configure VDA for subscription activation
-                  href: vda-subscription-activation.md
-                - name: Deploy Windows Enterprise licenses
-                  href: deploy-enterprise-licenses.md
         - name: Deploy Windows client updates
           items:
             - name: Assign devices to servicing channels
@@ -184,6 +174,109 @@
               href: update/deployment-service-drivers.md
           - name: Troubleshoot Windows Update for Business deployment service
             href: update/deployment-service-troubleshoot.md
+    - name: Activate
+      items:
+      - name: Windows subscription activation
+        href: windows-10-subscription-activation.md
+      - name: Windows Enterprise E3 in CSP
+        href: windows-10-enterprise-e3-overview.md
+      - name: Configure VDA for subscription activation
+        href: vda-subscription-activation.md
+      - name: Deploy Windows Enterprise licenses
+        href: deploy-enterprise-licenses.md
+      - name: Volume Activation 
+        items:
+        - name: Overview
+          href: volume-activation/volume-activation-windows-10.md
+        - name: Plan for volume activation 
+          href: volume-activation/plan-for-volume-activation-client.md
+        - name: Activate using Key Management Service 
+          href: volume-activation/activate-using-key-management-service-vamt.md
+        - name: Activate using Active Directory-based activation 
+          href: volume-activation/activate-using-active-directory-based-activation-client.md
+        - name: Activate clients running Windows 10
+          href: volume-activation/activate-windows-10-clients-vamt.md
+        - name: Monitor activation 
+          href: volume-activation/monitor-activation-client.md
+        - name: Use the Volume Activation Management Tool 
+          href: volume-activation/use-the-volume-activation-management-tool-client.md
+        href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
+      - name: Volume Activation Management Tool (VAMT)
+        items:
+        - name: VAMT technical reference
+          href: volume-activation/volume-activation-management-tool.md
+        - name: Introduction to VAMT
+          href: volume-activation/introduction-vamt.md
+        - name: Active Directory-Based Activation Overview
+          href: volume-activation/active-directory-based-activation-overview.md
+        - name: Install and Configure VAMT
+          items:
+          - name: Overview
+            href: volume-activation/install-configure-vamt.md
+          - name: VAMT Requirements
+            href: volume-activation/vamt-requirements.md
+          - name: Install VAMT
+            href: volume-activation/install-vamt.md
+          - name: Configure Client Computers
+            href: volume-activation/configure-client-computers-vamt.md
+        - name: Add and Manage Products
+          items:
+          - name: Overview
+            href: volume-activation/add-manage-products-vamt.md
+          - name: Add and Remove Computers
+            href: volume-activation/add-remove-computers-vamt.md
+          - name: Update Product Status
+            href: volume-activation/update-product-status-vamt.md
+          - name: Remove Products
+            href: volume-activation/remove-products-vamt.md
+        - name: Manage Product Keys
+          items:
+          - name: Overview
+            href: volume-activation/manage-product-keys-vamt.md
+          - name: Add and Remove a Product Key
+            href: volume-activation/add-remove-product-key-vamt.md
+          - name: Install a Product Key
+            href: volume-activation/install-product-key-vamt.md
+          - name: Install a KMS Client Key
+            href: volume-activation/install-kms-client-key-vamt.md
+        - name: Manage Activations
+          items:
+          - name: Overview
+            href: volume-activation/manage-activations-vamt.md
+          - name: Run Online Activation
+            href: volume-activation/online-activation-vamt.md
+          - name: Run Proxy Activation
+            href: volume-activation/proxy-activation-vamt.md
+          - name: Run KMS Activation
+            href: volume-activation/kms-activation-vamt.md
+          - name: Run Local Reactivation
+            href: volume-activation/local-reactivation-vamt.md
+          - name: Activate an Active Directory Forest Online
+            href: volume-activation/activate-forest-vamt.md
+          - name: Activate by Proxy an Active Directory Forest
+            href: volume-activation/activate-forest-by-proxy-vamt.md
+        - name: Manage VAMT Data
+          items:
+          - name: Overview
+            href: volume-activation/manage-vamt-data.md
+          - name: Import and Export VAMT Data
+            href: volume-activation/import-export-vamt-data.md
+          - name: Use VAMT in Windows PowerShell
+            href: volume-activation/use-vamt-in-windows-powershell.md
+          - name: VAMT Step-by-Step Scenarios
+            items:
+            - name: Overview
+              href: volume-activation/vamt-step-by-step.md
+            - name: "Scenario 1: Online Activation"
+              href: volume-activation/scenario-online-activation-vamt.md
+            - name: "Scenario 2: Proxy Activation"
+              href: volume-activation/scenario-proxy-activation-vamt.md
+            - name: "Scenario 3: KMS Client Activation"
+              href: volume-activation/scenario-kms-activation-vamt.md
+          - name: VAMT Known Issues
+            href: volume-activation/vamt-known-issues.md
+      - name: Information sent to Microsoft during activation
+        href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
     - name: Monitor
       items:
       - name: Windows Update for Business reports
@@ -280,9 +373,9 @@
         - name: How does Windows Update work?
           href: update/how-windows-update-works.md
         - name: Windows client upgrade paths
-          href: upgrade/windows-10-upgrade-paths.md
+          href: upgrade/windows-upgrade-paths.md
         - name: Windows client edition upgrade
-          href: upgrade/windows-10-edition-upgrades.md
+          href: upgrade/windows-edition-upgrades.md
         - name: Deploy Windows 10 with Microsoft 365
           href: deploy-m365.md
         - name: Understand the Unified Update Platform
@@ -311,81 +404,6 @@
                   href: configure-a-pxe-server-to-load-windows-pe.md
                 - name: Windows ADK for Windows 10 scenarios for IT Pros
                   href: windows-adk-scenarios-for-it-pros.md
-                - name: Volume Activation Management Tool (VAMT) technical reference
-                  items:
-                    - name: VAMT technical reference
-                      href: volume-activation/volume-activation-management-tool.md
-                    - name: Introduction to VAMT
-                      href: volume-activation/introduction-vamt.md
-                    - name: Active Directory-Based Activation Overview
-                      href: volume-activation/active-directory-based-activation-overview.md
-                    - name: Install and Configure VAMT
-                      items:
-                      - name: Overview
-                        href: volume-activation/install-configure-vamt.md
-                      - name: VAMT Requirements
-                        href: volume-activation/vamt-requirements.md
-                      - name: Install VAMT
-                        href: volume-activation/install-vamt.md
-                      - name: Configure Client Computers
-                        href: volume-activation/configure-client-computers-vamt.md
-                    - name: Add and Manage Products
-                      items:
-                      - name: Overview
-                        href: volume-activation/add-manage-products-vamt.md
-                      - name: Add and Remove Computers
-                        href: volume-activation/add-remove-computers-vamt.md
-                      - name: Update Product Status
-                        href: volume-activation/update-product-status-vamt.md
-                      - name: Remove Products
-                        href: volume-activation/remove-products-vamt.md
-                    - name: Manage Product Keys
-                      items:
-                      - name: Overview
-                        href: volume-activation/manage-product-keys-vamt.md
-                      - name: Add and Remove a Product Key
-                        href: volume-activation/add-remove-product-key-vamt.md
-                      - name: Install a Product Key
-                        href: volume-activation/install-product-key-vamt.md
-                      - name: Install a KMS Client Key
-                        href: volume-activation/install-kms-client-key-vamt.md
-                    - name: Manage Activations
-                      items:
-                      - name: Overview
-                        href: volume-activation/manage-activations-vamt.md
-                      - name: Run Online Activation
-                        href: volume-activation/online-activation-vamt.md
-                      - name: Run Proxy Activation
-                        href: volume-activation/proxy-activation-vamt.md
-                      - name: Run KMS Activation
-                        href: volume-activation/kms-activation-vamt.md
-                      - name: Run Local Reactivation
-                        href: volume-activation/local-reactivation-vamt.md
-                      - name: Activate an Active Directory Forest Online
-                        href: volume-activation/activate-forest-vamt.md
-                      - name: Activate by Proxy an Active Directory Forest
-                        href: volume-activation/activate-forest-by-proxy-vamt.md
-                    - name: Manage VAMT Data
-                      items:
-                      - name: Overview
-                        href: volume-activation/manage-vamt-data.md
-                      - name: Import and Export VAMT Data
-                        href: volume-activation/import-export-vamt-data.md
-                      - name: Use VAMT in Windows PowerShell
-                        href: volume-activation/use-vamt-in-windows-powershell.md
-                    - name: VAMT Step-by-Step Scenarios
-                      items:
-                      - name: Overview
-                        href: volume-activation/vamt-step-by-step.md
-                      - name: "Scenario 1: Online Activation"
-                        href: volume-activation/scenario-online-activation-vamt.md
-                      - name: "Scenario 2: Proxy Activation"
-                        href: volume-activation/scenario-proxy-activation-vamt.md
-                      - name: "Scenario 3: KMS Client Activation"
-                        href: volume-activation/scenario-kms-activation-vamt.md
-                    - name: VAMT Known Issues
-                      href: volume-activation/vamt-known-issues.md
-        
                 - name: User State Migration Tool (USMT) technical reference
                   items:
                     - name: USMT overview articles
@@ -553,26 +571,7 @@
                     href: planning/testing-your-application-mitigation-packages.md
                   - name: Use the Sdbinst.exe Command-Line Tool
                     href: planning/using-the-sdbinstexe-command-line-tool.md
-                - name: Volume Activation 
-                  items:
-                  - name: Overview
-                    href: volume-activation/volume-activation-windows-10.md
-                  - name: Plan for volume activation 
-                    href: volume-activation/plan-for-volume-activation-client.md
-                  - name: Activate using Key Management Service 
-                    href: volume-activation/activate-using-key-management-service-vamt.md
-                  - name: Activate using Active Directory-based activation 
-                    href: volume-activation/activate-using-active-directory-based-activation-client.md
-                  - name: Activate clients running Windows 10
-                    href: volume-activation/activate-windows-10-clients-vamt.md
-                  - name: Monitor activation 
-                    href: volume-activation/monitor-activation-client.md
-                  - name: Use the Volume Activation Management Tool 
-                    href: volume-activation/use-the-volume-activation-management-tool-client.md
-                - name: "Appendix: Information sent to Microsoft during activation "
-                  href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
-
         - name: Install fonts in Windows client
           href: windows-10-missing-fonts.md
         - name: Customize Windows PE boot images
-          href: customize-boot-image.md
+          href: customize-boot-image.md
\ No newline at end of file
diff --git a/windows/deployment/breadcrumb/toc.yml b/windows/deployment/breadcrumb/toc.yml
index 65a30e06f7..211570e4b0 100644
--- a/windows/deployment/breadcrumb/toc.yml
+++ b/windows/deployment/breadcrumb/toc.yml
@@ -1,60 +1,3 @@
-items:
-- name: Learn
-  tocHref: /
-  topicHref: /
-  items:
-  - name: Windows
-    tocHref: /troubleshoot/windows-client/
-    topicHref: /windows/resources/
-    items:
-    - name: Deployment
-      tocHref: /troubleshoot/windows-client/deployment/
-      topicHref: /windows/deployment/
-
-- name: Learn
-  tocHref: /
-  topicHref: /
-  items:
-  - name: Windows
-    tocHref: /windows/
-    topicHref: /windows/resources/
-    items:
-    - name: Deployment
-      tocHref: /windows/whats-new
-      topicHref: /windows/deployment/
-
-- name: Learn
-  tocHref: /
-  topicHref: /
-  items:
-  - name: Windows
-    tocHref: /mem/intune/
-    topicHref: /windows/resources/
-    items:
-    - name: Deployment
-      tocHref: /mem/intune/protect/
-      topicHref: /windows/deployment/
-
-- name: Learn
-  tocHref: /
-  topicHref: /
-  items:
-  - name: Windows
-    tocHref: /windows/
-    topicHref: /windows/resources/
-    items:
-    - name: Deployment
-      tocHref: /windows/client-management/mdm
-      topicHref: /windows/deployment/     
-
-- name: Learn
-  tocHref: /
-  topicHref: /
-  items:
-  - name: Windows
-    tocHref: /windows/
-    topicHref: /windows/resources/
-    items:
-    - name: Deployment
-      tocHref: /windows/deployment/do
-      topicHref: /windows/deployment/
\ No newline at end of file
+- name: Windows
+  tocHref: /windows/
+  topicHref: /windows/index
diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md
index 1e160b35dd..3b52b209f3 100644
--- a/windows/deployment/customize-boot-image.md
+++ b/windows/deployment/customize-boot-image.md
@@ -56,9 +56,9 @@ This walkthrough describes how to customize a Windows PE boot image including up
 
     For this walk-through, when the Windows ADK is installed, it's only necessary to install the **Deployment Tools**. Other products, such as Microsoft Configuration Manager and Microsoft Deployment Toolkit (MDT), may require additional features installed, such as the **User State Migration Tool (USMT)**.
 
-    One of the tools installed when installing the the **Deployment Tools** feature is the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option to run the commands in this walk-through, make sure to run the commands from an elevated **Deployment and Imaging Tools Environment** command prompt. The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**.
+    One of the tools installed when installing the **Deployment Tools** feature is the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option to run the commands in this walk-through, make sure to run the commands from an elevated **Deployment and Imaging Tools Environment** command prompt. The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**.
 
-    The paths in this article assume the Windows ADK was installed at the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed to a different location, then adjust the paths during the walk-through accordingly.
+    The paths in this article assume the Windows ADK was installed at the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed in a different location, then adjust the paths during the walk-through accordingly.
 
 1. Download and install the **Windows PE add-on for the Windows ADK** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). The **Windows PE add-on for the Windows ADK** is a separate download and install from the **Windows Assessment and Deployment Kit (Windows ADK)**. Make sure to individually download and install both.
 
@@ -70,13 +70,13 @@ This walkthrough describes how to customize a Windows PE boot image including up
 >
 > - Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10. If using MDT, the recommendation is to instead use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version was the last version of the Windows ADK supported by MDT.
 >
-> - The latest versions of the **Windows PE add-on for the Windows ADK** only includes 64-bit boot images. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version of the Windows ADK was the last version to include both 32-bit and 64-bit boot images.
+> - The latest versions of the **Windows PE add-on for the Windows ADK** only includes a 64-bit boot image. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version of the Windows ADK was the last version to include both 32-bit and 64-bit boot images.
 
 ## Step 2: Download cumulative update (CU)
 
 1. Go to the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site and search for the latest cumulative update. The Windows version of the cumulative update should match the version of the Windows PE boot image that is being updated.
 
-1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"<year>-<month> cumulative update for windows <x>"` where `year` is the four digit current year, `<month>` is the two digit current month, and `<x>` is the version of Windows that Windows PE is based on. Make sure to include the quotes (`"`). For example, to search for the latest cumulative update for Windows 11 in August 2023, use the search term `"2023-08 cumulative update for windows 11"`, again making sure to include the quotes. If the cumulative update hasn't been released yet for the current month, then search on the previous month.
+1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"<year>-<month> cumulative update for windows <x>"` where `year` is the four-digit current year, `<month>` is the two-digit current month, and `<x>` is the version of Windows that Windows PE is based on. Make sure to include the quotes (`"`). For example, to search for the latest cumulative update for Windows 11 in August 2023, use the search term `"2023-08 cumulative update for Windows 11"`, again making sure to include the quotes. If the cumulative update hasn't been released yet for the current month, then search for the previous month.
 
 1. Once the cumulative update has been found, download the appropriate version for the version and architecture of Windows that matches the Windows PE boot image. For example, if the version of the Windows PE boot image is Windows 11 22H2 64-bit, then download the **Cumulative Update for Windows 11 Version 22H2 for x64-based Systems** version of the update.
 
@@ -249,7 +249,7 @@ The cumulative update installed later in this walkthrough doesn't affect drivers
 
 > [!TIP]
 >
-> A full set of drivers is not needed in Windows PE boot images. Only a small subset of drivers is needed that provide basic functionality while in WinPE. In most cases, no drivers need to be added to an out of box Windows ADK boot image since it already has many drivers built in. Don't add drivers to a boot image until it is verified that they are needed. When drivers do need to be added, generally only network (NIC) drivers are needed. Occasionally, mass storage (disk) may also be needed. Some Surface devices may also need keyboard and mouse drivers.
+> A full set of drivers is not needed in Windows PE boot images. Only a small subset of drivers is needed that provides basic functionality while in WinPE. In most cases, no drivers need to be added to an out-of-box Windows ADK boot image since it already has many drivers built in. Don't add drivers to a boot image until it is verified that they are needed. When drivers do need to be added, generally only network (NIC) drivers are needed. Occasionally, mass storage (disk) may also be needed. Some Surface devices may also need keyboard and mouse drivers.
 
 > [!IMPORTANT]
 >
@@ -304,9 +304,9 @@ The cumulative update installed later in this walkthrough doesn't affect drivers
 
     ---
 
-1. After adding an optional component to the boot image, make sure to also add the language specific component for that optional component.
+1. After adding an optional component to the boot image, make sure to also add the language-specific component for that optional component.
 
-    Not all optional components have the language specific component. However, for optional components that do have a language specific component, make sure that the language specific component is installed.
+    Not all optional components have the language-specific component. However, for optional components that do have a language-specific component, make sure that the language-specific component is installed.
 
     To check if an optional component has a language component, check the `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\<Language>\` directory to see if there's a matching language component for that optional component.
 
@@ -507,7 +507,7 @@ DISM Package Manager: PID=<PID> TID=<TID> Failed while processing command add-pa
 
 ---
 
-The problem occurs when the WinPE boot image that is being serviced requires installation of a servicing stack update (SSU) before installation of the cumulative update (CU) can occur. The problem usually occurs when using older Windows ADKs and older versions of Windows PE. The suggested fix is to upgrade to the latest version of the Windows ADK and Windows PE. The latest versions of the Windows ADK and Windows PE most likely don't need a servicing stack update (SSU) installed before installing the cumulative update (CU).
+The problem occurs when the WinPE boot image that is being serviced requires the installation of a servicing stack update (SSU) before installation of the cumulative update (CU) can occur. The problem usually occurs when using older Windows ADKs and older versions of Windows PE. The suggested fix is to upgrade to the latest version of the Windows ADK and Windows PE. The latest versions of the Windows ADK and Windows PE most likely don't need a servicing stack update (SSU) installed before installing the cumulative update (CU).
 
 For scenarios where older versions of the Windows ADK and Windows PE need to be used, for example when using Microsoft Deployment Toolkit (MDT), the servicing stack update needs to be installed before installing the cumulative update. The servicing stack update (SSU) is contained within the cumulative update (CU). To obtain the servicing stack update (SSU) so that it can be applied, it can be extracted from the cumulative update (CU).
 
@@ -515,7 +515,7 @@ The following steps outline how to extract and then install the servicing stack
 
 > [!IMPORTANT]
 >
-> These steps are only necessary if error `0x800f0823` occurs when installing the cumulative update (CU) to the boot image. If error `0x800f0823` didn't occur when installing the cumulative update (CU) to the boot image, then skip to the next step [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path)
+> These steps are only necessary if the error `0x800f0823` occurs when installing the cumulative update (CU) to the boot image. If error `0x800f0823` didn't occur when installing the cumulative update (CU) to the boot image, then skip to the next step [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path)
 
 1. Create a folder to extract the servicing stack update (SSU) into. For example, `C:\Updates\Extract`:
 
@@ -627,7 +627,7 @@ For more information, see [Copy-Item](/powershell/module/microsoft.powershell.ma
 
 ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line)
 
-From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands also back up any existing bootmgr boot files its finds. When applicable, the commands need confirmation to overwrite any existing files:
+From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands also back up any existing bootmgr boot files it finds. When applicable, the commands need confirmation to overwrite any existing files:
 
 ```cmd
 copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.bak.efi"
@@ -934,15 +934,15 @@ This process has the following advantages:
 
 1. Helps manage components in the boot image. The process doesn't need to know what components may need to be removed from the boot image each time the boot image is rebuilt. Instead, it just needs to know what components need to be added to the boot image.
 
-1. It reduces the size of the boot image that can occur when components are repeatedly added to and removed from the boot image.
+1. It reduces the size of the boot image which can occur when components are repeatedly added to and removed from the boot image.
 
 Configuration Manager updates the `boot.wim` boot image in two scenarios:
 
-1. When Configuration Manager is upgraded between version or a hotfix roll ups (HFRUs) is applied, `boot.wim` may be updated as part of the upgrade process.
+1. When Configuration Manager is upgraded between versions or a hotfix roll-up (HFRU) is applied, `boot.wim` may be updated as part of the upgrade process.
 
 1. When selecting the option **Reload this boot image with the current Windows PE version from the Windows ADK** in the **Update Distribution Points Wizard**.
 
-In theses scenarios, the `boot.wim` boot image is updated using the `winpe.wim` boot image from the Windows ADK as described earlier in this section. This process creates a new pristine copy of the `boot.wim` boot image using the current version of the `winpe.wim` boot image that is part of the Windows ADK.
+In these scenarios, the `boot.wim` boot image is updated using the `winpe.wim` boot image from the Windows ADK as described earlier in this section. This process creates a new pristine copy of the `boot.wim` boot image using the current version of the `winpe.wim` boot image that is part of the Windows ADK.
 
 ### Which boot image should be updated with the cumulative update?
 
@@ -954,7 +954,7 @@ The `winpe.wim` boot image from the Windows ADK should be updated because if `bo
 >
 > Never manually update the `boot.<package_id>.wim` boot image. In addition to facing the same issues when manually updating the `boot.wim` boot image,  the `boot.<package_id>.wim` boot image will also face additional issues such as:
 >
-> - Any time any changes are done to the boot image, such as adding drivers, enabling the command prompt. etc, any manual changes done to the boot image, including the cumulative update, will be lost.
+> - Any time any changes are done to the boot image (adding drivers, enabling the command prompt, etc.), any manual changes done to the boot image, including the cumulative update, will be lost.
 >
 > - Manually changing the `boot.<package_id>.wim` boot image changes the hash value of the boot image. A change in the hash value of the boot image can lead to download failures when downloading the boot image from a distribution point.
 
@@ -993,9 +993,9 @@ For a list of all available WinPE optional components including descriptions for
 
 After updating the `winpe.wim` boot image from the Windows ADK, generate a new `boot.wim` boot image for Configuration Manager so that it contains the cumulative update. A new `boot.wim` boot image can be generated by using the following steps:
 
-1. Open the Microsoft Configuration manager console.
+1. Open the Microsoft Configuration Manager console.
 
-1. In the Microsoft Configuration manager console, navigate to **Software Library** > **Overview** > **Operating Systems** > **Boot Images**.
+1. In the Microsoft Configuration Manager console, navigate to **Software Library** > **Overview** > **Operating Systems** > **Boot Images**.
 
 1. In the **Boot Images** pane, select the desired boot image.
 
@@ -1011,11 +1011,11 @@ After updating the `winpe.wim` boot image from the Windows ADK, generate a new `
 
     1. Once the boot image finishes building, the **The task "Update Distribution Points Wizard" completed successfully**/**Completion** page appears. Select the **Close** button.
 
-This process updates the boot image used by Configuration Manager. It also updates the boot image and the bootmgr boot files used by any PXE enabled distribution points.
+This process updates the boot image used by Configuration Manager. It also updates the boot image and the bootmgr boot files used by any PXE-enabled distribution points.
 
 > [!IMPORTANT]
 >
-> If there are multiple boot images used in the environment for PXE enabled distribution points, make sure to update all of the PXE enabled boot images with the same cumulative update. This will ensure that the PXE enabled distribution points all use the version of the bootmgr boot files extracted from the boot images (if applicable).
+> If there are multiple boot images used in the environment for PXE-enabled distribution points, make sure to update all of the PXE-enabled boot images with the same cumulative update. This will ensure that the PXE-enabled distribution points all use the version of the bootmgr boot files extracted from the boot images (if applicable).
 
 ### Updating Configuration Manager boot media
 
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index 92d3cab701..8ad4658ea1 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -19,7 +19,7 @@ ms.date: 11/23/2022
 
 # Deploy Windows Enterprise licenses
 
-This article describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [subscription activation](windows-10-subscription-activation.md) or [Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
+This article describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [subscription activation](windows-10-subscription-activation.md) or [Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Microsoft Entra ID.
 
 These activation features require a supported and licensed version of Windows 10 Pro or Windows 11 Pro:
 
@@ -66,24 +66,26 @@ If you need to update contact information and resend the activation email, use t
 ## Preparing for deployment: reviewing requirements
 
 - Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro
-- Azure AD-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible.
+- Microsoft Entra joined, or hybrid domain joined with Microsoft Entra Connect. Customers who are federated with Microsoft Entra ID are also eligible.
 
 For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this article.
 
-### Active Directory synchronization with Azure AD
+<a name='active-directory-synchronization-with-azure-ad'></a>
 
-If you have an on-premises Active Directory Domain Services (AD DS) domain, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. This synchronization is required for users to have a _single identity_ that they can use to access their on-premises apps and cloud services that use Azure AD. An example of a cloud service is Windows Enterprise E3 or E5.
+### Active Directory synchronization with Microsoft Entra ID
 
-**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. Azure AD Connect is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
+If you have an on-premises Active Directory Domain Services (AD DS) domain, you need to synchronize the identities in the on-premises AD DS domain with Microsoft Entra ID. This synchronization is required for users to have a _single identity_ that they can use to access their on-premises apps and cloud services that use Microsoft Entra ID. An example of a cloud service is Windows Enterprise E3 or E5.
+
+**Figure 1** illustrates the integration between the on-premises AD DS domain with Microsoft Entra ID. Microsoft Entra Connect is responsible for synchronization of identities between the on-premises AD DS domain and Microsoft Entra ID. Microsoft Entra Connect is a service that you can install on-premises or in a virtual machine in Azure.
 
 :::image type="content" source="images/enterprise-e3-ad-connect.png" alt-text="Figure 1 illustrates the integration between the on-premises AD DS domain with Azure AD.":::
 
-Figure 1: On-premises AD DS integrated with Azure AD
+Figure 1: On-premises AD DS integrated with Microsoft Entra ID
 
-For more information about integrating on-premises AD DS domains with Azure AD, see the following resources:
+For more information about integrating on-premises AD DS domains with Microsoft Entra ID, see the following resources:
 
-- [What is hybrid identity with Azure Active Directory?](/azure/active-directory/hybrid/whatis-hybrid-identity)
-- [Azure AD Connect and Azure AD Connect Health installation roadmap](/azure/active-directory/hybrid/how-to-connect-install-roadmap)
+- [What is hybrid identity with Microsoft Entra ID?](/azure/active-directory/hybrid/whatis-hybrid-identity)
+- [Microsoft Entra Connect and Microsoft Entra Connect Health installation roadmap](/azure/active-directory/hybrid/how-to-connect-install-roadmap)
 
 ## Assigning licenses to users
 
@@ -93,7 +95,7 @@ After you've ordered the Windows subscription (Windows 10 Business, E3 or E5), y
 
 The following methods are available to assign licenses:
 
-- When you have the required Azure AD subscription, [group-based licensing](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
+- When you have the required Microsoft Entra subscription, [group-based licensing](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
 
 - You can sign in to the Microsoft 365 admin center and manually assign licenses:
 
@@ -113,11 +115,15 @@ Now that you've established a subscription and assigned licenses to users, you c
 > [!NOTE]
 > The following experiences are specific to Windows 10. The general concepts also apply to Windows 11.
 
-### Step 1: Join Windows Pro devices to Azure AD
+<a name='step-1-join-windows-pro-devices-to-azure-ad'></a>
 
-You can join a Windows Pro device to Azure AD during setup, the first time the device starts. You can also join a device that's already set up.
+### Step 1: Join Windows Pro devices to Microsoft Entra ID
 
-#### Join a device to Azure AD the first time the device is started
+You can join a Windows Pro device to Microsoft Entra ID during setup, the first time the device starts. You can also join a device that's already set up.
+
+<a name='join-a-device-to-azure-ad-the-first-time-the-device-is-started'></a>
+
+#### Join a device to Microsoft Entra ID the first time the device is started
 
 1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then select **Next**.
 
@@ -125,21 +131,23 @@ You can join a Windows Pro device to Azure AD during setup, the first time the d
 
     Figure 2: The "Who owns this PC?" page in initial Windows 10 setup.
 
-1. On the **Choose how you'll connect** page, select **Join Azure AD**, and then select **Next**.
+1. On the **Choose how you'll connect** page, select **Join Microsoft Entra ID**, and then select **Next**.
 
     :::image type="content" source="images/enterprise-e3-choose-how.png" alt-text="A screenshot of the 'Choose how you'll connect' page in Windows 10 setup.":::
 
     Figure 3: The "Choose how you'll connect" page in initial Windows 10 setup.
 
-1. On the **Let's get you signed in** page, enter your Azure AD credentials, and then select **Sign in**.
+1. On the **Let's get you signed in** page, enter your Microsoft Entra credentials, and then select **Sign in**.
 
     :::image type="content" source="images/enterprise-e3-lets-get.png" alt-text="A screenshot of the 'Let's get you signed in' page in Windows 10 setup.":::
 
     Figure 4: The "Let's get you signed in" page in initial Windows 10 setup.
 
-Now the device is Azure AD-joined to the organization's subscription.
+Now the device is Microsoft Entra joined to the organization's subscription.
 
-#### Join a device to Azure AD when the device is already set up with Windows 10 Pro
+<a name='join-a-device-to-azure-ad-when-the-device-is-already-set-up-with-windows-10-pro'></a>
+
+#### Join a device to Microsoft Entra ID when the device is already set up with Windows 10 Pro
 
 > [!IMPORTANT]
 > Make sure that the user you're signing in with is _not_ the **BUILTIN/Administrator** account. That user can't use the `+ Connect` action to join a work or school account.
@@ -150,31 +158,33 @@ Now the device is Azure AD-joined to the organization's subscription.
 
     Figure 5: "Connect to work or school" configuration in Settings.
 
-1. In **Set up a work or school account**, select **Join this device to Azure Active Directory**.
+1. In **Set up a work or school account**, select **Join this device to Microsoft Entra ID**.
 
     :::image type="content" source="images/enterprise-e3-set-up-work-or-school.png" alt-text="A screenshot of the 'Set up a work or school account' wizard.":::
 
     Figure 6: Set up a work or school account.
 
-1. On the **Let's get you signed in** page, enter your Azure AD credentials, and then select **Sign in**.
+1. On the **Let's get you signed in** page, enter your Microsoft Entra credentials, and then select **Sign in**.
 
     :::image type="content" source="images/enterprise-e3-lets-get-2.png" alt-text="A screenshot of the 'Let's get you signed in' window.":::
 
     Figure 7: The "Let's get you signed in" window.
 
-Now the device is Azure AD-joined to the organization's subscription.
+Now the device is Microsoft Entra joined to the organization's subscription.
 
 ### Step 2: Pro edition activation
 
 If the device is running a supported version of Windows 10 or Windows 11, it automatically activates Windows Enterprise edition using the firmware-embedded activation key.
 
-### Step 3: Sign in using Azure AD account
+<a name='step-3-sign-in-using-azure-ad-account'></a>
 
-Once the device is joined to Azure AD, users will sign in with their Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
+### Step 3: Sign in using Microsoft Entra account
 
-:::image type="content" source="images/enterprise-e3-sign-in.png" alt-text="A screenshot of signing in to Windows 10 as an Azure AD user.":::
+Once the device is joined to Microsoft Entra ID, users will sign in with their Microsoft Entra account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
 
-Figure 8: Sign in to Windows 10 with an Azure AD account.
+:::image type="content" source="images/enterprise-e3-sign-in.png" alt-text="A screenshot of signing in to Windows 10 as a Microsoft Entra user.":::
+
+Figure 8: Sign in to Windows 10 with a Microsoft Entra account.
 
 ### Step 4: Verify that Enterprise edition is enabled
 
@@ -246,7 +256,7 @@ It displays both of the previously mentioned error messages.
 
 Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro. Earlier versions of Windows 10, such as version 1703, don't support this feature.
 
-Devices must also be joined to Azure AD, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible.
+Devices must also be joined to Microsoft Entra ID, or hybrid domain joined with Microsoft Entra Connect. Customers who are federated with Microsoft Entra ID are also eligible.
 
 Use the following procedures to review whether a particular device meets these requirements.
 
@@ -260,11 +270,13 @@ To determine if the computer has a firmware-embedded activation key, enter the f
 
 If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.
 
-#### Determine if a device is Azure AD-joined
+<a name='determine-if-a-device-is-azure-ad-joined'></a>
+
+#### Determine if a device is Microsoft Entra joined
 
 1. Open a command prompt and enter `dsregcmd /status`.
 
-1. Review the output in the **Device State** section. If the **AzureAdJoined** value is **YES**, the device is joined to Azure AD.
+1. Review the output in the **Device State** section. If the **AzureAdJoined** value is **YES**, the device is joined to Microsoft Entra ID.
 
 #### Determine the version of Windows
 
@@ -296,4 +308,4 @@ If a device isn't able to connect to Windows Update, it can lose activation stat
 
 Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another [qualified multitenant hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download).
 
-Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Azure AD-joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md).
+Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md).
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index cef1350b94..dd75e9b3fc 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -11,7 +11,7 @@ ms.technology: itpro-deploy
 ms.collection:
   - highpri
   - tier3
-ms.date: 11/28/2022
+ms.date: 10/13/2023
 ---
 
 # Prepare for deployment with MDT
@@ -135,7 +135,8 @@ To install WSUS on MDT01, enter the following at an elevated Windows PowerShell
 
 ```powershell
 Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI
-"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS
+cd "C:\Program Files\Update Services\Tools"
+.\wsusutil.exe postinstall CONTENT_DIR=C:\WSUS
 ```
 
 > [!NOTE]
@@ -264,19 +265,19 @@ See the following example:
 
 ![Logs folder.](../images/mdt-05-fig08.png)
 
-## Use CMTrace to read log files (optional)
+## Use Support Center OneTrace or CMTrace to read log files (optional)
 
-The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace ([CMTrace](/mem/configmgr/core/support/cmtrace)).
+The log files in MDT Lite Touch are formatted to be read by [Support Center OneTrace](/mem/configmgr/core/support/support-center-onetrace) or [CMTrace](/mem/configmgr/core/support/cmtrace).
 
-You can use Notepad (example below):
+Notepad can be used to read the log files (example below):
 
 ![figure 8.](../images/mdt-05-fig09.png)
 
-Alternatively, CMTrace formatting makes the logs much easier to read. See the same log file below, opened in CMTrace:
+However, Support Center OneTrace or CMTrace makes the logs much easier to read. See the same log file below, opened in CMTrace:
 
 ![figure 9.](../images/mdt-05-fig10.png)
 
-After installing the ConfigMgrTools.msi file, you can search for **cmtrace** and pin the tool to your taskbar for easy access.
+Both Support Center OneTrace and CMTrace are available as part of Microsoft Configuration Manager.
 
 ## Next steps
 
diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md
index aa74140003..9189e7e85d 100644
--- a/windows/deployment/do/delivery-optimization-endpoints.md
+++ b/windows/deployment/do/delivery-optimization-endpoints.md
@@ -1,25 +1,24 @@
 ---
 title: Microsoft Connected Cache content and services endpoints
-description: List of fully qualified domain names, ports, and associated content types to use Delivery Optimization and Microsoft Connected Cache.
-ms.date: 03/31/2023
+description: List of fully qualified domain names, ports, and associated content used by Microsoft Connected Cache.
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: reference
-ms.localizationpriority: medium
 author: cmknox
 ms.author: carmenf
 ms.reviewer: mstewart
 manager: aaroncz
 ms.collection: tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>
+- ✅ <a href=https://learn.microsoft.com/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache target=_blank>Connected Cache on a Configuration Manager distribution point</a>		
+ms.date: 03/31/2023
 ---
 
 # Microsoft Connected Cache content and services endpoints
 
-_Applies to:_
-
-- Windows 11
-- Windows 10
-
 > [!NOTE]
 > All ports are outbound.
 
diff --git a/windows/deployment/do/delivery-optimization-proxy.md b/windows/deployment/do/delivery-optimization-proxy.md
index 922909b41d..70feba838a 100644
--- a/windows/deployment/do/delivery-optimization-proxy.md
+++ b/windows/deployment/do/delivery-optimization-proxy.md
@@ -1,25 +1,24 @@
 ---
 title: Using a proxy with Delivery Optimization
-manager: aaroncz
-description: Settings to use with various proxy configurations to allow Delivery Optimization to work
+description: Settings to use with various proxy configurations to allow Delivery Optimization to work in your environment.
 ms.prod: windows-client
-author: cmknox
-ms.localizationpriority: medium
-ms.author: carmenf
-ms.topic: article
 ms.technology: itpro-updates
-ms.date: 12/31/2017
-ms.collection: tier3
+ms.topic: conceptual
+author: cmknox
+ms.author: carmenf
+manager: aaroncz
 ms.reviewer: mstewart
+ms.collection: tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
+ms.date: 06/02/2023
 ---
 
 # Using a proxy with Delivery Optimization
 
-**Applies to:**
-
-- Windows 11
-- Windows 10
-
 When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls.
 
 Delivery Optimization provides a token to WinHttp that corresponds to the user that is signed in currently. In turn, WinHttp automatically authenticates the user against the proxy server set either in Internet Explorer or in the **Proxy Settings** menu in Windows.  
diff --git a/windows/deployment/do/delivery-optimization-test.md b/windows/deployment/do/delivery-optimization-test.md
index 978410d908..bb0123cd75 100644
--- a/windows/deployment/do/delivery-optimization-test.md
+++ b/windows/deployment/do/delivery-optimization-test.md
@@ -1,16 +1,20 @@
 ---
 title: Testing Delivery Optimization
-description: Explanation of Delivery Optimization distributed cache and high-level design. Demonstrate how Delivery Optimization peer-to-peer works in different test scenarios.
-ms.date: 11/08/2022
+description: Explanation of Delivery Optimization distributed cache and high-level design. Demonstrate how Delivery Optimization peer-to-peer works in different scenarios.
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: reference
-ms.localizationpriority: medium
 author: cmknox
 ms.author: carmenf
 ms.reviewer: mstewart
 manager: aaroncz
 ms.collection: tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
+ms.date: 11/08/2022
 ---
 
 # Testing Delivery Optimization
diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md
index c201a86893..b5082f4ec4 100644
--- a/windows/deployment/do/delivery-optimization-workflow.md
+++ b/windows/deployment/do/delivery-optimization-workflow.md
@@ -1,25 +1,25 @@
 ---
-title: Delivery Optimization client-service communication explained
-manager: aaroncz
+title: Delivery Optimization client-service communication
 description: Details of how Delivery Optimization communicates with the server when content is requested to download.
 ms.prod: windows-client
-author: cmknox
-ms.localizationpriority: medium
-ms.author: carmenf
-ms.topic: article
 ms.technology: itpro-updates
-ms.date: 12/31/2017
-ms.collection: tier3
+ms.topic: conceptual
+author: cmknox
+ms.author: carmenf
+manager: aaroncz
 ms.reviewer: mstewart
+ms.collection: tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>	
+ms.date: 12/31/2017
 ---
 
 # Delivery Optimization client-service communication explained
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
+Delivery Optimization is a cloud-managed solution that uses peer-to-peer (P2P) and local caching to deliver software updates and apps to Windows clients across your network. This article describes details of how Delivery Optimization communicates with the server when content is requested to download.
 ## Download request workflow
 
 This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to verify the content and to determine all available locations to pull content from.
diff --git a/windows/deployment/do/mcc-ent-edu-overview.md b/windows/deployment/do/mcc-ent-edu-overview.md
index 566e605a7c..353a3d4dee 100644
--- a/windows/deployment/do/mcc-ent-edu-overview.md
+++ b/windows/deployment/do/mcc-ent-edu-overview.md
@@ -1,24 +1,23 @@
 ---
 title: MCC for Enterprise and Education Overview
-manager: aaroncz
-description: Overview of Microsoft Connected Cache (MCC) for Enterprise and Education.
+description: Overview, supported scenarios, and content types for Microsoft Connected Cache (MCC) for Enterprise and Education.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 ms.author: carmenf
 author: cmknox
-ms.topic: article
-ms.date: 05/09/2023
-ms.technology: itpro-updates
-ms.collection: tier3
+manager: aaroncz
 ms.reviewer: mstewart
+ms.collection: tier3
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>	
+ms.date: 05/09/2023
 ---
 
 # Microsoft Connected Cache for Enterprise and Education Overview
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > [!IMPORTANT]
 > - Microsoft Connected Cache is currently a preview feature. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
 > - We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md
index 1e998c0da5..1192eaf675 100644
--- a/windows/deployment/do/mcc-enterprise-appendix.md
+++ b/windows/deployment/do/mcc-enterprise-appendix.md
@@ -1,17 +1,21 @@
 ---
-title: Appendix
-manager: aaroncz
-description: Appendix on Microsoft Connected Cache (MCC) for Enterprise and Education.
+title: Appendix for MCC for Enterprise and Education
+description: This article contains reference information for Microsoft Connected Cache (MCC) for Enterprise and Education.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 ms.author: carmenf
 author: cmknox
+manager: aaroncz
 ms.reviewer: mstewart
-ms.topic: how-to
-ms.date: 12/31/2017
-ms.technology: itpro-updates
 ms.collection:
   - tier3
   - must-keep
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>
+ms.date: 02/06/2023
 ---
 
 # Appendix
diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md
index 53d2940cc1..10f5b9cddf 100644
--- a/windows/deployment/do/mcc-enterprise-deploy.md
+++ b/windows/deployment/do/mcc-enterprise-deploy.md
@@ -1,23 +1,24 @@
 ---
 title: Deploying your cache node
-manager: aaroncz
-description: How to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node
+description: How to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node from the Auzre portal.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
 ms.author: carmenf
 author: cmknox
 ms.reviewer: mstewart
-ms.topic: article
-ms.date: 12/31/2017
-ms.technology: itpro-updates
+manager: aaroncz
 ms.collection: tier3
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>	
+ms.date: 03/10/2023
 ---
 
-# Deploying your cache node
+# Deploy your cache node
 
-**Applies to**
-
-- Windows 10
-- Windows 11
+This article describes how to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node.
 
 ## Steps to deploy MCC
 
diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md
index dec45fd83c..2fa49f91cc 100644
--- a/windows/deployment/do/mcc-enterprise-prerequisites.md
+++ b/windows/deployment/do/mcc-enterprise-prerequisites.md
@@ -1,24 +1,23 @@
 ---
-title: Requirements for Microsoft Connected Cache (MCC) for Enterprise and Education
-manager: aaroncz
-description: Overview of requirements for Microsoft Connected Cache (MCC) for Enterprise and Education.
+title: Requirements for MCC for Enterprise and Education
+description: Overview of prerequisites and recommendations for using Microsoft Connected Cache (MCC) for Enterprise and Education.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 ms.author: carmenf
 author: cmknox
+manager: aaroncz
 ms.reviewer: mstewart
-ms.topic: article
-ms.date: 12/31/2017
-ms.technology: itpro-updates
 ms.collection: tier3
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>
+ms.date: 05/01/2023
 ---
 
 # Requirements of Microsoft Connected Cache for Enterprise and Education (early preview)
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > [!NOTE]
 > We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
 
diff --git a/windows/deployment/do/mcc-enterprise-update-uninstall.md b/windows/deployment/do/mcc-enterprise-update-uninstall.md
index 410155b347..207c2cf5fb 100644
--- a/windows/deployment/do/mcc-enterprise-update-uninstall.md
+++ b/windows/deployment/do/mcc-enterprise-update-uninstall.md
@@ -1,17 +1,21 @@
 ---
-title: Update or uninstall Microsoft Connected Cache for Enterprise and Education
-manager: aaroncz
-description: Details on updating or uninstalling Microsoft Connected Cache (MCC) for Enterprise and Education.
+title: Update or uninstall MCC for Enterprise and Education
+description: Details on how to update or uninstall Microsoft Connected Cache (MCC) for Enterprise and Education for your environment.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
 ms.author: carmenf
 author: cmknox
+manager: aaroncz
 ms.reviewer: mstewart
-ms.topic: how-to
-ms.date: 12/31/2017
-ms.technology: itpro-updates
 ms.collection:
   - tier3
   - must-keep
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a> 
+ms.date: 10/12/2022
 ---
 
 # Update or uninstall Microsoft Connected Cache for Enterprise and Education
diff --git a/windows/deployment/do/mcc-isp-cache-node-configuration.md b/windows/deployment/do/mcc-isp-cache-node-configuration.md
index a4d800235c..3a8b22508f 100644
--- a/windows/deployment/do/mcc-isp-cache-node-configuration.md
+++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md
@@ -1,17 +1,21 @@
 ---
-title: Cache node configuration
+title: Cache node configuration settings
 manager: aaroncz
-description: Configuring a cache node on Azure portal.
+description: List of options that are available while configuring a cache node for your environment from the Azure portal.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 ms.author: carmenf
 author: cmknox
 ms.reviewer: mstewart
-ms.topic: reference
-ms.date: 12/31/2017
-ms.technology: itpro-updates
 ms.collection:
   - tier3
   - must-keep
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
+ms.date: 08/16/2023
 ---
 
 # Cache node configuration
diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md
index d118693501..90165d9a23 100644
--- a/windows/deployment/do/mcc-isp-create-provision-deploy.md
+++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md
@@ -1,24 +1,23 @@
 ---
-title: Create, provision, and deploy the cache node in Azure portal
-manager: aaroncz
+title: Create, provision, and deploy the cache node
 description: Instructions for creating, provisioning, and deploying Microsoft Connected Cache for ISP on Azure portal
 ms.prod: windows-client
+ms.technology: itpro-updates
+manager: aaroncz
 author: nidos
 ms.author: nidos
-ms.topic: article
-ms.date: 05/09/2023
-ms.technology: itpro-updates
-ms.collection: tier3
 ms.reviewer: mstewart
+ms.topic: conceptual
+ms.collection: tier3
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a> 	
+ms.date: 05/09/2023
 ---
 
 # Create, configure, provision, and deploy the cache node in Azure portal
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 This article outlines how to create, provision, and deploy your Microsoft Connected Cache nodes. The creation and provisioning of your cache node takes place in Azure portal. The deployment of your cache node requires downloading an installer script that will be run on your cache server.
 
 > [!IMPORTANT]
diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml
index f04f2e3dc9..4d845ee97e 100644
--- a/windows/deployment/do/mcc-isp-faq.yml
+++ b/windows/deployment/do/mcc-isp-faq.yml
@@ -2,6 +2,9 @@
 metadata:
   title: Microsoft Connected Cache Frequently Asked Questions
   description: The following article is a list of frequently asked questions for Microsoft Connected Cache.
+  ms.prod: windows-client
+  ms.technology: itpro-updates
+  ms.topic: faq
   ms.author: carmenf
   author: cmknox
   ms.reviewer: mstewart
@@ -9,14 +12,13 @@ metadata:
   ms.collection:
     - highpri
     - tier3
-  ms.topic: faq
-  ms.date: 09/30/2022
-  ms.prod: windows-client
-  ms.technology: itpro-updates
+  appliesto: 
+    - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+    - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+  ms.date: 04/27/2023
 title: Microsoft Connected Cache Frequently Asked Questions
 summary: |
-  **Applies to**
-  -   Windows 10 and later
+  Frequently asked questions about Microsoft Connected Cache
   
 sections:
   - name: Ignored
diff --git a/windows/deployment/do/mcc-isp-overview.md b/windows/deployment/do/mcc-isp-overview.md
index 9c0aa7fd80..f299c32448 100644
--- a/windows/deployment/do/mcc-isp-overview.md
+++ b/windows/deployment/do/mcc-isp-overview.md
@@ -1,23 +1,22 @@
 ---
 title: MCC for ISPs Overview
-manager: aaroncz
-description: Overview for Microsoft Connected Cache for ISPs
+description: Overview of Microsoft Connected Cache for ISPs. Learn about how MCC works, supported scenarios, and supported content.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: overview
+manager: aaroncz
 ms.author: carmenf
 author: cmknox
 ms.reviewer: mstewart
-ms.topic: article
-ms.date: 07/27/2023
-ms.technology: itpro-updates
 ms.collection: tier3
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>	
+ms.date: 07/27/2023
 ---
 
-# Microsoft Connected Cache for ISPs Overview
-
-**Applies to**
-
-- Windows 10
-- Windows 11
+# Microsoft Connected Cache for ISPs overview
 
 Microsoft Connected Cache (MCC) for Internet Service Providers (preview) is a free software-only caching solution that delivers Microsoft content. MCC can be deployed free of charge to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing.
 
diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md
index 087a11d27f..c125b1e4e9 100644
--- a/windows/deployment/do/mcc-isp-signup.md
+++ b/windows/deployment/do/mcc-isp-signup.md
@@ -1,24 +1,23 @@
 ---
 title: Operator sign up and service onboarding
-manager: aaroncz
-description: Service onboarding for Microsoft Connected Cache for ISP
+description: Instructions on how to go through the service onboarding process for Microsoft Connected Cache for ISPs.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+manager: aaroncz
 author: nidos
 ms.author: nidos
-ms.topic: article
-ms.date: 12/31/2017
-ms.technology: itpro-updates
-ms.collection: tier3
 ms.reviewer: mstewart
+ms.collection: tier3
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>	
+ms.date: 07/07/2023
 ---
 
 # Operator sign up and service onboarding for Microsoft Connected Cache
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 This article details the process of signing up for Microsoft Connected Cache for Internet Service Providers (public preview). 
 
  > [!NOTE]
@@ -73,7 +72,7 @@ Before you begin sign up, ensure you have the following components:
     :::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png":::
 
     > [!NOTE]
-    > **Can't find the verification email in your inbox?** Check that the email under the NOC role is correct in [Peering DB](https://www.peeringdb.com/). Search for an email from the sender **microsoft-noreply@microsoft.com** with the email subject: "Here’s your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender **microsoft-noreply@microsoft.com**.
+    > **Can't find the verification email in your inbox?** Check that the email under the NOC role is correct in [Peering DB](https://www.peeringdb.com/). Search for an email from the sender **microsoft-noreply@microsoft.com** with the email subject: "Here's your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender **microsoft-noreply@microsoft.com**.
 
 1. Once verified, follow the instructions in [Create, provision, and deploy cache node](mcc-isp-create-provision-deploy.md) to create your cache node.
 
diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md
index dba3bbfc15..2916abf2ef 100644
--- a/windows/deployment/do/mcc-isp-support.md
+++ b/windows/deployment/do/mcc-isp-support.md
@@ -1,24 +1,23 @@
 ---
 title: Support and troubleshooting
-manager: aaroncz
-description: Troubleshooting issues for Microsoft Connected Cache for ISP
+description: Troubleshooting information for commonly encountered issues for onboarding or using Microsoft Connected Cache for ISPs.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 author: nidos
 ms.author: nidos
-ms.topic: reference
-ms.date: 12/31/2017
-ms.technology: itpro-updates
-ms.collection: tier3
+manager: aaroncz
 ms.reviewer: mstewart
+ms.collection: tier3
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>	
+ms.date: 12/31/2017
 ---
 
 # Support and troubleshooting
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 This article provides information on how to troubleshoot common issues with Microsoft Connected Cache for ISPs.
 
 ## Common issues
diff --git a/windows/deployment/do/mcc-isp-update.md b/windows/deployment/do/mcc-isp-update.md
index 5a3dcbd4fb..bd9f199feb 100644
--- a/windows/deployment/do/mcc-isp-update.md
+++ b/windows/deployment/do/mcc-isp-update.md
@@ -1,17 +1,21 @@
 ---
 title: Update or uninstall your cache node
-manager: aaroncz
-description: How to update or uninstall your cache node
+description: This article contains information on how to update or uninstall your cache node for Microsoft Connected Cache for ISPs.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
 ms.author: carmenf
 author: cmknox
+manager: aaroncz
 ms.reviewer: mstewart
-ms.topic: how-to
-ms.date: 12/31/2017
-ms.technology: itpro-updates
 ms.collection:
   - tier3
   - must-keep
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>	
+ms.date: 10/10/2022
 ---
 
 # Update or uninstall your cache node
diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md
index 9dc6e22466..eb3063a44f 100644
--- a/windows/deployment/do/mcc-isp-verify-cache-node.md
+++ b/windows/deployment/do/mcc-isp-verify-cache-node.md
@@ -1,15 +1,18 @@
 ---
-title: Verify cache node functionality and monitor health and performance
-manager: aaroncz
-description: How to verify the functionality of a cache node
+title: Verify cache node functionality and monitor health
+titleSuffix: Microsoft Connected Cache for ISPs
+description: How to verify the functionality of a cache node, monitor health and performance, and review metrics.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
 ms.author: carmenf
 author: cmknox
+manager: aaroncz
 ms.reviewer: mstewart
-ms.topic: article
-ms.date: 12/31/2017
-ms.technology: itpro-updates
 ms.collection: tier3
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/mcc-isp target=_blank>Microsoft Connected Cache for ISPs</a>
+ms.date: 02/09/2023
 ---
 
 # Verify cache node functionality and monitor health and performance
diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md
index 7d3b9de1cc..18b1bb8b73 100644
--- a/windows/deployment/do/mcc-isp-vm-performance.md
+++ b/windows/deployment/do/mcc-isp-vm-performance.md
@@ -1,15 +1,18 @@
 ---
 title: Enhancing cache performance
-manager: aaroncz
-description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs
+titleSuffix: Microsoft Connected Cache for ISPs
+description: This article explains how to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 ms.author: carmenf
 author: cmknox
+manager: aaroncz
 ms.reviewer: mstewart
-ms.topic: reference
-ms.technology: itpro-updates
-ms.date: 12/31/2017
 ms.collection: tier3
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/mcc-isp target=_blank>Microsoft Connected Cache for ISPs</a>
+ms.date: 12/31/2017
 ---
 
 # Enhancing cache performance
diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md
index 097b922aa9..a8cdcfc4e1 100644
--- a/windows/deployment/do/mcc-isp.md
+++ b/windows/deployment/do/mcc-isp.md
@@ -1,30 +1,29 @@
 ---
-title: Microsoft Connected Cache for Internet Service Providers (ISPs)
-description: Details on Microsoft Connected Cache (MCC) for Internet Service Providers (ISPs).
+title: Microsoft Connected Cache for ISPs
+description: This article contains details about the early preview for Microsoft Connected Cache (MCC) for Internet Service Providers (ISPs).
 ms.prod: windows-client
 ms.technology: itpro-updates
-ms.localizationpriority: medium
+ms.topic: how-to
 ms.author: carmenf
 author: cmknox
 ms.reviewer: mstewart
 manager: aaroncz
-ms.topic: how-to
-ms.date: 05/20/2022
+ms.localizationpriority: medium
 ms.collection: tier3
+ms.date: 03/07/2023
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ Microsoft Connected Cache for ISPs (early preview)
 ---
 
 # Microsoft Connected Cache for Internet Service Providers (early preview)
 
-*Applies to*
-
-- Windows 10
-- Windows 11
-
-## Overview
-
 > [!IMPORTANT]
 > This document is for Microsoft Connected Cache (early preview). Microsoft Connected Cache for ISPs is now in Public Preview - for our early preview customers, we highly encourage you to migrate your cache nodes to our public preview. See [instructions on how to migrate](#migrating-your-mcc-to-public-preview) below.
 
+## Overview
+
 Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within operator networks. MCC can be deployed to as many physical servers or VMs as needed and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads.
 
 Microsoft Connected Cache is a hybrid application, in that it's a mix of on-premises and cloud resources. It's composed of a Docker-compatible Linux container deployed to your server and a cloud management portal. Microsoft chose Azure IoT Edge as a secure and reliable control plane. For more information on IoT Edge, see the [Appendix](#appendix). Even though your scenario isn't related to IoT, Azure IoT Edge is our secure Linux container deployment and management infrastructure.
diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml
index d306d123f9..92ff9cd2d4 100644
--- a/windows/deployment/do/waas-delivery-optimization-faq.yml
+++ b/windows/deployment/do/waas-delivery-optimization-faq.yml
@@ -2,21 +2,24 @@
 metadata:
   title: Delivery Optimization Frequently Asked Questions
   description: List of frequently asked questions for Delivery Optimization.
-  ms.reviewer: mstewart
   ms.prod: windows-client
+  ms.technology: itpro-updates
+  ms.topic: faq
   author: cmknox
   ms.author: carmenf
   manager: aaroncz
-  ms.technology: itpro-updates
+  ms.reviewer: mstewart
   ms.collection:
     - highpri
     - tier3
-  ms.topic: faq
+  appliesto: 
+    - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+    - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+    - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>	
   ms.date: 07/31/2023
 title: Delivery Optimization Frequently Asked Questions
 summary: |
-  **Applies to**
-  -   Windows 10 and later
+  Frequently Asked Questions for Delivery Optimization
   
 
 sections:
@@ -48,7 +51,6 @@ sections:
 
           **For the payloads (optional)**:
 
-          - `*.download.windowsupdate.com`
           - `*.windowsupdate.com`
 
           **For group peers across multiple NATs (Teredo)**:
diff --git a/windows/deployment/do/waas-delivery-optimization-monitor.md b/windows/deployment/do/waas-delivery-optimization-monitor.md
index 2a44035bf3..512f9d41b7 100644
--- a/windows/deployment/do/waas-delivery-optimization-monitor.md
+++ b/windows/deployment/do/waas-delivery-optimization-monitor.md
@@ -1,17 +1,21 @@
 ---
-manager: aaroncz
 title: Monitor Delivery Optimization
-description: How to monitor Delivery Optimization
-ms.collection:
-  - tier3
+description: How to monitor Delivery Optimization using either the Windows Update for Business Delivery Optimization Report or Windows PowerShell cmdlets
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: reference
-ms.date: 08/13/2023
-ms.localizationpriority: medium
 ms.author: carmenf
 author: cmknox
+manager: aaroncz
 ms.reviewer: mstewart
+ms.collection:
+  - tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
+ms.date: 08/13/2023
 ---
 
 # Monitor Delivery Optimization
diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md
index 2735892b16..2c3a28d13e 100644
--- a/windows/deployment/do/waas-delivery-optimization-reference.md
+++ b/windows/deployment/do/waas-delivery-optimization-reference.md
@@ -1,26 +1,25 @@
 ---
 title: Delivery Optimization reference
-manager: aaroncz
 description: This article provides a summary of references and descriptions for all of the Delivery Optimization settings.
 ms.prod: windows-client
-author: cmknox
-ms.localizationpriority: medium
-ms.author: carmenf
-ms.topic: reference
 ms.technology: itpro-updates
-ms.date: 07/31/2023
-ms.collection: tier3
+ms.topic: reference
+author: cmknox
+ms.author: carmenf
+manager: aaroncz
 ms.reviewer: mstewart
+ms.collection: tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
+ms.date: 07/31/2023
 ---
 
 # Delivery Optimization reference
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678).
+> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the main spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678).
 
 There are many configuration options you can set in Delivery Optimization to customize the content delivery experience specific to your environment needs. This article summarizes those configurations for your reference. If you just need an overview of Delivery Optimization, see [What is Delivery Optimization](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows](waas-delivery-optimization-setup.md).
 
@@ -35,9 +34,9 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
 
 | Group Policy setting | MDM setting | Supported from version | Notes |
 | --- | --- | --- | ------- |
-| [Download mode](#download-mode) | DODownloadMode | 1511 | Default is set to LAN(1). The Group [Download mode](#download-mode) (2) combined with [Group ID](#group-id), enables administrators to create custom device groups that will share content between devices in the group.|
-| [Group ID](#group-id)  | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When GroupID or GroupIDSource policies aren't set, the GroupID is defined as the AD Site (1), Authenticated domain SID (2) or Azure AD Tenant ID (5), in that order.  |
-| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When the GroupID or GroupIDSource policies aren't set, the Group is defined as the AD Site (1), Authenticated domain SID (2) or Azure AD Tenant ID (5), in that order. |
+| [Download mode](#download-mode) | DODownloadMode | 1511 | Default is set to LAN(1). The Group [Download mode](#download-mode) (2) combined with [Group ID](#group-id), enables administrators to create custom device groups that share content between devices in the group.|
+| [Group ID](#group-id)  | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When GroupID or GroupIDSource policies aren't set, the GroupID is defined as the AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order.  |
+| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When the GroupID or GroupIDSource policies aren't set, the Group is defined as the AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. |
 | [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, a new option to use 'Local discovery (DNS-SD)' is available to set via this policy. |
 | [Minimum RAM (inclusive) allowed to use peer caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | Default value is 4 GB. |
 | [Minimum disk size allowed to use peer caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | Default value is 32 GB. |
@@ -49,6 +48,8 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
 | [Monthly upload data cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | Default value is 20 GB. |
 | [Minimum background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | Recommend setting this to 500 KB/s. Default value is 2500 KB/s. |
 | [Enable peer caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | Default is to not allow peering while on VPN. |
+| [VPN Keywords](#vpn-keywords) | DOVpnKeywords | 22H2 September Moment | Allows you to set one or more keywords used to recognize VPN connections. |
+| [Disallow Cache Server Downloads from VPN](#disallow-cache-server-downloads-on-vpn) | DODisallowCacheServerDownloadsOnVPN | 22H2 September Moment | Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected via VPN. |
 | [Allow uploads while the device is on battery while under set battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | Default is to not allow peering while on battery.  |
 | [Maximum foreground download bandwidth (percentage)](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | Default is '0' which will dynamically adjust. |
 | [Maximum background download bandwidth (percentage)](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | Default is '0' which will dynamically adjust. |
@@ -134,7 +135,7 @@ Download mode dictates which download sources clients are allowed to use when do
 | Bypass (100) | Starting in Windows 11, this option is deprecated. Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. If you want to disable peer-to-peer functionality, set DownloadMode to (0). If your device doesn't have internet access, set Download Mode to (99). When you set Bypass (100), the download bypasses Delivery Optimization and uses BITS instead. You don't need to set this option if you're using Configuration Manager. |
 
 > [!NOTE]
-> When you use Azure Active Directory tenant, AD Site, or AD Domain as the source of group IDs, the association of devices participating in the group should not be relied on for an authentication of identity of those devices.
+> When you use Microsoft Entra tenant, AD Site, or AD Domain as the source of group IDs, the association of devices participating in the group should not be relied on for an authentication of identity of those devices.
 
 ### Group ID
 
@@ -158,9 +159,9 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection
 - 2 = Authenticated domain SID
 - 3 = DHCP Option ID (with this option, the client queries DHCP Option ID 234 and use the returned GUID value as the Group ID)
 - 4 = DNS Suffix
-- 5 = Starting with Windows 10, version 1903, you can use the Azure AD Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
+- 5 = Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
 
-When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy is ignored. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Azure AD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.  
+When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy is ignored. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.  
 
 ### Minimum RAM (inclusive) allowed to use Peer Caching  
 
@@ -175,19 +176,19 @@ MDM Setting: **DOMinDiskSizeAllowedToPeer**
 This setting specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The recommended values are 64 to 256, and **the default value is 32 GB**.
 
 >[!NOTE]
->If the [Modify Cache Drive](#modify-cache-drive) policy is set, the disk size check will apply to the new working directory specified by this policy.
+>If the [Modify Cache Drive](#modify-cache-drive) policy is set, the disk size check applies to the new working directory specified by this policy.
 
 ### Max Cache Age
 
 MDM Setting: **DOMaxCacheAge**
 
-In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers redownloading content. When "Unlimited" value is set, Delivery Optimization holds the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed). **The default value is 259,200 seconds (three days)**.
+In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers redownloading content. When "Unlimited" value is set, Delivery Optimization holds the files in the cache longer and cleans up the cache as needed (for example when the cache size exceeded the maximum space allowed). **The default value is 259,200 seconds (three days)**.
 
 ### Max Cache Size
 
 MDM Setting: **DOMaxCacheSize**
 
-This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization uses up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20%**.
+This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization uses up to 10 GB of that space. Delivery Optimization constantly assesses the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20%**.
 
 ### Absolute Max Cache Size
 
@@ -206,7 +207,7 @@ This setting specifies the minimum content file size in MB enabled to use Peer C
 MDM Setting: **DOMaxUploadBandwidth**
 
 Deprecated in Windows 10, version 2004.
-This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). **A default value of "0"** means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
+This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). **A default value of "0"** means that Delivery Optimization dynamically adjusts and optimize the maximum bandwidth used.
 
 
 ### Maximum Foreground Download Bandwidth
@@ -256,7 +257,7 @@ MDM Setting: **DORestrictPeerSelectionBy**
 
 Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11, the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there's no peering between subnets.
 
-If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID).
+If Group mode is set, Delivery Optimization connects to locally discovered peers that are also part of the same Group (have the same Group ID).
 
 The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**.
 
@@ -302,12 +303,24 @@ MDM Setting: **DOMonthlyUploadDataCap**
 
 This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of "0" means that an unlimited amount of data can be uploaded. **The default value for this setting is 20 GB.**
 
-### Enable Peer Caching while the device connects via VPN
+### Enable peer caching while the device connects via VPN
 
 MDM Setting: **DOAllowVPNPeerCaching**
 
 This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. **By default, if a VPN connection is detected, peering isn't allowed, except when the 'Local Discovery' (DNS-SD) option is chosen.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
 
+### VPN Keywords
+
+MDM Setting: **DOVpnKeywords**
+
+This policy allows you to set one or more comma-separated keywords used to recognize VPN connections. **By default, this policy is not set so if a VPN is detected, the device will not use peering.** Delivery Optimization automatically detects a VPN connection by looking at the network adapter's 'Description' and 'FriendlyName' strings using the default keyword list including: “VPN”, “Secure”, and “Virtual Private Network” (ex: “MSFTVPN” matches the “VPN” keyword). As the number of VPNs grow it’s difficult to support an ever-changing list of VPN names. To address this, we’ve introduced this new setting to set unique VPN names to meet the needs of individual environments.
+
+### Disallow cache server downloads on VPN
+
+MDM Setting: **DODisallowCacheServerDownloadsOnVPN**
+
+This policy disallows downloads from Connected Cache servers when the device connects via VPN. **By default, the device is allowed to download from Connected Cache when connected via VPN.** Set this policy if you prefer devices to download directly from the Internet when connected remotely (via VPN) instead of pulling from a Microsoft Connected Cache server deployed on your corporate network.
+
 ### Allow uploads while the device is on battery while under set Battery level
 
 MDM Setting: **DOMinBatteryPercentageAllowedToUpload**
diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md
index 61df7a10d6..40c469034e 100644
--- a/windows/deployment/do/waas-delivery-optimization-setup.md
+++ b/windows/deployment/do/waas-delivery-optimization-setup.md
@@ -1,25 +1,24 @@
 ---
 title: Set up Delivery Optimization
-description: In this article, learn how to set up Delivery Optimization.
+description: In this article, learn how to set up Delivery Optimization for use by Windows clients in your organization.
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
 author: cmknox
 ms.author: carmenf
 ms.reviewer: mstewart
 manager: aaroncz
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.localizationpriority: medium
-ms.topic: how-to
-ms.date: 12/19/2022
 ms.collection: tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
+ms.date: 08/15/2023
 ---
 
 # Set up Delivery Optimization for Windows
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
 
 ## Set up Delivery Optimization
@@ -30,7 +29,7 @@ You find the Delivery Optimization settings in Group Policy under **Computer Con
 
 Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/mem/intune/configuration/delivery-optimization-windows).
 
-**Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To set the value for [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) to its new maximum value of 5.
+**Starting with Windows 10, version 1903**, you can use the Microsoft Entra tenant ID as a means to define groups. To set the value for [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) to its new maximum value of 5.
 
 ## Allow service endpoints
 
@@ -67,7 +66,7 @@ Quick-reference table:
 
 ### Hybrid WAN scenario
 
-For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group, when the GroupID or GroupIDSource policies aren't set, is the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider other options for dynamically creating groups, for example by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) policy.
+For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group, when the GroupID or GroupIDSource policies aren't set, is the AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider other options for dynamically creating groups, for example by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) policy.
 
 In Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
 
diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md
index 14d8a8a7d9..010894a61d 100644
--- a/windows/deployment/do/waas-delivery-optimization.md
+++ b/windows/deployment/do/waas-delivery-optimization.md
@@ -3,25 +3,23 @@ title: What is Delivery Optimization?
 description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11.
 ms.prod: windows-client
 ms.technology: itpro-updates
-ms.localizationpriority: medium
+ms.topic: overview
 author: cmknox
 ms.author: carmenf
 manager: aaroncz
+ms.reviewer: mstewart
 ms.collection:
   - tier3
   - highpri
-ms.topic: overview
-ms.date: 12/31/2017
-ms.reviewer: mstewart
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
+ms.date: 06/02/2023
 ---
 
 # What is Delivery Optimization?
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678).
 
 Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. Delivery Optimization is a reliable HTTP downloader with a cloud-managed solution that allows Windows devices to download those packages from alternate sources if desired (such as other devices on the network and/or a dedicated cache server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment however, the use of peer-to-peer is optional.
@@ -64,6 +62,7 @@ The following table lists the minimum Windows 10 version that supports Delivery
 | Xbox Game Pass (PC) | Windows 10 1809, Windows 11 | :heavy_check_mark: |  | :heavy_check_mark: |
 | Windows Package Manager| Windows 10 1809, Windows 11 | :heavy_check_mark: |  |  |
 | MSIX Installer| Windows 10 2004, Windows 11 | :heavy_check_mark: |  |  |
+| Teams (via MSIX Installer) | Windows 10 2004, Windows 11 | :heavy_check_mark: |  |  |
 
 #### Windows Server
 
diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md
index 398ef9a635..e3c42165c0 100644
--- a/windows/deployment/do/waas-microsoft-connected-cache.md
+++ b/windows/deployment/do/waas-microsoft-connected-cache.md
@@ -1,25 +1,23 @@
 ---
 title: Microsoft Connected Cache overview
-manager: aaroncz
 description: This article provides information about Microsoft Connected Cache (MCC), a software-only caching solution.
 ms.prod: windows-client
-author: cmknox
-ms.localizationpriority: medium
-ms.author: carmenf
-ms.topic: article
 ms.technology: itpro-updates
-ms.date: 05/09/2023
-ms.collection: tier3
+ms.topic: overview
+author: cmknox
+ms.author: carmenf
+manager: aaroncz
 ms.reviewer: mstewart
+ms.collection: tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+ms.date: 06/02/2023
 ---
 
 # What is Microsoft Connected Cache?
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > [!IMPORTANT]
 > Microsoft Connected Cache is currently a preview feature. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
 
diff --git a/windows/deployment/do/waas-optimize-windows-10-updates.md b/windows/deployment/do/waas-optimize-windows-10-updates.md
index e8fa21b8c3..7f07d6a15f 100644
--- a/windows/deployment/do/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/do/waas-optimize-windows-10-updates.md
@@ -1,25 +1,23 @@
 ---
 title: Optimize Windows update delivery
-description: Two methods of peer-to-peer content distribution are available, Delivery Optimization and BranchCache.
+description: Learn about the two methods of peer-to-peer content distribution that are available, Delivery Optimization and BranchCache.
 ms.prod: windows-client
-ms.localizationpriority: medium
+ms.topic: conceptual
+ms.technology: itpro-updates
 ms.author: carmenf
 author: cmknox
 ms.reviewer: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
-ms.date: 12/31/2017
 ms.collection: tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+ms.date: 02/14/2023
 ---
 
 # Optimize Windows update delivery
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
 
 When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows client offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows client.
@@ -41,8 +39,8 @@ Two methods of peer-to-peer content distribution are available.
 
 | Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager |
 | --- | --- | --- | --- | --- |
-| Delivery Optimization | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
-| BranchCache | ![no.](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
+| Delivery Optimization | Yes | Yes | Yes | Yes |
+| BranchCache | No | No |Yes | Yes |
 
 > [!NOTE]
 > Microsoft Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](/configmgr/core/plan-design/hierarchy/client-peer-cache).
@@ -92,9 +90,9 @@ At this point, the download is complete and the update is ready to be installed.
 
 |&nbsp; |&nbsp; |
 | --- | --- |
-| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](../update/waas-overview.md) |
-| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows client updates](../update/waas-servicing-strategy-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Build deployment rings for Windows client updates](../update/waas-deployment-rings-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Assign devices to servicing channels for Windows client updates](../update/waas-servicing-channels-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | Optimize update delivery for Windows 10 updates (this article) |
-| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](../update/waas-manage-updates-wufb.md)<br/>or [Deploy Windows client updates using Windows Server Update Services](../update/waas-manage-updates-wsus.md)<br/>or [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+| ✅| [Learn about updates and servicing channels](../update/waas-overview.md) |
+| ✅ | [Prepare servicing strategy for Windows client updates](../update/waas-servicing-strategy-windows-10-updates.md) |
+| ✅ | [Build deployment rings for Windows client updates](../update/waas-deployment-rings-windows-10-updates.md) |
+| ✅| [Assign devices to servicing channels for Windows client updates](../update/waas-servicing-channels-windows-10-updates.md) |
+| ✅ | Optimize update delivery for Windows 10 updates (this article) |
+|  | [Deploy updates using Windows Update for Business](../update/waas-manage-updates-wufb.md)<br/>or [Deploy Windows client updates using Windows Server Update Services](../update/waas-manage-updates-wsus.md)<br/>or [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md
index 6236a48963..7c18691ae6 100644
--- a/windows/deployment/do/whats-new-do.md
+++ b/windows/deployment/do/whats-new-do.md
@@ -1,25 +1,24 @@
 ---
 title: What's new in Delivery Optimization
-manager: aaroncz
 description: What's new in Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11.
 ms.prod: windows-client
-author: cmknox
-ms.localizationpriority: medium
-ms.author: carmenf
-ms.topic: article
 ms.technology: itpro-updates
-ms.date: 12/31/2017
-ms.collection: tier3
+ms.topic: conceptual
+author: cmknox
+ms.author: carmenf
+manager: aaroncz
 ms.reviewer: mstewart
+ms.collection: tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+ms.date: 06/02/2023
 ---
 
 # What's new in Delivery Optimization
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
+This article contains information about what's new in Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11.
 ## Microsoft Connected Cache (early preview)
 
 Microsoft Connected Cache (MCC) is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
@@ -33,10 +32,12 @@ There are two different versions:
 
 ## New in Delivery Optimization for Windows
 
-- Delivery Optimization introduced support for receiver side ledbat (rLedbat) in Windows 11 22H2.
+### Windows 11 22H2
 
-- New peer selection options: Currently the available options include: 0 = None, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization connects to locally discovered peers that are also part of the same Group (have the same Group ID)."
-- Local Peer Discovery: a new option for **[Restrict Peer Selection By](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection)** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization restricts peer selection to peers that are locally discovered (using DNS-SD). If Group mode is enabled, Delivery Optimization connects to locally discovered peers that are also part of the same group, for those devices with the same Group ID).
+- New setting: Customize vpn detection by choosing custom keywords. Now, you don't have to rely on Delivery Optimization keywords to detect your Vpn. By using the new VpnKeywords configuration you can add keywords for Delivery Optimization to use when detecting a Vpn when in use. You can find this configuration **[VPN Keywords](waas-delivery-optimization-reference.md#vpn-keywords)** in Group Policy or MDM under **DOVpnKeywords**.
+- New setting: Use the disallow downloads from a connected cache server, when a Vpn is detected and you want to prevent the download from the connected cache server. You can find this configuration **[Disallow download from MCC over VPN](waas-delivery-optimization-reference.md#disallow-cache-server-downloads-on-vpn) in Group Policy or MDM under **DODisallowCacheServerDownloadsOnVPN**.
+- Delivery Optimization introduced support for receiver side ledbat (rLedbat).
+- New setting: Local Peer Discovery, a new option for **[Restrict Peer Selection By](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection)** in Group Policy or MDM **DORestrictPeerSelectionBy**. This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization restricts peer selection to peers that are locally discovered (using DNS-SD). If Group mode is enabled, Delivery Optimization connects to locally discovered peers that are also part of the same group, for those devices with the same Group ID).Currently the available options include: 0 = None, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2).
 
 > [!NOTE]
 > The Local Peer Discovery (DNS-SD, [RFC 6763](https://datatracker.ietf.org/doc/html/rfc6763)) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**. For more information, see [Delivery Optimization reference](waas-delivery-optimization-reference.md).
diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json
index d718ec36aa..c9f6a5f653 100644
--- a/windows/deployment/docfx.json
+++ b/windows/deployment/docfx.json
@@ -58,7 +58,10 @@
         "jborsecnik",
         "tiburd",
         "garycentric",
-        "beccarobins"
+        "beccarobins",
+        "Stacyrch140",
+        "v-stsavell",
+        "American-Dipper"
       ],
       "searchScope": ["Windows 10"]
     },
diff --git a/windows/deployment/images/volumeactivationforwindows81-04.jpg b/windows/deployment/images/volumeactivationforwindows81-04.jpg
deleted file mode 100644
index d5b572f1aa..0000000000
Binary files a/windows/deployment/images/volumeactivationforwindows81-04.jpg and /dev/null differ
diff --git a/windows/deployment/images/volumeactivationforwindows81-05.jpg b/windows/deployment/images/volumeactivationforwindows81-05.jpg
deleted file mode 100644
index a4bd9776ac..0000000000
Binary files a/windows/deployment/images/volumeactivationforwindows81-05.jpg and /dev/null differ
diff --git a/windows/deployment/images/volumeactivationforwindows81-06.jpg b/windows/deployment/images/volumeactivationforwindows81-06.jpg
deleted file mode 100644
index c29a628b05..0000000000
Binary files a/windows/deployment/images/volumeactivationforwindows81-06.jpg and /dev/null differ
diff --git a/windows/deployment/images/volumeactivationforwindows81-07.jpg b/windows/deployment/images/volumeactivationforwindows81-07.jpg
deleted file mode 100644
index 346cbaa5c1..0000000000
Binary files a/windows/deployment/images/volumeactivationforwindows81-07.jpg and /dev/null differ
diff --git a/windows/deployment/images/volumeactivationforwindows81-08.jpg b/windows/deployment/images/volumeactivationforwindows81-08.jpg
deleted file mode 100644
index eff421d6bb..0000000000
Binary files a/windows/deployment/images/volumeactivationforwindows81-08.jpg and /dev/null differ
diff --git a/windows/deployment/images/volumeactivationforwindows81-09.jpg b/windows/deployment/images/volumeactivationforwindows81-09.jpg
deleted file mode 100644
index 1e3cf9c0d8..0000000000
Binary files a/windows/deployment/images/volumeactivationforwindows81-09.jpg and /dev/null differ
diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md
index 2a900b672d..b3911601ff 100644
--- a/windows/deployment/planning/windows-10-deployment-considerations.md
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md
@@ -23,7 +23,7 @@ For many years, organizations have deployed new versions of Windows using a "wip
 
 Windows 10 also introduces two additional scenarios that organizations should consider:
 
--   **In-place upgrade**, which provides a simple, automated process that leverages the Windows setup process to automatically upgrade from an earlier version of Windows. This process automatically migrates existing data, settings, drivers, and applications.
+-   **In-place upgrade**, which provides a simple, automated process that uses the Windows setup process to automatically upgrade from an earlier version of Windows. This process automatically migrates existing data, settings, drivers, and applications.
 
 -   **Dynamic provisioning**, which enables organizations to configure new Windows 10 devices for organization use without having to deploy a new custom organization image to the device.
 
@@ -33,8 +33,8 @@ Windows 10 also introduces two additional scenarios that organizations should co
 
 | Consider ... | For these scenarios  |
 |---|---|
-| In-place upgrade  | - When you want to keep all (or at least most) existing applications<br/>- When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)<br/>- To migrate from Windows 10 to a later Windows 10 release |
-| Traditional wipe-and-load | - When you upgrade significant numbers of applications along with the new Windows OS<br/>- When you make significant device or operating system configuration changes<br/>- When you "start clean". For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs<br/>- When you migrate from Windows Vista or other previous operating system versions |
+| In-place upgrade  | - When you want to keep all (or at least most) existing applications<br/>- When you don't plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)<br/>- To migrate from Windows 10 to a later Windows 10 release |
+| Traditional wipe-and-load | - When you upgrade significant numbers of applications along with the new Windows OS<br/>- When you make significant device or operating system configuration changes<br/>- When you "start clean". For example, scenarios where it isn't necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs<br/>- When you migrate from Windows Vista or other previous operating system versions |
 | Dynamic provisioning | - For new devices, especially in "choose your own device" scenarios when simple configuration (not reimaging) is all that is required. <br/>- When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps |
 
 ## Migration from previous Windows versions
@@ -45,19 +45,19 @@ The original Windows 8 release was only supported until January 2016. For device
 
 For PCs running operating systems older than Windows 7, you can perform wipe-and-load (OS refresh) deployments when you use compatible hardware.
 
-For organizations with Software Assurance for Windows, both in-place upgrade or wipe-and-load can be leveraged (with in-place upgrade being the preferred method, as previously discussed).
+For organizations with Software Assurance for Windows, both in-place upgrade or wipe-and-load can be used (with in-place upgrade being the preferred method, as previously discussed).
 
-For organizations that did not take advantage of the free upgrade offer and are not enrolled in Software Assurance for Windows, Windows 10 upgrade licenses are available for purchase through existing Volume License (VL) agreements.
+For organizations that didn't take advantage of the free upgrade offer and aren't enrolled in Software Assurance for Windows, Windows 10 upgrade licenses are available for purchase through existing Volume License (VL) agreements.
 
 ## Setting up new computers
 
-For new computers acquired with Windows 10 preinstalled, you can leverage dynamic provisioning scenarios to transform the device from its initial state into a fully-configured organization PC. There are two primary dynamic provisioning scenarios you can use:
+For new computers acquired with Windows 10 preinstalled, you can use dynamic provisioning scenarios to transform the device from its initial state into a fully configured organization PC. There are two primary dynamic provisioning scenarios you can use:
 
--   **User-driven, from the cloud.** By joining a device into Azure Active Directory and leveraging the automatic mobile device management (MDM) provisioning capabilities at the same time, an end user can initiate the provisioning process themselves just by entering the Azure Active Directory account and password (called their "work or school account" within Windows 10). The MDM service can then transform the device into a fully-configured organization PC. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
+-   **User-driven, from the cloud.** By joining a device into Microsoft Entra ID and leveraging the automatic mobile device management (MDM) provisioning capabilities at the same time, an end user can initiate the provisioning process themselves just by entering the Microsoft Entra account and password (called their "work or school account" within Windows 10). The MDM service can then transform the device into a fully configured organization PC. For more information, see [Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
 
--   **IT admin-driven, using new tools.** Using the new Windows Imaging and Configuration Designer (ICD) tool, IT administrators can create provisioning packages that can be applied to a computer to transform it into a fully-configured organization PC. For more information, see [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
+-   **IT admin-driven, using new tools.** Using the new Windows Imaging and Configuration Designer (ICD) tool, IT administrators can create provisioning packages that can be applied to a computer to transform it into a fully configured organization PC. For more information, see [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
 
-In either of these scenarios, you can make a variety of configuration changes to the PC:
+In either of these scenarios, you can make various configuration changes to the PC:
 
 -   Transform the edition (SKU) of Windows 10 that is in use.
 -   Apply configuration and settings to the device (for example, security settings, device restrictions, policies, Wi-Fi and VPN profiles, certificates, and so on).
@@ -66,18 +66,18 @@ In either of these scenarios, you can make a variety of configuration changes to
 
 ## Stay up to date
 
-For computers using the [General Availability Channel](../update/waas-overview.md#general-availability-channel), you can deploy these upgrades by using a variety of methods:
+For computers using the [General Availability Channel](../update/waas-overview.md#general-availability-channel), you can deploy these upgrades by using various methods:
 
 -   Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet.
--   Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they are approved (deploying like an update). 
+-   Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they're approved (deploying like an update). 
 -   Configuration Manager task sequences.
 -   Configuration Manager software update capabilities (deploying like an update).
 
-These upgrades (which are installed differently than monthly updates) leverage an in-place upgrade process. Unlike updates, which are relatively small, these upgrades will include a full operating system image (around 3 GB for 64-bit operating systems), which requires time (1-2 hours) and disk space (approximately 10 GB) to complete. Ensure that the deployment method you use can support the required network bandwidth and/or disk space requirements.
+These upgrades (which are installed differently than monthly updates) use an in-place upgrade process. Unlike updates, which are relatively small, these upgrades include a full operating system image (around 3 GB for 64-bit operating systems), which requires time (1-2 hours) and disk space (approximately 10 GB) to complete. Ensure that the deployment method you use can support the required network bandwidth and/or disk space requirements.
 
 The upgrade process is also optimized to reduce the overall time and network bandwidth consumed.
 
-## Related topics
+## Related articles
 
 [Windows 10 compatibility](windows-10-compatibility.md)<br>
-[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
\ No newline at end of file
+[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index d20d9c067f..f49339b0fd 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -37,7 +37,7 @@ Save your files to your favorite cloud, like OneDrive or Dropbox, and access the
 
 Windows in S mode is built for [modern management](/windows/client-management/manage-windows-10-in-your-organization-modern-management), which means using [Windows Autopilot](/mem/autopilot/windows-autopilot) for deployment, and a Mobile Device Management (MDM) solution for management, like Microsoft Intune.
 
-Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic device that can only be used to join the company Azure AD tenant or Active Directory domain. Policies are then deployed automatically through MDM, to customize the device to the user and the desired environment.
+Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic device that can only be used to join the company Microsoft Entra tenant or Active Directory domain. Policies are then deployed automatically through MDM, to customize the device to the user and the desired environment.
 
 For the devices that are shipped in S mode, you can either keep them in S mode, use Windows Autopilot to switch them out of S mode during the first run process, or later using MDM, if desired.
 
diff --git a/windows/deployment/update/deployment-service-drivers.md b/windows/deployment/update/deployment-service-drivers.md
index 39d270bf63..4373f59f58 100644
--- a/windows/deployment/update/deployment-service-drivers.md
+++ b/windows/deployment/update/deployment-service-drivers.md
@@ -187,7 +187,7 @@ content-type: application/json
 Once Windows Update for Business deployment service has scan results from devices, the applicability for driver and firmware updates can be displayed for a deployment audience. Each applicable update returns the following information:
 
 - An `id` for its [catalog entry](/graph/api/resources/windowsupdates-catalogentry)
-- The **Azure AD ID** of the devices it's applicable to
+- The **Microsoft Entra ID** of the devices it's applicable to
 - Information describing the update such as the name and version.
 
 To display [applicable content](/graph/api/resources/windowsupdates-applicablecontent), run a query using the  **Audience ID**, for example `d39ad1ce-0123-4567-89ab-cdef01234567`:  
@@ -197,7 +197,7 @@ GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d
 ```
 
 The following truncated response displays:
-  - An **Azure AD ID** of `01234567-89ab-cdef-0123-456789abcdef`
+  - An **Microsoft Entra ID** of `01234567-89ab-cdef-0123-456789abcdef`
   - The **Catalog ID** of `5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c`  
 
       ```json
@@ -337,4 +337,4 @@ GET https://graph.microsoft.com/beta/admin/windows/updates/deployments?orderby=c
 ## Policy considerations for drivers
 
 <!--Using include for Policy considerations for drivers-->
-[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)]
\ No newline at end of file
+[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)]
diff --git a/windows/deployment/update/deployment-service-expedited-updates.md b/windows/deployment/update/deployment-service-expedited-updates.md
index a7e5e6a58f..9279a5e9d4 100644
--- a/windows/deployment/update/deployment-service-expedited-updates.md
+++ b/windows/deployment/update/deployment-service-expedited-updates.md
@@ -256,7 +256,7 @@ The request returns a 201 Created response code and a [deployment](/graph/api/re
 
 The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update will be expedited.
 
-The following example adds two devices to the deployment audience using the **Azure AD ID** for each device:
+The following example adds two devices to the deployment audience using the **Microsoft Entra ID** for each device:
 
 ```msgraph-interactive
 POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience
@@ -295,4 +295,4 @@ DELETE https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e
 
 
 <!--Using include for Update Health Tools log location-->
-[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)]
\ No newline at end of file
+[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)]
diff --git a/windows/deployment/update/deployment-service-feature-updates.md b/windows/deployment/update/deployment-service-feature-updates.md
index f9ba6dd147..070ecd8914 100644
--- a/windows/deployment/update/deployment-service-feature-updates.md
+++ b/windows/deployment/update/deployment-service-feature-updates.md
@@ -61,7 +61,7 @@ When you enroll devices into feature update management, the deployment service b
 As long as a device remains enrolled in feature update management through the deployment service, the device doesn't receive any other feature updates from Windows Update unless explicitly deployed using the deployment service. A device is offered the specified feature update if it hasn't already received the update. For example, if you deploy Windows 11 feature update version 22H2 to a device that's enrolled into feature update management and is currently on an older version of Windows 11, the device updates to version 22H2. If the device is already running version 22H2 or a later version, it stays on its current version.
 
 > [!TIP]
-> Windows Update for Business reports has a [workbook](wufb-reports-workbook.md#feature-updates-tab) that displays the current operating system version for devices. In the workbook, go to the **Feature updates** tab and in the **In Service feature update** tile, select the **View details** link to open the details flyout. The OS version and Azure AD ID of devices can easily be exported into a .csv file or opened in [Azure Monitor Logs](/azure/azure-monitor/logs/log-query-overview) to help when creating a deployment audience.
+> Windows Update for Business reports has a [workbook](wufb-reports-workbook.md#feature-updates-tab) that displays the current operating system version for devices. In the workbook, go to the **Feature updates** tab and in the **In Service feature update** tile, select the **View details** link to open the details flyout. The OS version and Microsoft Entra ID of devices can easily be exported into a .csv file or opened in [Azure Monitor Logs](/azure/azure-monitor/logs/log-query-overview) to help when creating a deployment audience.
 
 <!--Using include for enrolling devices using Graph Explorer-->
 [!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-enroll-device-graph-explorer.md)]
@@ -230,7 +230,7 @@ GET https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-
 
 The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update will be offered. 
 
-The following example adds three devices to the deployment audience using the **Azure AD ID** for each device:
+The following example adds three devices to the deployment audience using the **Microsoft Entra ID** for each device:
 
    ```msgraph-interactive
    POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience
diff --git a/windows/deployment/update/deployment-service-prerequisites.md b/windows/deployment/update/deployment-service-prerequisites.md
index de71ad0223..d4dbc2e5e1 100644
--- a/windows/deployment/update/deployment-service-prerequisites.md
+++ b/windows/deployment/update/deployment-service-prerequisites.md
@@ -21,12 +21,14 @@ ms.date: 02/14/2023
 <!--7512398-->
 Before you begin the process of deploying updates with Windows Update for Business deployment service, ensure you meet the prerequisites.
 
-## Azure and Azure Active Directory
+<a name='azure-and-azure-active-directory'></a>
 
-- An Azure subscription with [Azure Active Directory](/azure/active-directory/)
-- Devices must be Azure Active Directory-joined and meet the below OSrequirements.
-  - Devices can be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
-  - Devices that are [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business
+## Azure and Microsoft Entra ID
+
+- An Azure subscription with [Microsoft Entra ID](/azure/active-directory/)
+- Devices must be Microsoft Entra joined and meet the below OSrequirements.
+  - Devices can be [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) or [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
+  - Devices that are [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business
 
 ## Licensing
 
diff --git a/windows/deployment/update/deployment-service-troubleshoot.md b/windows/deployment/update/deployment-service-troubleshoot.md
index 2d4052bbba..65a6b7777a 100644
--- a/windows/deployment/update/deployment-service-troubleshoot.md
+++ b/windows/deployment/update/deployment-service-troubleshoot.md
@@ -27,13 +27,13 @@ This troubleshooting guide addresses the most common issues that IT administrato
 - **Feature updates only**: The device might have a safeguard hold applied for the given feature update version. For more about safeguard holds, see [Safeguard holds](safeguard-holds.md) and [Opt out of safeguard holds](safeguard-opt-out.md).
 - Check that the deployment to which the device is assigned has the state *offering*. Deployments that have the states *paused* or *scheduled* won't deploy content to devices.
 - Check that the device has scanned for updates and is scanning the Windows Update service. To learn more about scanning for updates, see [Scanning updates](how-windows-update-works.md#scanning-updates).
-- **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is successfully enrolled will be represented by an Azure AD device resource with an update management enrollment for feature updates and have no Azure AD device registration errors.
+- **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is successfully enrolled will be represented by a Microsoft Entra device resource with an update management enrollment for feature updates and have no Microsoft Entra device registration errors.
 -  **Expedited quality updates only**: Check that the device has the Update Health Tools installed (available for Windows 10 version 1809 or later in the update described in [KB 4023057 - Update for Windows 10 Update Service components](https://support.microsoft.com/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a), or a more recent quality update). The Update Health Tools are required for a device to receive an expedited quality update. On a device, the program can be located at **C:\\Program Files\\Microsoft Update Health Tools**. You can verify its presence by reviewing **Add or Remove Programs** or using the following PowerShell script: `Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}`.
 
 ## The device is receiving an update that I didn't deploy
 
 - Check that the device is scanning the Windows Update service and not a different endpoint. If the device is scanning for updates from a WSUS endpoint, for example, it might receive different updates. To learn more about scanning for updates, see [Scanning updates](how-windows-update-works.md#scanning-updates).
-- **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is not successfully enrolled might receive different updates according to its feature update deferral period, for example. A device that is successfully enrolled will be represented by an Azure AD device resource with an update management enrollment for feature updates and have no Azure AD device registration errors.
+- **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is not successfully enrolled might receive different updates according to its feature update deferral period, for example. A device that is successfully enrolled will be represented by a Microsoft Entra device resource with an update management enrollment for feature updates and have no Microsoft Entra device registration errors.
 
 ### The device installed a newer update then the expedited update I deployed
 
diff --git a/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md
index fda5f5a881..24da4ab44e 100644
--- a/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md
@@ -32,7 +32,7 @@ A deployment audience is a collection of devices that you want to deploy updates
    ```
 
 
-1. Add devices, using their **Azure AD ID**, to the deployment audience so they become audience members. Specify the deployment **Audience ID** in the URL field and the devices to add in the request body. The `id` property specifies the **Azure AD ID** of the device.
+1. Add devices, using their **Microsoft Entra ID**, to the deployment audience so they become audience members. Specify the deployment **Audience ID** in the URL field and the devices to add in the request body. The `id` property specifies the **Microsoft Entra ID** of the device.
 
    ```msgraph-interactive
    POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience 
diff --git a/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md
index 0ae067e62f..ed62f731f1 100644
--- a/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md
@@ -17,7 +17,7 @@ You enroll devices based on the types of updates you want them to receive. Curre
    1. Enter the following request into the URL field: </br>
     `https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/enrollAssets`
    1. In the **Request body** tab, enter the following JSON, supplying the following information:
-      - **Azure AD Device ID** as `id`
+      - **Microsoft Entra Device ID** as `id`
       - Either `feature` or `driver` for the updateCategory
 
       ```json
diff --git a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md
index b2f438598f..336236ee43 100644
--- a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md
@@ -27,7 +27,7 @@ Use the [device](/graph/api/resources/device) resource type to find clients to e
 
 ### Add a request header for advanced queries
 
-For the next requests, set the **ConsistencyLevel** header to `eventual`. For more information about advanced query parameters, see [Advanced query capabilities on Azure AD directory objects](/graph/aad-advanced-queries).
+For the next requests, set the **ConsistencyLevel** header to `eventual`. For more information about advanced query parameters, see [Advanced query capabilities on Microsoft Entra directory objects](/graph/aad-advanced-queries).
 
 1. In Graph Explorer, select the **Request headers** tab.
 1. For **Key** type in `ConsistencyLevel` and for **Value**, type `eventual`.
@@ -49,6 +49,6 @@ For the next requests, set the **ConsistencyLevel** header to `eventual`. For mo
 
 > [!Tip]
 > Requests using the [device](/graph/api/resources/device) resource type typically have both an `id` and a `deviceid`:
-> - The `deviceid` is the **Azure AD Device ID** and will be used in this article.
+> - The `deviceid` is the **Microsoft Entra Device ID** and will be used in this article.
 >    - Later in this article, this `deviceid` will be used as an `id` when you make certain requests such as adding a device to a deployment audience.
-> - The `id` from the [device](/graph/api/resources/device) resource type is usually the Azure AD Object ID, which won't be used in this article.
+> - The `id` from the [device](/graph/api/resources/device) resource type is usually the Microsoft Entra Object ID, which won't be used in this article.
diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
index 3b19cd934d..8d869d1f69 100644
--- a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
@@ -17,7 +17,7 @@ For this article, you'll use Graph Explorer to make requests to the [Microsoft G
 > - Requests listed in this article require signing in with a Microsoft 365 account. If needed, a free one month trial is available for [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium).
 > - Using a test tenant to learn and verify the deployment process is highly recommended. Graph Explorer is intended to be a learning tool. Ensure you understand  [granting consent](/graph/security-authorization) and the [consent type](/graph/api/resources/oauth2permissiongrant#properties) for Graph Explorer before proceeding.
 
-1. From a browser, go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) and sign in using an Azure Active Directory (Azure AD) user account.
+1. From a browser, go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) and sign in using a Microsoft Entra user account.
 1. You may need to enable the [`WindowsUpdates.ReadWrite.All` permission](/graph/permissions-reference#windows-updates-permissions) to use the queries in this article. To enable the permission:
     1. Select the **Modify permissions** tab in Graph Explorer.
     1. In the permissions dialog box, select the **WindowsUpdates.ReadWrite.All** permission then select **Consent**. You may need to sign in again to grant consent.
diff --git a/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md b/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md
index f85f158a63..682134eb32 100644
--- a/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md
+++ b/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md
@@ -10,14 +10,14 @@ ms.localizationpriority: medium
 ---
 <!--This file is shared by deployment-service-drivers.md and the deployment-service-feature-updates.md articles. Headings may be driven by article context. 7512398 -->
 
-When a device no longer needs to be managed by the deployment service, unenroll it. Just like [enrolling a device](#enroll-devices), specify either `driver` or `feature` as the value for the `updateCategory`. The device will no longer receive updates from the deployment service for the specified update category. Depending on the device's configuration, it may start to receive updates from Windows Update. For instance, if a device is still enrolled for feature updates, but it's unenrolled from drivers:
+When a device no longer requires management, unenroll it from the deployment service. Just like [enrolling a device](#enroll-devices), specify either `driver` or `feature` as the value for the `updateCategory`. The device will no longer receive updates from the deployment service for the specified update category. Depending on the device's configuration, it may start to receive updates from Windows Update. For instance, if a device is still enrolled for feature updates, but it's unenrolled from drivers:
 
 - Existing driver deployments from the service won't be offered to the device
-- The device will continue to receive feature updates from the deployment service
+- The device continues to receive feature updates from the deployment service
 - Drivers may start being installed from Windows Update depending on the device's configuration
 
 To unenroll a device, POST to [updatableAssets](/graph/api/resources/windowsupdates-updatableasset) using [unenrollAssets](/graph/api/windowsupdates-updatableasset-unenrollassets). In the request body, specify:
-- **Azure AD Device ID** as `id` for the device
+- **Microsoft Entra Device ID** as `id` for the device
 - Either `feature` or `driver` for the updateCategory
 
 The following example removes `driver` enrollment for two devices, `01234567-89ab-cdef-0123-456789abcdef` and `01234567-89ab-cdef-0123-456789abcde0`:
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index 342b6d4210..da738e8991 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -11,17 +11,17 @@ ms.localizationpriority: medium
 <!--This file is shared by updates/wufb-reports-enable.md and the update/wufb-reports-admin-center.md articles. Headings may be driven by article context.  -->
 Accessing Windows Update for Business reports typcially requires permissions from multiple sources including:
 
-- [Azure Active Directory (Azure AD)](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
+- [Microsoft Entra ID](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
 - [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace
-- [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain Azure AD roles access to sign in
+- [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain Microsoft Entra roles access to sign in
 
 **Roles that can enroll into Windows Update for Business reports**
 
 To [enroll](../wufb-reports-enable.md#bkmk_enroll) into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
 
-- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) Azure AD role
-- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Azure AD role
-- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) Azure AD role
+- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) Microsoft Entra role
+- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Microsoft Entra role
+- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) Microsoft Entra role
 - [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Microsoft Intune role
   - Microsoft Intune RBAC roles don't allow access to the Microsoft 365 admin center
 
@@ -43,4 +43,4 @@ Examples of commonly assigned roles for Windows Update for Business reports user
 | [Global reader](/azure/active-directory/roles/permissions-reference#global-reader) + Log Analytics reader | No | No | Yes | Yes | No |  
 
 > [!NOTE]
-> The Azure AD roles discussed in this article for the Microsoft 365 admin center access apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
+> The Microsoft Entra roles discussed in this article for the Microsoft 365 admin center access apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
diff --git a/windows/deployment/update/includes/wufb-reports-script-error-codes.md b/windows/deployment/update/includes/wufb-reports-script-error-codes.md
index a6ca5fedc8..479b5a9eff 100644
--- a/windows/deployment/update/includes/wufb-reports-script-error-codes.md
+++ b/windows/deployment/update/includes/wufb-reports-script-error-codes.md
@@ -44,6 +44,6 @@ ms.localizationpriority: medium
 | 66    | Failed to verify UTC connectivity and recent uploads.|  
 | 67    | Unexpected failure when verifying UTC CSP.|
 | 99    | Device isn't Windows 10 or Windows 11.|
-| 100   | Device must be Azure AD joined or hybrid Azure AD joined to use Windows Update for Business reports.|
-| 101   | Check Azure AD join failed with unexpected exception.|
+| 100   | Device must be Microsoft Entra joined or Microsoft Entra hybrid joined to use Windows Update for Business reports.|
+| 101   | Check Microsoft Entra join failed with unexpected exception.|
 | 102   | DisableOneSettingsDownloads policy shouldn't be enabled. Please disable this policy.|
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index 007852b8af..18b0aa011f 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-ms.date: 12/31/2017
+ms.date: 10/10/2023
 ---
 
 # Manage device restarts after updates
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 3fd3990153..894cb7361b 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -44,8 +44,8 @@ The General Availability Channel is the default servicing channel for all Window
 
 To get started with the Windows Insider Program for Business, follow these steps:
 
-1. On the [Windows Insider](https://www.microsoft.com/windowsinsider/for-business) website, select **Register** to register your organizational Azure AD account.
-2. Follow the prompts to register your tenant.</br>**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register.
+1. On the [Windows Insider](https://www.microsoft.com/windowsinsider/for-business) website, select **Register** to register your organizational Microsoft Entra account.
+2. Follow the prompts to register your tenant.</br>**Note:** The signed-in user needs to be a **Global Administrator** of the Microsoft Entra domain in order to be able to register.
 3. Make sure the **Allow Telemetry** setting is set to **2** or higher.
 4. For Windows devices, set policies to manage preview builds and their delivery:
 
@@ -70,4 +70,3 @@ To prevent devices in your organization from being enrolled in the Insider Progr
 >Starting with Windows 10, version 1709, this policy is replaced by **Manage preview builds** policy.
 > * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
 > * MDM: **Update/ManagePreviewBuilds**
-
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 5ffafc24a9..b370409adb 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -35,7 +35,7 @@ You can use Group Policy settings or mobile device management (MDM) to configure
 | [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All |
 | [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
 | [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
-| |  [Windows Update notifications display organization name](#display-organization-name-in-windows-update-notifications) </br></br> *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered <!--6286260-->|
+| |  [Windows Update notifications display organization name](#display-organization-name-in-windows-update-notifications) </br></br> *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Microsoft Entra joined or registered <!--6286260-->|
 | | [Allow Windows updates to install before initial user sign-in](#allow-windows-updates-to-install-before-initial-user-sign-in) (registry only)| Windows 11 version 22H2 with 2023-04 Cumulative Update Preview, or a later cumulative update <!--7679187-->|
 
 
@@ -257,12 +257,12 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
 
 ## Display organization name in Windows Update notifications
 <!--6286260-->
-When Windows 11 clients are associated with an Azure AD tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update for Business, the user notification will display a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11.  
+When Windows 11 clients are associated with a Microsoft Entra tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update for Business, the user notification will display a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11.  
   
-The organization name appears automatically for Windows 11 clients that are associated with Azure AD in any of the following ways:
-- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) 
-- [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register)
-- [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
+The organization name appears automatically for Windows 11 clients that are associated with Microsoft Entra ID in any of the following ways:
+- [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) 
+- [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register)
+- [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
 
 To disable displaying the organization name in Windows Update notifications, add or modify the following in the registry:
 
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index 3d79d66cd5..e65bab8900 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
-ms.date: 02/28/2023
+ms.date: 10/10/2023
 ---
 
 # Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
@@ -39,7 +39,7 @@ You can control when updates are applied, for example by deferring when an updat
 
 Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device.
 
-To enable Microsoft Updates, use [Update/AllwMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice).
+To enable Microsoft Updates, use [Update/AllowMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice).
 
 Drivers are automatically enabled because they're beneficial to device systems. We recommend that you allow the driver policy to allow drivers to be updated on devices (the default), but you can turn off this setting if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use Update/[ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#update-excludewudriversinqualityupdate).
 
@@ -136,7 +136,8 @@ We recommend that you use set specific deadlines for feature and quality updates
 
 - [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates) 
 - [Update/ConfigureDeadlineForQualityUpdates ](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates)
-- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) 
+- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates)
 - [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot)
 
 These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 7c431a1818..372a36d6df 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -17,7 +17,7 @@ appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
-ms.date: 08/22/2023
+ms.date: 10/10/2023
 ---
 
 # Walkthrough: Use Group Policy to configure Windows Update for Business
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index e29c2d0a8e..714ea509f5 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -12,36 +12,60 @@ manager: aaroncz
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
-ms.date: 05/12/2023
+ms.date: 10/10/2023
 ---
 # Enforcing compliance deadlines for updates
 
 Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions.
 
-With a current version, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and later: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as four separate settings:
+With a current version, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and later: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as separate settings:
 
-- Update/ConfigureDeadlineForFeatureUpdates
-- Update/ConfigureDeadlineForQualityUpdates
-- Update/ConfigureDeadlineGracePeriod
-- Update/ConfigureDeadlineNoAutoReboot
+- [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates) 
+- [Update/ConfigureDeadlineForQualityUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates)
+- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates) (Windows 11, version 22H2 or later)
+- [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot)
 
-## Policy setting overview
+
+## Policy setting overview for clients running Windows 11, version 22H2 and later
+
+|Policy| Description |
+|-|-|
+| Specify deadlines for automatic updates and restarts | This policy lets you specify the number of days before quality and feature updates are installed on devices automatically, and a grace period, after which required restarts occur automatically. This policy includes an option to opt out of automatic restarts until the end of the grace period is reached. |
+
+### Suggested configurations for clients running Windows 11, version 22H2 and later
+
+| Policy | Location | Quality updates deadline in days | Quality updates grace period in days | Feature updates deadline in days | Feature updates grace period in days |
+|-|-|-|-|-|-|
+| Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 2 | 2 | 7 |
+
+When **Specify deadlines for automatic updates and restarts** is set:
+
+The deadline calculation for both quality and feature updates is based off the time the client's update scan initially discovered the update. Previously, the deadline was based off the release date of the update for quality updates and the reboot pending date for feature updates. The change for deadline calculation was made to improve the predictability of restart.
+
+The grace period for both quality and feature updates starts its countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, users are able to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose not to schedule restarts. Once the *effective deadline* is reached, the device tries to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.) Grace periods are useful for users who may be coming back from vacation, or other extended time away from their device, to ensure a forced reboot doesn't occur immediately after they return.
+
+> [!NOTE]
+> When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.
+
+## Policy setting overview for clients running Windows 11, version 21H2 and earlier
 
 |Policy|Description |
 |-|-|
 | (Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | This policy includes a deadline and a configurable grace period with the option to opt out of automatic restarts until the deadline is reached. This is the recommended policy for Windows 10, version 1709 and later.|
 
-## Suggested configurations
+### Suggested configurations for clients running Windows 11, version 21H2 and earlier
 
 |Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days|
 |-|-|-|-|-|
-|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts    | 2 | 2 | 5 |
+|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts  | 2 | 7 | 2 |
 
 When **Specify deadlines for automatic updates and restarts** is set (Windows 10, version 1709 and later):
 
-For feature updates, the deadline and grace period start their countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, the device will try to update outside of active hours. Once the *effective deadline* is reached, the device will try to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.) 
+For feature updates, the deadline and grace period start their countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, the device tries to update outside of active hours. Once the *effective deadline* is reached, the device tries to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.) 
 
-For quality updates, the deadline countdown starts from the time the update is *offered* (not downloaded or installed). The grace period countdown starts from the time of the pending restart. The device will try to download and install the update at a time based on your other download and installation policies (the default is to automatically download and install in in the background). When the pending restart time is reached, the device will notify the user and try to update outside of active hours. Once the effective deadline is reached, the device will try to restart during active hours.
+For quality updates, the deadline countdown starts from the time the update is *offered* (not downloaded or installed). The grace period countdown starts from the time of the pending restart. The device tries to download and install the update at a time based on your other download and installation policies (the default is to automatically download and install in the background). When the pending restart time is reached, the device notifies the user and tries to update outside of active hours. Once the effective deadline is reached, the device tries to restart during active hours.
 
 > [!NOTE]
-> When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.
+> - When using the newer policy that contains **Feature updates grace period in days**, this setting is ignored by clients that are running Windows 11 version 21H2 and earlier. The grace period for quality updates is used for both quality updates and feature updates for these clients.
+> - When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.
diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md
index 05cfa795ab..d71d76d0be 100644
--- a/windows/deployment/update/wufb-reports-do.md
+++ b/windows/deployment/update/wufb-reports-do.md
@@ -95,7 +95,7 @@ Each calculated values used in the Delivery Optimization report are listed below
 
 ## Mapping GroupID
 
-In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. You can create a mapping of original to encoded GroupIDs using the following PowerShell example:
+In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash and is case sensitive. You can create a mapping of original to encoded GroupIDs using the following PowerShell example:
 
 ```powershell
 $text = "<myOriginalGroupID>`0" ; # The `0 null terminator is required
diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml
index 60f9460966..fe8f250ece 100644
--- a/windows/deployment/update/wufb-reports-faq.yml
+++ b/windows/deployment/update/wufb-reports-faq.yml
@@ -55,7 +55,7 @@ sections:
     questions:
       - question: What is Windows Update for Business reports?
         answer: |
-          Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses.  
+          Windows Update for Business reports is a cloud-based solution that provides information about your Microsoft Entra joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses.  
       - question: Is Windows Update for Business reports free?
         answer: |
           Data ingested into your Log Analytics workspace can be retained at no charge for up to first 31 days (or 90 days if [Microsoft Sentinel](/azure/sentinel/overview) is enabled on the workspace). Data ingested into [Application Insights](/azure/azure-monitor/app/app-insights-overview), either classic or workspace-based, is retained for 90 days without any charge.
@@ -180,4 +180,4 @@ sections:
             [Delivery Optimization PowerShell cmdlets](waas-delivery-optimization-setup.md#monitor-delivery-optimization) can be a powerful tool used to monitor Delivery Optimization data on the device. These cmdlets use the cache on the device. The data calculated in the report is taken from the Delivery Optimization events.
       - question: The report represents the last 28 days of data, why do some queries include >= seven days?
         answer: |
-            The data in the report does represent the last 28 days of data. The query for last seven days is just to get the data for the latest snapshot from past seven days. It's possible that data is delayed for sometime and not available for current day, so we look for past seven day snapshot in log analytics and show the latest snapshot.
\ No newline at end of file
+            The data in the report does represent the last 28 days of data. The query for last seven days is just to get the data for the latest snapshot from past seven days. It's possible that data is delayed for sometime and not available for current day, so we look for past seven day snapshot in log analytics and show the latest snapshot.
diff --git a/windows/deployment/update/wufb-reports-overview.md b/windows/deployment/update/wufb-reports-overview.md
index a4321c74d6..a38066595f 100644
--- a/windows/deployment/update/wufb-reports-overview.md
+++ b/windows/deployment/update/wufb-reports-overview.md
@@ -16,7 +16,7 @@ ms.date: 11/15/2022
 
 # Windows Update for Business reports overview
 <!--37063317, 30141258, 37063041-->
-Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Windows Update for Business reports helps you:
+Windows Update for Business reports is a cloud-based solution that provides information about your Microsoft Entra joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Windows Update for Business reports helps you:
 
 - Monitor security, quality, driver, and feature updates for Windows 11 and Windows 10 devices
 - Report on devices with update compliance issues
@@ -56,7 +56,7 @@ Windows Update for Business reports is a Windows service hosted in Azure that us
 
 ## How Windows Update for Business reports works
 
-You'll set up Windows Update for Business reports by enrolling into the service from the Azure portal. Then you'll configure your Azure AD-joined devices to send Windows client diagnostic data to the service. Windows Update for Business reports uses [Log Analytics in Azure Monitor](/azure/azure-monitor/logs/log-analytics-overview) to store the diagnostic data the clients send. You can use this data for reporting on updates for your devices. Windows Update for Business reports collects system data such as:
+You'll set up Windows Update for Business reports by enrolling into the service from the Azure portal. Then you'll configure your Microsoft Entra joined devices to send Windows client diagnostic data to the service. Windows Update for Business reports uses [Log Analytics in Azure Monitor](/azure/azure-monitor/logs/log-analytics-overview) to store the diagnostic data the clients send. You can use this data for reporting on updates for your devices. Windows Update for Business reports collects system data such as:
 
 - Update deployment progress
 - Delivery Optimization usage data
diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md
index b418f74af8..3b3527ba45 100644
--- a/windows/deployment/update/wufb-reports-prerequisites.md
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@@ -18,12 +18,14 @@ ms.date: 08/30/2023
 <!--37063317, 30141258, 37063041-->
 Before you begin the process of adding Windows Update for Business reports to your Azure subscription, ensure you meet the prerequisites.
 
-## Azure and Azure Active Directory
+<a name='azure-and-azure-active-directory'></a>
 
-- An Azure subscription with [Azure Active Directory](/azure/active-directory/)
-- Devices must be Azure Active Directory-joined and meet the below OS, diagnostic, and endpoint access requirements.
-  - Devices can be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
-- Devices that are [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business reports.
+## Azure and Microsoft Entra ID
+
+- An Azure subscription with [Microsoft Entra ID](/azure/active-directory/)
+- Devices must be Microsoft Entra joined and meet the below OS, diagnostic, and endpoint access requirements.
+  - Devices can be [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) or [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
+- Devices that are [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business reports.
 - The Log Analytics workspace must be in a [supported region](#log-analytics-regions)
 - Data in the **Driver update** tab of the [workbook](wufb-reports-workbook.md) is only available for devices that receive driver and firmware updates from the [Windows Update for Business deployment service](deployment-service-overview.md)
 
diff --git a/windows/deployment/update/wufb-reports-schema-ucclient.md b/windows/deployment/update/wufb-reports-schema-ucclient.md
index 6cf7e6e2a8..9966c6a6ad 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclient.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclient.md
@@ -22,8 +22,8 @@ UCClient acts as an individual device's record. It contains data such as the cur
 
 |Field |Type |Example |Description |
 |---|---|---|---|
-| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
-| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID |
+| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
 | **Country** |  [string](/azure/kusto/query/scalar-data-types/string) | `US` | The last-reported location of device (country or region), based on IP address. Shown as country code. |
 | **DeviceFamily** |  [string](/azure/kusto/query/scalar-data-types/string) | `PC, Phone` | The device family such as PC, Phone. |
 | **DeviceName** |  [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Client-provided device name |
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
index 2e6bcaa89c..a497b36832 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
@@ -26,8 +26,8 @@ UCClientReadinessStatus is an individual device's record about its readiness for
 | **DeviceName** |  [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Client-provided device name |
 | **GlobalDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | The global device identifier. |
 | **SCCMClientId** |  [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager Client ID, if available. |
-| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID |
-| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
+| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
 | **OSName** |  [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10` | The operating system name. |
 | **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Win10 OS Version (such as 19H2, 20H1, 20H2) currently installed on the device. |
 | **OSBuild** |  [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full OS build installed on this device, such as Major.Minor.Build.Revision  |
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
index 1373eed6d6..760d757558 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
@@ -23,8 +23,8 @@ Update Event that combines the latest client-based data with the latest service-
 
 | Field | Type | Example | Description |
 |---|---|---|---|
-| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | A string corresponding to the Azure AD tenant to which the device belongs. |
-| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A string corresponding to this device's Azure AD device ID |
+| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | A string corresponding to the Microsoft Entra tenant to which the device belongs. |
+| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A string corresponding to this device's Microsoft Entra device ID |
 |**CatalogId** | [string](/azure/kusto/query/scalar-data-types/string) | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | The update catalog ID | 
 | **ClientState** |  [string](/azure/kusto/query/scalar-data-types/string) | `Installing` | Higher-level bucket of ClientSubstate. |
 | **ClientSubstate** |  [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | Last-known state of this update relative to the device, from the client. |
@@ -55,4 +55,4 @@ Update Event that combines the latest client-based data with the latest service-
 | **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
 | **UpdateReleaseTime** |  [datetime](/azure/kusto/query/scalar-data-types/datetime)  | `2020-05-14 09:26:03.478039` | The release date of the update |
 | **UpdateSource** |  [string](/azure/kusto/query/scalar-data-types/string) | `UUP` | The source of the update such as UUP, MUv6, Media |
- 
\ No newline at end of file
+ 
diff --git a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
index 435324d2db..a449781e51 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
@@ -28,8 +28,8 @@ These alerts are activated as a result of an issue that is device-specific. It i
 | **AlertStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Active` | Whether this alert is Active, Resolved, or Deleted |
 | **AlertSubtype** | [string](/azure/kusto/query/scalar-data-types/string) | `DiskFull` | The subtype of alert. |
 | **AlertType** | [string](/azure/kusto/query/scalar-data-types/string) | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields will be present. |
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD device ID of the device, if available. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD tenant ID of the device. |
+| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra device ID of the device, if available. |
+| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
 | **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | If the alert is from the client, the ClientSubstate at the time this alert was activated or updated, else empty. |
 | **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Rank of ClientSubstate |
 | **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The deployment this alert is relative to, if there's one. |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
index a7012d9409..d6b10a0364 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
@@ -24,8 +24,8 @@ UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records acro
 
 |Field |Type |Example |Description |
 |---|---|---|---|
-| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
-| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID |
+| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
 | **BWOptPercent28Days** |  [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.|
 | **BytesFromCache** |  [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). |
 | **BytesFromCDN** |  [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdostatus.md b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
index a76acc8512..c9f8f9a935 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdostatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
@@ -22,8 +22,8 @@ UCDOStatus provides information, for a single device, on its bandwidth utilizati
 
 |Field |Type |Example |Description |
 |---|---|---|---|
-| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
-| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID |
+| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
 | **BWOptPercent28Days** |  [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.|
 | **BWOptPercent7Days** |  [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 7-day basis.|
 | **BytesFromCache** |  [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). |
diff --git a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
index 52989b6baf..004f2def5e 100644
--- a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
@@ -23,7 +23,7 @@ Update Event that comes directly from the service-side. The event has only servi
 | Field | Type | Example | Description |
 |---|---|---|---|
 | **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A GUID corresponding to the Azure AD tenant to which the device belongs. |
+| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A GUID corresponding to the Microsoft Entra tenant to which the device belongs. |
 |**CatalogId** | [string](/azure/kusto/query/scalar-data-types/string) | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | The update catalog ID | 
 | **DeploymentApprovedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time of the update approval |
 | **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) |`cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
@@ -41,7 +41,7 @@ Update Event that comes directly from the service-side. The event has only servi
 | **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)|  `Azure`| |
 | **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build for the content this event is tracking. For Windows 10, this string corresponds to "10.0.Build.Revision" |
 | **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The version of content this DeviceUpdateEvent is tracking. For Windows 10 updates, this number would correspond to the year/month version format used, such as 1903. |
-| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `9011c330-1234-5678-9abc-def012345678`  | Azure AD tenant ID |
+| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `9011c330-1234-5678-9abc-def012345678`  | Microsoft Entra tenant ID |
 | **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Time the snapshot ran  can also be the same as EventDateTimeUTC in some cases. |
 | **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `ServiceUpdateEvent` | The EntityType |
 | **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
diff --git a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
index c85d070cc9..ba81be193a 100644
--- a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
@@ -29,8 +29,8 @@ Alert for both client and service updates. Contains information that needs atten
 | **AlertStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Active` | Whether this alert is Active, Resolved, or Deleted |
 | **AlertSubtype** | [string](/azure/kusto/query/scalar-data-types/string) | `DiskFull` | The subtype of alert |
 | **AlertType** | [string](/azure/kusto/query/scalar-data-types/string) | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields will be present |
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD device ID of the device, if available. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD tenant ID of the device. |
+| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra device ID of the device, if available. |
+| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
 | **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | If the alert is from the client, the ClientSubstate at the time this alert was activated or updated, else empty. |
 | **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Rank of ClientSubstate |
 | **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The deployment this alert is relative to, if there's one. |
@@ -46,7 +46,7 @@ Alert for both client and service updates. Contains information that needs atten
 | **StartTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was activated. |
 | **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `18363.836` | The Windows 10 Major. Revision this UpdateAlert is relative to. |
 | **TargetVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 build this UpdateAlert is relative to. |
-| **TenantId** |[string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD tenant ID of the device. |
+| **TenantId** |[string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
 | **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
 | **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. |
 | **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
deleted file mode 100644
index c3c3acaa55..0000000000
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ /dev/null
@@ -1,175 +0,0 @@
----
-title: Windows 10 edition upgrade (Windows 10)
-description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.topic: conceptual
-ms.collection:
-  - highpri
-  - tier2
-ms.technology: itpro-deploy
-ms.date: 10/28/2022
----
-
-# Windows 10 edition upgrade
-
-**Applies to**
-
--   Windows 10
-
-With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section on this page.
-
-
-The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer.
-
-> [!NOTE]
-> The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
-
-> [!TIP]
-> Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Configuration Manager.
-
-![not supported.](../images/x_blk.png) (X) = not supported</br>
-![supported, reboot required.](../images/check_grn.png) (green checkmark) = supported, reboot required</br>
-![supported, no reboot.](../images/check_blu.png) (blue checkmark) = supported, no reboot required<br>
-
-<!-- OLD TABLE and key
-X = unsupported <BR>
-&#x2714; (green) = supported; reboot required<BR>
-&#x2714; (blue) = supported; no reboot required
-
-|Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile |
-|-------|-----------|-----------------|----------------|-----------------|----------------|--------|
-| Using mobile device management (MDM) |![unsupported.](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |
-| Using a provisioning package |![unsupported.](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |
-| Using a command-line tool |![unsupported.](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![unsupported](../images/x_blk.png) |
-| Entering a product key manually |![supported.](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![unsupported](../images/x_blk.png) |
-| Purchasing a license from the Microsoft Store |![supported.](../images/check_grn.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |
--->
-
-| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store |
-|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |
-| **Home > Pro** | ![not supported.](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) |
-| **Home > Pro for Workstations** | ![not supported.](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) |
-| **Home > Pro Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Home > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Pro > Pro for Workstations** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) |
-| **Pro > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
-| **Pro > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(Microsoft Store for Business) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Pro > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(1703 - PC)<br>(1709 - Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
-| **Pro for Workstations > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
-| **Pro for Workstations > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(Microsoft Store for Business) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Pro for Workstations > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(1703 - PC)<br>(1709 - Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
-| **Pro Education > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(Microsoft Store for Business) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Enterprise > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(Microsoft Store for Business) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-
-> [!NOTE]
-> - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md)
-> - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods.
-> <br>
-
-## Upgrade using mobile device management (MDM)
-- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp).
-
-
-## Upgrade using a provisioning package
-Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition. To get started, [install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22).
-
-- To create a provisioning package for upgrading desktop editions of Windows 10, go to **Runtime settings &gt; EditionUpgrade &gt; UpgradeEditionWithProductKey** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition.
-
-For more info about Windows Configuration Designer, see these articles:
-- [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package)
-- [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package)
-
-
-## Upgrade using a command-line tool
-You can run the changepk.exe command-line tool to upgrade devices to a supported edition of Windows 10:
-
-`changepk.exe /ProductKey <enter your new product key here>`
-
-You can also upgrade using slmgr.vbs and a [KMS client setup key](/windows-server/get-started/kmsclientkeys).  For example, the following command will upgrade to Windows 10 Enterprise.
-
-`Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43`
-
-
-## Upgrade by manually entering a product key
-If you're upgrading only a few devices, you may want to enter a product key for the upgraded edition manually.
-
-**To manually enter a product key**
-
-1.  From either the Start menu or the Start screen, type 'Activation' and select on the Activation shortcut.
-
-2.  Select **Change product key**.
-
-3.  Enter your product key.
-
-4.  Follow the on-screen instructions.
-
-## Upgrade by purchasing a license from the Microsoft Store
-If you don't have a product key, you can upgrade your edition of Windows 10 through the Microsoft Store.
-
-**To upgrade through the Microsoft Store**
-
-1.  From either the **Start** menu or the **Start** screen, type 'Activation' and select on the Activation shortcut.
-
-2.  Select **Go to Store**.
-
-3.  Follow the on-screen instructions.
-
-    > [!NOTE]
-    > If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/).
-
-## License expiration
-
-Volume license customers whose license has expired will need to change the edition of Windows 10 to an edition with an active license. Switching to a downgraded edition of Windows 10 is possible using the same methods that were used to perform an edition upgrade. If the downgrade path is supported, then your apps and settings can be migrated from the current edition. If a path isn't supported, then a clean install is required.
-
-Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key isn't supported.  You also can't downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This article doesn't discuss version downgrades.
-
-> [!NOTE]
-> If you are using [Windows 10 Enterprise Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires.
-
-### Scenario example
-
-Downgrading from Enterprise
-
-- Original edition: **Professional OEM**
-- Upgrade edition: **Enterprise**
-- Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education**
-
-You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you're a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/download/details.aspx?id=11091).
-
-### Supported Windows 10 downgrade paths
-
-✔ = Supported downgrade path
-
-S = Supported; Not considered a downgrade or an upgrade
-
-[blank] = Not supported or not a downgrade
-
-**Destination Edition: (Starting)**
-
-![Supported downgrade path.](../images/check_grn.png) (green checkmark) = Supported downgrade path</br>
-![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) (blue checkmark) = Not considered a downgrade or an upgrade<br>
-![not supported.](../images/x_blk.png) (X) = not supported or not a downgrade</br>
-
-| **Edition** | **Home** | **Pro** | **Pro for Workstations** | **Pro Education** | **Education** | **Enterprise LTSC** | **Enterprise** |
-|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |--------------------------------------------- |
-| **Home** | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) |
-| **Pro** | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) |
-| **Pro for Workstations** | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) |
-| **Pro Education** | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) |
-| **Education** | ![not supported.](../images/x_blk.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) |
-| **Enterprise LTSC** | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) |
-| **Enterprise** | ![not supported.](../images/x_blk.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) |
-
-> **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above.
-
-Some slightly more complex scenarios aren't represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro.
-
-## Related articles
-
-[Windows 10 upgrade paths](./windows-10-upgrade-paths.md)<br>
-[Windows 10 volume license media](../windows-10-media.md)<br>
-[Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index 9cd2a2aca9..7686e7d15b 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -11,18 +11,26 @@ ms.collection:
   - highpri
   - tier2
 ms.technology: itpro-deploy
-ms.date: 10/28/2022
+ms.date: 10/02/2023
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # Windows 10 upgrade paths
 
-**Applies to**
-
--   Windows 10
+> [!IMPORTANT]
+>
+> This article deals with upgrading from Windows versions that are out of support. For a current version of this article, please see [Windows upgrade paths](windows-upgrade-paths.md) that deals with currently supported versions of Windows.
+>
+> For more information, see:
+>
+> - [Windows 8.1 support ended on January 10, 2023](https://support.microsoft.com/windows/windows-8-1-support-ended-on-january-10-2023-3cfd4cde-f611-496a-8057-923fba401e93).
+> - [Windows 7 support ended on January 14, 2020](https://support.microsoft.com/windows/windows-7-support-ended-on-january-14-2020-b75d4580-2cc7-895a-2c9c-1466d9a53962).
+> - [FAQ about Windows 7 ESU](/troubleshoot/windows-client/windows-7-eos-faq/windows-7-extended-security-updates-faq).
 
 ## Upgrade paths
 
-This article provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. 
+This article provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. Paths include upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported.
 
 If you're also migrating to a different edition of Windows, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md). Methods and supported paths are described on this page to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths. However, applications and settings aren't maintained when the Windows edition is downgraded.
 
@@ -30,9 +38,9 @@ If you're also migrating to a different edition of Windows, see [Windows 10 edit
 
 - **In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 General Availability Channel](/windows/release-health/release-information)** to Windows 10 LTSC isn't supported. Windows 10 LTSC 2015 didn't block this in-place upgrade path. This issue was corrected in the Windows 10 LTSC 2016 release, which only allows data-only and clean install options.
 
-  You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel if you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You'll need to use the Product Key switch if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 GA Channel product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`.
+  You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel if you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process using Windows setup. The Product Key switch needs to be used if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 GA Channel product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`.
 
-- **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions aren't the same type (for example, Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
+- **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown in the following tables. If the pre-upgrade and post-upgrade editions aren't the same type (for example, Windows 8.1 Pro N to Windows 10 Pro), personal data is kept but applications and settings are removed during the upgrade process.
 
 - **Windows 8.0**: You can't upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355).
 
diff --git a/windows/deployment/upgrade/windows-edition-upgrades.md b/windows/deployment/upgrade/windows-edition-upgrades.md
new file mode 100644
index 0000000000..44c3c79c40
--- /dev/null
+++ b/windows/deployment/upgrade/windows-edition-upgrades.md
@@ -0,0 +1,213 @@
+---
+title: Windows edition upgrade
+description: With Windows, you can quickly upgrade from one edition of Windows to another, provided the upgrade path is supported.
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+ms.localizationpriority: medium
+author: frankroj
+ms.topic: conceptual
+ms.collection:
+  - highpri
+  - tier2
+ms.technology: itpro-deploy
+ms.date: 10/02/2023
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+---
+
+# Windows edition upgrade
+
+With Windows, you can quickly upgrade from one edition of Windows to another, provided the upgrade path is supported. For information on what edition of Windows is right for you, see the following articles:
+
+- [Compare Windows 11 Editions](https://www.microsoft.com/windows/business/compare-windows-11).
+- [Explore Windows 11 Pro features](https://www.microsoft.com/windows/business/windows-11-pro).
+- [Windows 10 Pro vs Windows 11 Pro](https://www.microsoft.com/windows/business/windows-10-pro-vs-windows-11-pro).
+- [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882).
+- [Windows For Business](https://www.microsoft.com/windows/business).
+
+For a comprehensive list of all possible upgrade paths to Windows, see [Windows upgrade paths](windows-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section in this article.
+
+The following table shows the methods and paths available to change the edition of Windows that is running on your computer.
+
+| Edition upgrade | MDM | Provisioning<br>package | Command-<br>line tool | Manually entering<br>product key |
+|-----| ----- | ----- | ----- | ----- |
+| **Home > Pro** | ❌ | ❌ | ❌ | ☑️ |
+| **Home > Pro for Workstations** | ❌ | ❌ | ❌ | ☑️|
+| **Home > Pro Education** | ☑️ | ☑️ | ☑️ | ☑️ |
+| **Home > Education** | ☑️ | ☑️ | ☑️ | ☑️ |
+| **Pro > Pro for Workstations** | ✅ | ✅ | ✅ | ✅ |
+| **Pro > Pro Education** | ✅ | ✅ | ✅ | ✅ |
+| **Pro > Education** | ☑️ | ☑️ | ☑️ | ☑️ |
+| **Pro > Enterprise** | ✅ | ✅ | ✅ | ✅ |
+| **Pro for Workstations > Pro Education** | ✅ | ✅ | ✅ | ✅ |
+| **Pro for Workstations > Education** | ☑️ | ☑️ | ☑️ | ☑️ |
+| **Pro for Workstations > Enterprise** | ✅ | ✅ | ✅ | ✅ |
+| **Pro Education > Education** | ☑️ | ☑️ | ☑️ | ☑️ |
+| **Enterprise > Education** | ☑️ | ☑️ | ☑️ | ☑️ |
+
+- ✅ = Supported, no reboot required.
+- ☑️ = Supported, but reboot required.
+- ❌ = Not supported.
+- MDM = Modern device management.
+
+> [!NOTE]
+>
+> - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods.
+>
+> - Edition upgrades via Microsoft Store for Business are no longer available with the retirement of the Microsoft Store for Business. For more information, see [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring) and [Microsoft Store for Business and Microsoft Store for Education overview](/microsoft-store/microsoft-store-for-business-overview).
+
+> [!TIP]
+> Edition upgrade is also possible using edition upgrade policy in Microsoft Configuration Manager. For more information, see [Upgrade Windows devices to a new edition with Configuration Manager](/mem/configmgr/compliance/deploy-use/upgrade-windows-version).
+
+## Upgrade using modern device management (MDM)
+
+To upgrade desktop editions of Windows using MDM, enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp).
+
+For information on upgrading editions of Windows using Microsoft Intune, including switching out of S mode, see [Upgrade Windows 10/11 editions or switch out of S mode on devices using Microsoft Intune](/mem/intune/configuration/edition-upgrade-configure-windows-10).
+
+## Upgrade using a provisioning package
+
+Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition of Windows. Windows Configuration Designer is available as part of the Windows Assessment and Deployment Kit (Windows ADK) or as a stand-alone Microsoft Store app. Download the Windows Configuration Designer from one of the following locations:
+
+- [Download and install the Windows ADK](/windows-hardware/get-started/adk-install) - When installing the ADK, make sure to select **Configuration Designer**. After installation, Windows Configuration Designer can be found in the Start Menu under **Windows Kits** > **Windows Imaging and Configuration Designer**.
+
+- [Windows Configuration Designer](https://apps.microsoft.com/store/detail/windows-configuration-designer/9NBLGGH4TX22) - Microsoft Store app. After installation, Windows Configuration Designer can be found in the Start menu as **Windows Configuration Designer**.
+  > [!div class="nextstepaction"]
+  > [Download Windows Configuration Designer from the Microsoft Store](ms-windows-store://pdp/?ProductId=9NBLGGH4TX22)
+
+To create a provisioning package for upgrading desktop editions of Windows:
+
+1. Open Windows Configuration Designer.
+
+1. Select **Advanced provisioning**.
+
+1. In the **New project** window that opens:
+
+    1. Under **Enter project details**, give the project a name and then select the **Next** button.
+
+    1. Under **Choose which settings to view and configure**, select **All Windows desktop editions** and then select the **Next** button.
+
+    1. Under **Import a provisioning package (optional)**, select the **Finish** button.
+
+1. Under **Available customizations**, expand **Runtime settings** > **EditionUpgrade** and then select **ChangeProductKey**.
+
+1. In the **EditionUpgrade/ChangeProductKey** pane, next to **ChangeProductKey**, enter the product key for the upgraded edition.
+
+1. Under the **File** menu, select **Save**.
+
+1. Under the **Export** menu, select **Provisioning package**.
+
+1. Step through the **Build** wizard to create the provisioning package, making sure to save the provisioning package to a known location.
+
+For more info about Windows Configuration Designer, see the following articles:
+
+- [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
+- [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package)
+
+## Upgrade using a command-line tool
+
+The `changepk.exe` command-line tool can be used to upgrade devices to a supported edition of Windows:
+
+```cmd
+changepk.exe /ProductKey <product_key>`
+```
+
+Upgrades can also be performed using `slmgr.vbs` and a [KMS client setup key](/windows-server/get-started/kmsclientkeys).  For example:
+
+```cmd
+cscript.exe c:\windows\system32\slmgr.vbs /ipk <product_key>
+```
+
+## Upgrade by manually entering a product key
+
+If only a few devices are being upgraded devices, a product key for the upgraded edition can be entered manually. To manually enter a product key:
+
+1. Right click on the **Start** menu and select **Run**.
+
+1. In the **Run** window, next to **Open**, enter
+
+   `ms-settings:activation`
+  
+   and then select **OK**.
+
+1. Select **Change product key**.
+
+1. Enter your product key.
+
+1. Follow the on-screen instructions.
+
+Alternatively, select the following link to automatically open the **Settings** app to the activation page:
+
+> [!div class="nextstepaction"]
+> [Activation](ms-settings:activation)
+
+## Upgrade by purchasing a license from the Microsoft Store
+
+If you don't have a product key, you can upgrade your edition of Windows through the Microsoft Store. To upgrade through the Microsoft Store:
+
+1. Right click on the **Start** menu and select **Run**.
+
+1. In the **Run** window, next to **Open**, enter
+
+   `ms-windows-store://windowsupgrade/`
+  
+   and then select **OK**.
+
+1. Follow the on-screen instructions.
+
+Alternatively, select the following link to automatically open the Microsoft Store to the page for upgrading the edition of Windows:
+
+> [!div class="nextstepaction"]
+> [Upgrade Windows Edition](ms-windows-store://windowsupgrade/)
+
+## License expiration
+
+Volume license customers whose license has expired need to change the edition of Windows to an edition with an active license. Downgrading the edition of Windows is possible using the same methods that were used to perform an edition upgrade. If the downgrade path is supported, then apps and settings can be migrated from the current edition. If a path isn't supported, then a clean install is required.
+
+The following scenarios aren't supported:
+
+- Downgrading Windows to a pervious version by entering a different product key, for example from Windows 11 Pro to Windows 10 Pro.
+
+- Downgrading from a later version to an earlier version of the same edition of Windows, for example from Windows 11 Pro 22H2 to Windows 11 Pro 22H1, unless using rollback.
+
+> [!NOTE]
+>
+> If you're using [Windows subscription activation](/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices automatically revert to the original edition when the grace period expires.
+
+## Supported Windows downgrade paths
+
+| Edition | Home | Pro | Pro for<br> Workstations | Pro<br>Education | Education | Enterprise<br>LTSC | Enterprise |
+|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |--------------------------------------------- |
+| **Home** | - | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
+| **Pro** | ❌ | - | ❌ | ❌ | ❌ | ❌ | ❌ |
+| **Pro for Workstations** | ❌ | ❌ | - | ❌ | ❌ | ❌ | ❌ |
+| **Pro Education** | ❌ | ❌ | ❌ | - | ❌ | ❌ | ❌ |
+| **Education** | ❌ | ✅ | ✅ | ✅ | - | ❌ | - |
+| **Enterprise LTSC** | ❌ | ❌ | ❌ | ❌ | ❌ | - | ❌ |
+| **Enterprise** | ❌ | ✅ | ✅ | ✅ | - | ❌ | - |
+
+- ✅ = Supported downgrade path.
+- ❌ = not supported or not a downgrade.
+- \- = Not considered a downgrade or an upgrade.
+
+> [!NOTE]
+>
+> Windows **N** and Windows **KN** SKUs follow the same rules shown in the table.
+
+The table may not represent more complex scenarios. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key. You can then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro.
+
+### Scenario example: Downgrading from Enterprise
+
+- Original edition: **Professional OEM**
+- Upgrade edition: **Enterprise**
+- Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education**
+
+You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you're a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/download/details.aspx?id=11091).
+
+## Related articles
+
+- [Windows upgrade paths](./windows-upgrade-paths.md)
+- [Volume Licensing Service Center](/licensing/)
+- [Windows Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)
diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
index 81fcb592e6..4a534442ee 100644
--- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
+++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
@@ -37,7 +37,7 @@ You can use USMT to automate migration during large deployments of the Windows o
 
 > [!IMPORTANT]
 >
-> USMT only supports devices that are joined to a local Active Directory domain. USMT doesn't support Azure AD joined devices. 
+> USMT only supports devices that are joined to a local Active Directory domain. USMT doesn't support Microsoft Entra joined devices. 
 
 ## Upgrade and migration considerations
 Whether you're upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations:
diff --git a/windows/deployment/upgrade/windows-upgrade-paths.md b/windows/deployment/upgrade/windows-upgrade-paths.md
new file mode 100644
index 0000000000..c8ea3f2dda
--- /dev/null
+++ b/windows/deployment/upgrade/windows-upgrade-paths.md
@@ -0,0 +1,71 @@
+---
+title: Windows upgrade paths 
+description: Upgrade to current versions of Windows from a previous version of Windows
+ms.prod: windows-client
+ms.localizationpriority: medium
+author: frankroj
+manager: aaroncz
+ms.author: frankroj
+ms.topic: conceptual
+ms.collection:
+  - highpri
+  - tier2
+ms.technology: itpro-deploy
+ms.date: 10/02/2023
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+---
+
+# Windows upgrade paths
+
+## Upgrade paths
+
+This article provides a summary of available upgrade paths to currently supported versions of Windows. You can upgrade to currently supported versions of Windows from previous versions of Windows that are also still supported. Paths include upgrading from one release of Windows to a later release of the same version of Windows. Migrating from one edition of Windows to a different edition of the same release is also supported.
+
+> [!NOTE]
+>
+> If you're also migrating to a different edition of Windows, see [Windows edition upgrade](windows-edition-upgrades.md). The [Windows edition upgrade](windows-edition-upgrades.md) article describes methods and supported paths to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths. However, applications and settings aren't always maintained when the Windows edition is downgraded.
+
+- **Windows version upgrade**: You can directly upgrade any General Availability Channel version of Windows to a newer, supported General Availability Channel version of Windows, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](/lifecycle/faq/windows) for availability and service information.
+
+- **Upgrade from Windows LTSC to Windows General Availability Channel**: Upgrade from Windows LTSC to Windows General Availability Channel is available when upgrading to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise 22H2. Upgrade is supported using the in-place upgrade process using Windows setup. The Product Key switch needs to be used if apps need to be kept. If the switch isn't used, the option **Keep personal files and apps** option is grayed out. The command line to perform the upgrade is:
+  
+  ```cmd
+  setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
+  ```
+
+  where **xxxxx-xxxxx-xxxxx-xxxxx-xxxxx** is the Windows General Availability Channel product key. For example, if using a KMS, the command line for Windows Enterprise would be:
+  
+  ```cmd
+  setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43
+  ```
+
+  For additional product keys for use with KMS, see [Key Management Services (KMS) client activation and product keys:Generic Volume License Keys (GVLK)](/windows-server/get-started/kms-client-activation-keys#generic-volume-license-keys-gvlk).
+
+  > [!IMPORTANT]
+  > In-place upgrade from Windows General Availability Channel to Windows LTSC isn't supported.
+  >
+  >
+  > Windows 10 LTSC 2015 didn't block this in-place upgrade path even though it isn't supported. This issue was corrected in the Windows 10 LTSC 2016 release. Windows 10 LTSC 2016 only allows data-only and clean install options.
+
+- **Windows N/KN**: **Windows N** and **Windows KN** SKUs (editions without media-related functionality) follow the same upgrade paths shown in the following tables. If the pre-upgrade and post-upgrade editions aren't the same type, for example, Windows 10 Pro N to Windows 11 Pro, personal data is kept but applications and settings are removed during the upgrade process.
+
+## Supported Windows upgrade paths
+
+| Windows Edition | **Windows Home** | **Windows Pro** | **Windows Pro Education** | **Windows Education** | **Windows Enterprise** |
+|---|---|---|---|---|---|
+| **Windows Home**  | ❌ | ✅  | ✅  | ✅  | ❌ |
+| **Windows Pro**   | ⬇️ | ❌ | ✅   | ✅  | ✅  |
+| **Windows Education**  | ❌ | ❌ | ❌ | ❌ | ⬇️  |
+| **Windows Enterprise**  | ❌ | ❌ | ❌ | ✅ | ❌ |
+
+- ✅ = Full upgrade is supported including personal data, settings, and applications.
+- ❌ = Upgrade isn't supported or not applicable.
+- ⬇️ = Edition downgrade; personal data is maintained, applications and settings are removed.
+
+## Related articles
+
+- [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+- [Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
+- [Windows edition upgrade](windows-edition-upgrades.md)
\ No newline at end of file
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index b8a8f9f4dc..e32b8c614c 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -248,9 +248,11 @@ You should also note the following items:
 
 Starting in Windows 10, version 1607 the USMT doesn't migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](/troubleshoot/windows-client/deployment/usmt-common-issues#usmt-doesnt-migrate-the-start-layout).
 
-### User profiles from Active Directory to Azure Active Directory
+<a name='user-profiles-from-active-directory-to-azure-active-directory'></a>
 
-USMT doesn't support migrating user profiles from Active Directory to Azure Active Directory.
+### User profiles from Active Directory to Microsoft Entra ID
+
+USMT doesn't support migrating user profiles from Active Directory to Microsoft Entra ID.
 
 ## Related articles
 
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index bfd4b4c563..df89fc602d 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -24,13 +24,13 @@ This document describes how to configure virtual machines (VMs) to enable [Windo
 Deployment instructions are provided for the following scenarios:
 
 1. [Active Directory-joined VMs](#active-directory-joined-vms)
-2. [Azure Active Directory-joined VMs](#azure-active-directory-joined-vms)
+2. [Microsoft Entra joined VMs](#azure-active-directory-joined-vms)
 3. [Azure Gallery VMs](#azure-gallery-vms)
 
 ## Requirements
 
 - VMs must be running a supported version of Windows Pro edition.
-- VMs must be joined to Active Directory or Azure Active Directory (Azure AD).
+- VMs must be joined to Active Directory or Microsoft Entra ID.
 - VMs must be hosted by a Qualified Multitenant Hoster (QMTH). For more information, download the PDF that describes the [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf).
 
 ## Activation
@@ -40,13 +40,13 @@ Deployment instructions are provided for the following scenarios:
 - The VM is running a supported version of Windows.
 - The VM is hosted in Azure, an authorized outsourcer, or another Qualified Multitenant Hoster (QMTH).
 
-    When a user with VDA rights signs in to the VM using their Azure AD credentials, the VM is automatically stepped-up to Enterprise and activated. There's no need to do Windows Pro activation. This functionality eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure.
+    When a user with VDA rights signs in to the VM using their Microsoft Entra credentials, the VM is automatically stepped-up to Enterprise and activated. There's no need to do Windows Pro activation. This functionality eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure.
 
 ### Scenario 2
 
 - The Hyper-V host and the VM are both running a supported version of Windows.
 
-    [Inherited Activation](./windows-10-subscription-activation.md#inherited-activation) is enabled. All VMs created by a user with a Windows E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure AD account.
+    [Inherited Activation](./windows-10-subscription-activation.md#inherited-activation) is enabled. All VMs created by a user with a Windows E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using a Microsoft Entra account.
 
 ### Scenario 3
 
@@ -91,7 +91,7 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl
     6. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details.
 
         > [!NOTE]
-        > This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms).
+        > This step is different for [Microsoft Entra joined VMs](#azure-active-directory-joined-vms).
 
     7. On the Add applications page, add applications if desired. This step is optional.
 
@@ -111,16 +111,18 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl
 
 8. See the instructions at [Upload and create VM from generalized VHD](/azure/virtual-machines/windows/upload-generalized-managed#upload-the-vhd) to sign in to Azure, get your storage account details, upload the VHD, and create a managed image.
 
-## Azure Active Directory-joined VMs
+<a name='azure-active-directory-joined-vms'></a>
+
+## Microsoft Entra joined VMs
 
 > [!IMPORTANT]
-> Azure AD provisioning packages have a 180 day limit on bulk token usage. After 180 days, you'll need to update the provisioning package and re-inject it into the image. Existing virtual machines that are Azure AD-joined and deployed won't need to be recreated.
+> Microsoft Entra provisioning packages have a 180 day limit on bulk token usage. After 180 days, you'll need to update the provisioning package and re-inject it into the image. Existing virtual machines that are Microsoft Entra joined and deployed won't need to be recreated.
 
-For Azure AD-joined VMs, follow the same instructions as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions:
+For Microsoft Entra joined VMs, follow the same instructions as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions:
 
 - During setup with Windows Configuration Designer, under **Name**, enter a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**.
 
-- During setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organization's credentials.
+- During setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Microsoft Entra ID**, select **Get Bulk Token**, sign in, and add the bulk token using your organization's credentials.
 
 - When entering the PackagePath, use the project name you previously entered. For example, **Desktop Bulk Enrollment Token Pro GVLK.ppkg**
 
@@ -154,7 +156,7 @@ For Azure AD-joined VMs, follow the same instructions as for [Active Directory-j
 
 9. On the Set up network page, choose **Off**.
 
-10. On the Account Management page, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials.
+10. On the Account Management page, choose **Enroll in Microsoft Entra ID**, select **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials.
 
 11. On the Add applications page, add applications if desired. This step is optional.
 
@@ -186,7 +188,7 @@ For Azure AD-joined VMs, follow the same instructions as for [Active Directory-j
 
     The values `enablecredsspsupport` and `authentication level` should each appear only once in the file.
 
-6. Save your changes, and then use this custom RDP file with your Azure AD credentials to connect to the Azure VM.
+6. Save your changes, and then use this custom RDP file with your Microsoft Entra credentials to connect to the Azure VM.
 
 ## Related articles
 
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index 3401c97658..b1056c9728 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -8,155 +8,191 @@ author: frankroj
 manager: aaroncz
 ms.author: frankroj
 ms.localizationpriority: medium
-ms.date: 11/07/2022
+ms.date: 10/16/2023
 ms.topic: how-to
 ms.collection:
   - highpri
   - tier2
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
 ---
 
 # Activate using Key Management Service
 
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2012
-- Windows Server 2008 R2
-
 > [!TIP]
-> Are you looking for information on retail activation?
+>
+> For information on retail activation, see the following articles:
 >
 > - [Activate Windows](https://support.microsoft.com/help/12440/)
 > - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
 
-There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host:
+Volume activation can be performed via Key Management Service (KMS). KMS can be hosted either on a client version of Windows or on Windows Server.
 
-- Host KMS on a computer running Windows 10
-- Host KMS on a computer running Windows Server 2012 R2
-- Host KMS on a computer running an earlier version of Windows
+## Key Management Service in a client version of Windows
 
-Check out [Windows 10 Volume Activation Tips](/archive/blogs/askcore/windows-10-volume-activation-tips).
+Installing a KMS host key on a computer running a client version of Windows allows the following scenarios against this KMS host:
 
-## Key Management Service in Windows 10
+- Activation of other computers running the same client version of Windows.
+- Activation of other computers running earlier client versions of Windows.
 
-Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7.
+Clients locate the KMS server by using resource records in DNS, so some configuration of DNS is required. This scenario can be beneficial if the organization uses volume activation for clients and MAK-based activation for a smaller number of servers.
 
-Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers.
-To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft activation services.
+To enable KMS functionality, a KMS key is installed on a KMS host. The host is then activated over the Internet or by phone using Microsoft activation services.
 
-### Configure KMS in Windows 10
+### Configure KMS in a client version of Windows
 
-To activate, use the `slmgr.vbs` command. Open an elevated command prompt and run one of the following commands:
+KMS can be activated on client versions of Windows by using the `slmgr.vbs`. To activate KMS on a client version of Windows, follow these steps:
 
-- To install the KMS key, run the command `slmgr.vbs /ipk <KmsKey>`.
+1. Open an elevated Command Prompt window.
 
-- To activate online, run the command `slmgr.vbs /ato`.
+1. In the elevated Command Prompt window, run the following command to install the KMS key:
 
-- To activate by telephone, follow these steps:
+   ```cmd
+   cscript.exe slmgr.vbs /ipk <KMS_Key>
+   ```
 
-  1. Run `slmgr.vbs /dti` and confirm the installation ID.
+1. Once the KMS key has been installed, it needs to be activated using one of the following methods:
 
-  2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone.
+   - To activate online, in the elevated Command Prompt window, run the following command:
 
-  3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation.
+    ```cmd
+    cscript.exe slmgr.vbs /ato
+    ```
 
-  4. Run `slmgr.vbs /atp \<confirmation ID\>`.
+   - To activate by telephone, follow these steps:
 
-For more information, see the information for Windows 7 in [Deploy KMS Activation](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn502531(v=ws.11)).
+      1. In the elevated Command Prompt window, run the following command:
 
-## Key Management Service in Windows Server 2012 R2
+         ```cmd
+         cscript.exe slmgr.vbs /dti
+         ```
 
-Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
+         This command should display the installation ID.
 
-> [!NOTE]
-> You cannot install a client KMS key into the KMS in Windows Server.
+      1. Call the [Microsoft Volume License Key assisted support telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers). Follow the voice prompts and when prompted, enter the installation ID obtained in the previous step.
 
-This scenario is commonly used in larger organizations that don't find the overhead of using a server a burden.
+      1. Continue following the voice prompts. When prompted, write down the 48-digit confirmation ID for OS activation given by the prompts.
 
-> [!NOTE]
-> If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [Error 0xC004F015 when you activate Windows 10 Enterprise on a Windows Server 2012 R2 KMS host](/troubleshoot/windows-server/deployment/error-0xc004f015-activate-windows-10).
+      1. In the elevated Command Prompt window, run the following command:
 
-### Configure KMS in Windows Server 2012 R2
+         ```cmd
+         cscript.exe slmgr.vbs /atp <confirmation_ID_from_previous_step>
+         ```
 
-1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials.
+## Key Management Service in Windows Server
 
-2. Launch Server Manager.
+Installing a KMS host key on a computer running Windows Server allows you to activate computers running the same or earlier versions of Windows Server. Additionally, it also allows activation of client versions of Windows.
 
-3. Add the Volume Activation Services role, as shown in Figure 4.
+> [!IMPORTANT]
+>
+> You can't install a client KMS key into the KMS in Windows Server.
 
-   ![Adding the Volume Activation Services role in Server Manager.](../images/volumeactivationforwindows81-04.jpg)
+### Configure KMS in Windows Server
 
-   **Figure 4**. Adding the Volume Activation Services role in Server Manager
+1. Sign in to a Windows Server server with an account that has local administrative credentials.
 
-4. When the role installation is complete, select the link to launch the Volume Activation Tools (Figure 5).
+1. Open **Server Manager**.
 
-   ![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-05.jpg)
+1. Under the **Manage** menu in **Server Manager**, select **Add Roles and Features**. The **Add Roles and Features Wizard** window opens.
 
-   **Figure 5**. Launching the Volume Activation Tools
+1. In the **Add Roles and Features Wizard**:
 
-5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6). This computer can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10.
+   1. In the **Before you begin** page, select the **Next >** button.
 
-   ![Configuring the computer as a KMS host.](../images/volumeactivationforwindows81-06.jpg)
+   1. In the **Select installation type**/**Installation Type** page, select **Role-based or feature-based installation**, and then select the **Next >** button.
 
-   **Figure 6**. Configuring the computer as a KMS host
+   1. In the **Select destination server**/**Server Selection** page, make sure **Select a server from the server pool** is selected. Under **Server Pool**, select the server on which to install KMS, and then select the **Next >** button.
 
-6. Install your KMS host key by typing it in the text box, and then select **Commit** (Figure 7).
+   1. In the **Select server roles**/**Server Roles** page, under **Roles**, select **Volume Activation Services**, and then select the **Next >** button.
 
-   ![Installing your KMS host key.](../images/volumeactivationforwindows81-07.jpg)
+   1. In the **Add features that are required for Volume Activation Services?** window that appears, select the **Add Features** button, and then select the **Next >** button.
 
-   **Figure 7**. Installing your KMS host key
+   1. In the **Select features**/**Features** page, select the **Next >** button.
 
-7. If asked to confirm replacement of an existing key, select **Yes**.
-8. After the product key is installed, you must activate it. Select **Next** (Figure 8).
+   1. In the **Volume Activation Services** page, select the **Next >** button.
 
-   ![Activating the software.](../images/volumeactivationforwindows81-08.jpg)
+   1. In the **Confirm installation selections**/**Confirmation** page, select the **Install** button.
 
-   **Figure 8**. Activating the software
+   1. Installation can take a few minutes to complete. Once the role installation completes, select the **Close** button.
 
-   The KMS key can be activated online or by phone. See Figure 9.
+1. Go to the **Start Menu** > **Windows Administrative Tools** and select **Volume Activation Tools**. The **Volume Activation Tools** window appears.
 
-   ![Choosing to activate online.](../images/volumeactivationforwindows81-09.jpg)
+1. In the **Volume Activation Tools** window:
 
-   **Figure 9**. Choosing to activate online
+   1. In the **Introduction to Volume Activation Tools**/**Introduction** page, select the **Next >** button.
 
-Now that the KMS host is configured, it will begin to listen for activation requests. However, it will not activate clients successfully until the activation threshold is met.
+   1. In the **Select Volume Activation Method**/**Activation Type** page, select the **Key Management Service (KMS)** option, and specify the computer that acts as the KMS host. This computer can be the server on which the KMS role was installed, or another server/client computer. After the server/computer has been specified, select the **Next >** button.
+
+   1. In the **Manage KMS Host**/**Product Key Management** page, enter in the KMS host key in the text box under **Install your KMS host key**, and then select the **Commit** button.
+
+   1. If asked to confirm replacement of an existing key, select **Yes**.
+
+   1. After the product key is installed, in the **Product Key Installation Succeeded**/**Product Key Management** page, make sure **Activate Product** is selected, and then select **Next >** button to begin the activation process.
+
+   1. In the **Activate Product**/**Product Key Management** page, make sure the current product is shown under the **Select product** menu, and then select the desired activation method. The available methods are:
+
+      - **Active online** - If selecting this option, select the **Commit** button to finish activating the product online.
+
+      - **Active by phone** - If selecting this option:
+
+         1. Select the desired location from the **Select your location** drop-down menu, and then select the **Next >** button.
+
+         1. In the **Activate by Phone**/**Product Key Management** page, follow the instructions to activate the product by phone.
+
+         1. Once finished, select the **Commit** button.
+
+   1. In the **Activation Succeeded**/**Product Key Management** page, review the configuration options:
+
+      - If the configuration options are as expected, select the **Close** button.
+
+      - If configuration changes are desired:
+
+         1. Select the **Next >** button.
+
+         1. In the **Configure Key Management Service Options/Product Key Management** page, make the desired configuration changes, and then select the **Commit** button.
+
+         1. In the **Configuration Succeeded**/**Configuration** page, select the **Close** button.
+
+Once the KMS host is configured, it begins to listen for activation requests. However, it doesn't activate clients successfully until the activation threshold is met.
 
 ## Verifying the configuration of Key Management Service
 
-KMS volume activation can be verified from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message.
+KMS volume activation can be verified from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests are processed. The verification process described here increments the activation count each time a client computer contacts the KMS host. If the activation threshold hasn't been reached, the verification generates an error message instead of a confirmation message.
 
 > [!NOTE]
-> If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2.
+>
+> If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that doesn't first try to activate itself by using Active Directory-based activation. For example, a client computer that is a workgroup computer that isn't joined to a domain.
 
 To verify that KMS volume activation works, complete the following steps:
 
 1. On the KMS host, open the event log and confirm that DNS publishing is successful.
 
-2. On a client computer, open a Command Prompt window and run the command `Slmgr.vbs /ato`.
+2. On a client computer, open an elevated Command Prompt window and run the command:
+
+   ```cmd
+   cscript.exe slmgr.vbs /ato
+   ```
 
    The `/ato` command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
 
-3. On a client computer or the KMS host, open an elevated Command Prompt window and run the command `Slmgr.vbs /dlv`.
+3. On a client computer or the KMS host, open an elevated Command Prompt window and run the command
+
+   ```cmd
+   cscript.exe slmgr.vbs /dlv
+   ```
 
    The `/dlv` command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This test confirms that KMS is functioning correctly, even though the client hasn't been activated.
 
-For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](/windows-server/get-started/activation-slmgr-vbs-options).
+For more information about the use and syntax of the script `slmgr.vbs`, see [Slmgr.vbs Options](/windows-server/get-started/activation-slmgr-vbs-options).
 
-## Key Management Service in earlier versions of Windows
-
-If you've already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps:
-
-1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
-2. Request a new KMS host key from the Volume Licensing Service Center.
-3. Install the new KMS host key on your KMS host.
-4. Activate the new KMS host key by running the slmgr.vbs script.
-
-For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590).
+> [!IMPORTANT]
+>
+> Clients require RPC over TCP/IP connectivity to the KMS host to successfully activate. For more information, see [Key Management Services (KMS) activation planning: Network requirements](/windows-server/get-started/kms-activation-planning#network-requirements) and [Remote Procedure Call (RPC) errors troubleshooting guidance](/troubleshoot/windows-client/networking/rpc-errors-troubleshooting).
 
 ## Related articles
 
-- [Volume Activation for Windows 10](volume-activation-windows-10.md)
+- [Key Management Services (KMS) activation planning](/windows-server/get-started/kms-activation-planning).
diff --git a/windows/deployment/volume-activation/images/sql-instance.png b/windows/deployment/volume-activation/images/sql-instance.png
deleted file mode 100644
index 379935e01c..0000000000
Binary files a/windows/deployment/volume-activation/images/sql-instance.png and /dev/null differ
diff --git a/windows/deployment/volume-activation/images/vamt-db.png b/windows/deployment/volume-activation/images/vamt-db.png
deleted file mode 100644
index 6c353fe835..0000000000
Binary files a/windows/deployment/volume-activation/images/vamt-db.png and /dev/null differ
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index c204b95d16..455f978c0a 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -1,85 +1,116 @@
 ---
-title: Install VAMT (Windows 10)
-description: Learn how to install Volume Activation Management Tool (VAMT) as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
+title: Install VAMT
+description: Learn how to install Volume Activation Management Tool (VAMT) as part of the Windows Assessment and Deployment Kit (ADK) for Windows.
 ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
 author: frankroj
 ms.localizationpriority: medium
-ms.date: 11/07/2022
+ms.date: 10/13/2023
 ms.topic: article
 ms.technology: itpro-fundamentals
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
 ---
 
 # Install VAMT
 
-This article describes how to install the Volume Activation Management Tool (VAMT).
-
-## Installing VAMT
-
-You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
+This article describes how to install the Volume Activation Management Tool (VAMT). VAMT is installed as part of the Windows Assessment and Deployment Kit (ADK) for Windows.
 
 >[!IMPORTANT]
->VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products' license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For best results when using Active Directory-based activation, we recommend running VAMT while logged on as a domain administrator.
+>
+> VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products' license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you don't have administrator privileges, start VAMT with elevated privileges. For best results when using Active Directory-based activation, we recommend running VAMT while logged on as a domain administrator.
 
 >[!NOTE]
->The VAMT Microsoft Management Console snap-in ships as an x86 package.
+>
+> The VAMT Microsoft Management Console snap-in ships as an x86 package.
 
-### Requirements
+## Requirements
 
-- [Windows Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied
+- [Windows Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied.
 
-- Latest version of the [Windows 10 ADK](/windows-hardware/get-started/adk-install)
+- Latest version of the [Windows ADK](/windows-hardware/get-started/adk-install).
 
-- Any supported [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) version, the latest is recommended
+- Any supported [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-downloads) version. The latest is recommended.
 
-- Alternatively, any supported **full** SQL instance
+- Alternatively, any supported **full** SQL instance.
 
-### Install SQL Server Express / alternatively use any full SQL instance
+## Install SQL Server Express / alternatively use any full SQL instance
 
-1. Download and open the [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package.
+1. Download and open the [SQL Server Express](https://aka.ms/sqlexpress) package.
 
-2. Select **Basic**.
+1. For **Select an installation type:**, select **Basic**.
 
-3. Accept the license terms.
+1. In the **Microsoft SQL Server Server License Terms** screen, accept the license terms by selecting the **Accept** button.
 
-4. Enter an install location or use the default path, and then select **Install**.
+1. In the **Specify SQL Server install location** screen under **INSTALL LOCATION \*:**, specify an install location or use the default path, and then select the **Install** button.
 
-5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**.
+1. Once the installation is complete, in the **Installation Has completed successfully!** page, under **INSTANCE NAME**, note the instance name for the installation. The instance name will be used later in the [Configure VAMT to connect to SQL Server Express or full SQL Server](#configure-vamt-to-connect-to-sql-server-express-or-full-sql-server) section.
 
-    ![In this example, the instance name is SQLEXPRESS01.](images/sql-instance.png)
+1. Once the instance name has been noted, select the **Close** button, and then select the **Yes** button to confirm exiting the installer.
 
-### Install VAMT using the ADK
+## Install VAMT using the ADK
 
-1. Download the latest version of [Windows 10 ADK](/windows-hardware/get-started/adk-install).
+1. Download the latest version of [Windows ADK](/windows-hardware/get-started/adk-install).
 
-   If an older version is already installed, it's recommended to uninstall the older ADK and install the latest version. Existing VAMT data is maintained in the VAMT database.
+   If an older version is already installed, it's recommended to first uninstall the older ADK before installing the latest version. Existing VAMT data is maintained in the VAMT database.
 
-2. Enter an install location or use the default path, and then select **Next**.
+1. Open the ADK installer that was downloaded in the previous step. The **Windows Assessment and Deployment Kit** window opens.
 
-3. Select a privacy setting, and then select **Next**.
+1. In the **Windows Assessment and Deployment Kit** window:
 
-4. Accept the license terms.
+   1. At the **Specify Location** page, under **Install Path:**, enter an install location or use the default path. It's recommended to install at the default path. Once done, select the **Next** button.
 
-5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. If desired, you can select additional features to install as well.
+   1. In the **Windows Kits Privacy** page, select a privacy setting, and then select the **Next** button.
 
-6. On the completion page, select **Close**.
+   1. In the **License Agreement** page, accept the license terms by selecting the **Accept** button.
 
-### Configure VAMT to connect to SQL Server Express or full SQL Server
+   1. In the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**. If desired, select any additional features to install. Once done, select the **Install** button.
 
-1. Open **Volume Active Management Tool 3.1** from the Start menu.
+   1. Once installation is complete, the **Welcome to the Windows Assessment and Deployment Kit!** page is displayed. Select the **Close** button.
 
-2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL.
+## Configure VAMT to connect to SQL Server Express or full SQL Server
 
-   ![Server name is .\SQLEXPRESS and database name is VAMT.](images/vamt-db.png)
+1. In the Start Menu under **Windows Kits**, select **Volume Active Management Tool 3.1**. The **Database Connection Settings** window opens.
 
-   For remote SQL Server, use `servername.yourdomain.com`.
+1. In the **Database Connection Settings** window:
+
+   1. Next to **Server:**, enter the server instance name as determined in the [Install SQL Server Express / alternatively use any full SQL instance](#install-sql-server-express--alternatively-use-any-full-sql-instance) section. If SQL is remote, make sure to use the FQDN.
+
+   1. Next to **Database:**, add a name for the database.
+
+   1. Once the database server and database names have been entered, select the **Connect** button.
+
+   1. Select the **Yes** button to create the database.
 
 ## Uninstall VAMT
 
-To uninstall VAMT using the **Programs and Features** Control Panel:
+To uninstall VAMT:
 
-1. Open **Control Panel** and select **Programs and Features**.
+1. Right-click on the Start Menu and select **Settings**.
 
-2. Select **Assessment and Deployment Kit** from the list of installed programs and select **Change**. Follow the instructions in the Windows ADK installer to remove VAMT.
+1. Select **Apps** in the left hand pane.
+
+1. In the right hand pane under **Apps**, select **Installed apps**.
+
+   Alternatively, select the following link to automatically open the **Settings** app to the **Installed apps** page:
+
+   > [!div class="nextstepaction"]
+   > [Installed apps](ms-settings:appsfeatures)
+
+1. Scroll through the list of installed apps and find **Windows Assessment and Deployment Kit**.
+
+1. Select the three dots **...** next to **Windows Assessment and Deployment Kit** and then select **Modify**. The **Windows Assessment and Deployment Kit** window opens.
+
+1. In the **Windows Assessment and Deployment Kit** window:
+
+   1. In the **Maintain your Windows Assessment and Deployment Kit features** page, select **Change**, and then select the **Next** button.
+
+   1. In the **Select the features you want to change** page, uncheck **Volume Activation Management Tool (VAMT)**, and then select the **Change** button.
+
+   1. Once the uninstall is complete, the **Change is complete.** page is displayed. Select the **Close** button.
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 18e44ca25b..c216cfa830 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -44,7 +44,7 @@ The following tables summarize various Windows 10 deployment scenarios. The scen
 |Scenario|Description|More information|
 |--- |--- |--- |
 |[Subscription Activation](#windows-10-subscription-activation)|Switch from Windows 10 Pro to Enterprise when a subscribed user signs in.|[Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)|
-|[Azure Active Directory / MDM](#dynamic-provisioning)|The device is automatically joined to Azure Active Directory and configured by MDM.|[Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm)|
+|[Microsoft Entra ID / MDM](#dynamic-provisioning)|The device is automatically joined to Microsoft Entra ID and configured by MDM.|[Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm)|
 |[Provisioning packages](#dynamic-provisioning)|Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.|[Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)|
 
 ### Traditional
@@ -110,9 +110,11 @@ The goal of dynamic provisioning is to take a new PC out of the box, turn it on,
 
 Windows 10 Subscription Activation is a dynamic deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation).
 
-### Azure Active Directory (Azure AD) join with automatic mobile device management (MDM) enrollment
+<a name='azure-active-directory-azure-ad-join-with-automatic-mobile-device-management-mdm-enrollment'></a>
 
-In this scenario, the organization member just needs to provide their work or school user ID and password. The device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no other user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
+### Microsoft Entra join with automatic mobile device management (MDM) enrollment
+
+In this scenario, the organization member just needs to provide their work or school user ID and password. The device can then be automatically joined to Microsoft Entra ID and enrolled in a mobile device management (MDM) solution with no other user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
 
 ### Provisioning package configuration
 
diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md
index 241c5344cc..93cf409b93 100644
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@@ -23,9 +23,9 @@ Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel o
 Windows 10/11 Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following prerequisites:
 
 - Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded.
-- Azure Active Directory (Azure AD) available for identity management
+- Microsoft Entra available for identity management
 
-You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before with no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro.
+You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before with no keys and no reboots. After one of your users enters the Microsoft Entra credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro.
 
 Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise or Windows 11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Enterprise edition features.
 
@@ -183,6 +183,6 @@ The Managed User Experience feature is a set of Windows 10 Enterprise edition fe
 ## Related articles
 
 [Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md)<br>
-[Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)<br>
+[Connect domain-joined devices to Microsoft Entra ID for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)<br>
 [Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)<br>
 [Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)<br>
diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md
deleted file mode 100644
index c57dd5bce0..0000000000
--- a/windows/deployment/windows-10-media.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Windows 10 volume license media
-description: Learn about volume license media in Windows 10, and channels such as the Volume License Service Center (VLSC).
-ms.prod: windows-client
-ms.localizationpriority: medium
-ms.date: 11/23/2022
-manager: aaroncz
-ms.author: frankroj
-author: frankroj
-ms.topic: article
-ms.technology: itpro-deploy
----
-
-# Windows 10 volume license media
-
-*Applies to:*
-
-- Windows 10
-
-With each release of Windows 10, volume license media is made available on the [Volume Licensing Service Center](https://www.microsoft.com/vlsc) (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. This article provides a description of volume license media, and describes some of the changes that have been implemented with the current release of Windows 10.
-
-## Windows 10 media
-
-To download Windows 10 installation media from the VLSC, use the product search filter to find "Windows 10."  A list of products will be displayed. The page then allows you to use your search results to download products, view keys, and view product and key descriptions.
-
-When you select a product, for example "Windows 10 Enterprise" or "Windows 10 Education", you can then choose the specific release by clicking **Download** and choosing the **Download Method**, **Language**, and **Operating system Type** (bitness).
-
-> [!NOTE]
-> If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx).
-
-Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together.
-
-### Language packs
-
-- **Windows 10 1607 and later**: you must select **Multilanguage** from the drop-down list of languages.
-
-### Features on demand
-
-[Features on demand](/archive/blogs/mniehaus/adding-features-including-net-3-5-to-windows-10) can be downloaded by searching for "**Windows 10 Enterprise Features on Demand**" and then following the same download process that is described above.
-
-Features on demand is a method for adding features to your Windows 10 image that aren't included in the base operating system image.
-
-## Related articles
-
-[Microsoft Volume Licensing Service Center (VLSC) User Guide](https://www.microsoft.com/download/details.aspx?id=10585)
-<br>[Volume Activation for Windows 10](./volume-activation/volume-activation-windows-10.md)
-<br>[Plan for volume activation](./volume-activation/plan-for-volume-activation-client.md)
-<br>[VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150)
-<br>[Download and burn an ISO file on the volume licensing site (VLSC)](/troubleshoot/windows-client/deployment/iso-file-on-vlsc)
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 59914650f4..6b8718bf68 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -48,7 +48,7 @@ Windows Enterprise E3 and E5 are available as online services via subscription.
 - Devices with a current Windows Pro edition license can be seamlessly upgraded to Windows Enterprise.
 - Product key-based Windows Enterprise software licenses can be transitioned to Windows Enterprise subscriptions.
 
-Organizations that have an enterprise agreement can also benefit from the service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure Active Directory (Azure AD) using [Azure AD Connect Sync](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
+Organizations that have an enterprise agreement can also benefit from the service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Microsoft Entra ID using [Microsoft Entra Connect Sync](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
 
 > [!NOTE]
 > Subscription activation is available for qualifying devices running Windows 10 or Windows 11. You can't use subscription activation to upgrade from Windows 10 to Windows 11.
@@ -59,7 +59,7 @@ Subscription activation for Education works the same as the Enterprise edition,
 
 ## Inherited activation
 
-Inherited activation allows Windows virtual machines to inherit activation state from their Windows client host. When a user with a Windows E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10 or Windows 11 host, the VM inherits the activation state from a host machine. This behavior is independent of whether the user signs on with a local account or uses an Azure AD account on a VM.
+Inherited activation allows Windows virtual machines to inherit activation state from their Windows client host. When a user with a Windows E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10 or Windows 11 host, the VM inherits the activation state from a host machine. This behavior is independent of whether the user signs on with a local account or uses a Microsoft Entra account on a VM.
 
 To support inherited activation, both the host computer and the VM must be running a supported version of Windows 10 or Windows 11. The hypervisor platform must also be Windows Hyper-V.
 
@@ -80,7 +80,7 @@ The following list illustrates how deploying Windows client has evolved with eac
 
 - **Windows 10, version 1703** made this "step-up" from Windows 10 Pro to Windows 10 Enterprise automatic for devices that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
 
-- **Windows 10, version 1709** added support for Windows 10 subscription activation, similar to the CSP support but for large enterprises. This feature enabled the use of Azure AD for assigning licenses to users. When users sign in to a device that's joined to Active Directory or Azure AD, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
+- **Windows 10, version 1709** added support for Windows 10 subscription activation, similar to the CSP support but for large enterprises. This feature enabled the use of Microsoft Entra ID for assigning licenses to users. When users sign in to a device that's joined to Active Directory or Microsoft Entra ID, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
 
 - **Windows 10, version 1803** updated Windows 10 subscription activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It was no longer necessary to run a script to activate Windows 10 Pro before activating Enterprise. For virtual machines and hosts running Windows 10, version 1803, [inherited activation](#inherited-activation) was also enabled.
 
@@ -96,7 +96,7 @@ The following list illustrates how deploying Windows client has evolved with eac
 ### Windows Enterprise requirements
 
 > [!NOTE]
-> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems).
+> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Microsoft Entra joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems).
 
 > [!IMPORTANT]
 > As of October 1, 2022, subscription activation is available for *commercial* and *GCC* tenants. It's currently not available on GCC High or DoD tenants.<!-- 6783128 --> For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
@@ -104,8 +104,8 @@ The following list illustrates how deploying Windows client has evolved with eac
 For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements:
 
 - A supported version of Windows Pro or Enterprise edition installed on the devices to be upgraded.
-- Azure AD available for identity management.
-- Devices must be Azure AD-joined or hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported.
+- Microsoft Entra available for identity management.
+- Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-joined or Microsoft Entra registered devices aren't supported.
 
 For Microsoft customers that don't have EA or MPSA, you can get Windows Enterprise E3/E5 or A3/A5 licenses through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses. For more information about getting Windows Enterprise E3 through your CSP, see [Windows Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
 
@@ -114,7 +114,7 @@ For Microsoft customers that don't have EA or MPSA, you can get Windows Enterpri
 - A supported version of Windows Pro Education installed on the devices to be upgraded.
 - A device with a Windows Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**.
 - The Education tenant must have an active subscription to Microsoft 365 with a Windows Enterprise license, or a Windows Enterprise or Education subscription.
-- Devices must be Azure AD-joined or hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported.
+- Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-joined or Microsoft Entra registered devices aren't supported.
 
 > [!IMPORTANT]
 > If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
@@ -130,7 +130,7 @@ To compare Windows 10 editions and review pricing, see the following sites:
 
 You can benefit by moving to Windows as an online service in the following ways:
 
-- Licenses for Windows Enterprise and Education are checked based on Azure AD credentials. You have a systematic way to assign licenses to end users and groups in your organization.
+- Licenses for Windows Enterprise and Education are checked based on Microsoft Entra credentials. You have a systematic way to assign licenses to end users and groups in your organization.
 
 - User sign-in triggers a silent edition upgrade, with no reboot required.
 
@@ -145,13 +145,13 @@ You can benefit by moving to Windows as an online service in the following ways:
 > [!NOTE]
 > The following examples use Windows 10 Pro to Enterprise edition. The examples also apply to Windows 11, and Education editions.
 
-The device is Azure AD-joined from **Settings** > **Accounts** > **Access work or school**.
+The device is Microsoft Entra joined from **Settings** > **Accounts** > **Access work or school**.
 
 You assign Windows 10 Enterprise to a user:
 
 ![A screenshot of assigning a Windows 10 Enterprise license in the Microsoft 365 admin center.](images/ent.png)
 
-When a licensed user signs in to a device that meets requirements using their Azure AD credentials, Windows steps up from Pro edition to Enterprise. Then all of the Enterprise features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro edition, once the current subscription validity expires.
+When a licensed user signs in to a device that meets requirements using their Microsoft Entra credentials, Windows steps up from Pro edition to Enterprise. Then all of the Enterprise features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro edition, once the current subscription validity expires.
 
 > [!NOTE]
 > Devices running a supported version of Windows 10 Pro Education can get Windows 10 Enterprise or Education general availability channel on up to five devices for each user covered by the license. This benefit doesn't include the long term servicing channel.
@@ -176,7 +176,7 @@ All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise. When a
 
 #### Scenario #2
 
-You're using Azure AD-joined devices or Active Directory-joined devices running a supported version of Windows 10. You configured Azure AD synchronization. You follow the steps in [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md) to get a $0 SKU, and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. You then assign that license to all of your Azure AD users, which can be Active Directory-synced accounts. When that user signs in, the device will automatically change from Windows 10 Pro to Windows 10 Enterprise.
+You're using Microsoft Entra joined devices or Active Directory-joined devices running a supported version of Windows 10. You configured Microsoft Entra synchronization. You follow the steps in [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md) to get a $0 SKU, and get a new Windows 10 Enterprise E3 or E5 license in Microsoft Entra ID. You then assign that license to all of your Microsoft Entra users, which can be Active Directory-synced accounts. When that user signs in, the device will automatically change from Windows 10 Pro to Windows 10 Enterprise.
 
 #### Earlier versions of Windows
 
@@ -196,7 +196,7 @@ The following policies apply to acquisition and renewal of licenses on devices:
 
 Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
 
-When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal).
+When you have the required Microsoft Entra subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal).
 
 ### Existing Enterprise deployments
 
@@ -213,13 +213,15 @@ If the computer has never been activated with a Pro key, use the following scrip
 $(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;changepk.exe /Productkey $_ } else { Write-Host "No key present" } }
 ```
 
-### Obtaining an Azure AD license
+<a name='obtaining-an-azure-ad-license'></a>
+
+### Obtaining a Microsoft Entra ID license
 
 If your organization has an Enterprise Agreement (EA) or Software Assurance (SA):
 
-- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD. Ideally, you assign the licenses to groups using the Azure AD Premium feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
+- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Microsoft Entra ID. Ideally, you assign the licenses to groups using the Microsoft Entra ID P1 or P2 feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
 
-- The license administrator can assign seats to Azure AD users with the same process that's used for Microsoft 365 Apps.
+- The license administrator can assign seats to Microsoft Entra users with the same process that's used for Microsoft 365 Apps.
 
 - New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
 
@@ -239,11 +241,11 @@ For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise
 
 Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another [qualified multitenant hoster (QMTH)](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf).
 
-Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
+Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
 
 ## Related sites
 
-Connect domain-joined devices to Azure AD for Windows experiences. For more information, see [Plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
+Connect domain-joined devices to Microsoft Entra ID for Windows experiences. For more information, see [Plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
 
 [Compare Windows editions](https://www.microsoft.com/windows/business/compare-windows-11)
 
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
index 7bb3547dba..f9ce34d2ae 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
@@ -26,12 +26,12 @@ The overall device registration process is as follows:
 :::image type="content" source="../media/windows-autopatch-device-registration-overview.png" alt-text="Overview of the device registration process" lightbox="../media/windows-autopatch-device-registration-overview.png":::
 
 1. IT admin reviews [Windows Autopatch device registration prerequisites](windows-autopatch-register-devices.md#prerequisites-for-device-registration) prior to register devices with Windows Autopatch.
-2. IT admin identifies devices to be managed by Windows Autopatch through either adding device-based Azure AD groups as part of the [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md) or the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md).
+2. IT admin identifies devices to be managed by Windows Autopatch through either adding device-based Microsoft Entra groups as part of the [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md) or the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md).
 3. Windows Autopatch then:
     1. Performs device readiness prior registration (prerequisite checks).
     2. Calculates the deployment ring distribution.
     3. Assigns devices to one of the deployment rings based on the previous calculation.
-    4. Assigns devices to other Azure AD groups required for management.
+    4. Assigns devices to other Microsoft Entra groups required for management.
     5. Marks devices as active for management so it can apply its update deployment policies.
 4. IT admin then monitors the device registration trends and the update deployment reports.
 
@@ -46,13 +46,13 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto
 | Step | Description |
 | ----- | ----- |
 | **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. |
-| **Step 2: Add devices** | IT admin adds devices through Direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group when using adding existing device-based Azure AD groups while [creating](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group)/[editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) Custom Autopatch groups, or [editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) the Default Autopatch group</li></ul> |
-| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group or from Azure AD groups used with Autopatch groups in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Azure AD when registering devices into its service.<ol><li>Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:</li><ol><li>**AzureADDeviceID**</li><li>**OperatingSystem**</li><li>**DisplayName (Device name)**</li><li>**AccountEnabled**</li><li>**RegistrationDateTime**</li><li>**ApproximateLastSignInDateTime**</li></ol><li>In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.</li></ol> |
-| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:<ol><li>**Serial number, model, and manufacturer.**</li><ol><li>Checks if the serial number already exists in the Windows Autopatch’s managed device database.</li></ol><li>**If the device is Intune-managed or not.**</li><ol><li>Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.</li><ol><li>If **yes**, it means this device is enrolled into Intune.</li><li>If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.</li></ol><li>**If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.</li><ol><li>Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.</li><li>A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).</li></ol><li>**If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.</li></ol><li>**If the device is a Windows device or not.**</li><ol><li>Windows Autopatch looks to see if the device is a Windows and corporate-owned device.</li><ol><li>**If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.</li><li>**If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.</li></ol></ol><li>**Windows Autopatch checks the Windows SKU family**. The SKU must be either:</li><ol><li>**Enterprise**</li><li>**Pro**</li><li>**Pro Workstation**</li></ol><li>**If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:</li><ol><li>**Only managed by Intune.**</li><ol><li>If the device is only managed by Intune, the device is marked as Passed all prerequisites.</li></ol><li>**Co-managed by both Configuration Manager and Intune.**</li><ol><li>If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:</li><ol><li>**Windows Updates Policies**</li><li>**Device Configuration**</li><li>**Office Click to Run**</li></ol><li>If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.</li></ol></ol></ol>|
+| **Step 2: Add devices** | IT admin adds devices through Direct membership or nests other Microsoft Entra ID assigned or dynamic groups into the **Windows Autopatch Device Registration** Microsoft Entra ID assigned group when using adding existing device-based Microsoft Entra groups while [creating](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group)/[editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) Custom Autopatch groups, or [editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) the Default Autopatch group</li></ul> |
+| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin into the **Windows Autopatch Device Registration** Microsoft Entra ID assigned group or from Microsoft Entra groups used with Autopatch groups in **step #2**. The Microsoft Entra device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Microsoft Entra ID when registering devices into its service.<ol><li>Once devices are discovered from the Microsoft Entra group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Microsoft Entra ID in this step:</li><ol><li>**AzureADDeviceID**</li><li>**OperatingSystem**</li><li>**DisplayName (Device name)**</li><li>**AccountEnabled**</li><li>**RegistrationDateTime**</li><li>**ApproximateLastSignInDateTime**</li></ol><li>In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.</li></ol> |
+| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:<ol><li>**Serial number, model, and manufacturer.**</li><ol><li>Checks if the serial number already exists in the Windows Autopatch’s managed device database.</li></ol><li>**If the device is Intune-managed or not.**</li><ol><li>Windows Autopatch looks to see **if the Microsoft Entra device ID has an Intune device ID associated with it**.</li><ol><li>If **yes**, it means this device is enrolled into Intune.</li><li>If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.</li></ol><li>**If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Microsoft Entra device attributes gathered and saved to its memory in **step 3a**.</li><ol><li>Once it has the device attributes gathered from Microsoft Entra ID in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.</li><li>A common reason is when the Microsoft Entra device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Microsoft Entra device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).</li></ol><li>**If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.</li></ol><li>**If the device is a Windows device or not.**</li><ol><li>Windows Autopatch looks to see if the device is a Windows and corporate-owned device.</li><ol><li>**If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.</li><li>**If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.</li></ol></ol><li>**Windows Autopatch checks the Windows SKU family**. The SKU must be either:</li><ol><li>**Enterprise**</li><li>**Pro**</li><li>**Pro Workstation**</li></ol><li>**If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:</li><ol><li>**Only managed by Intune.**</li><ol><li>If the device is only managed by Intune, the device is marked as Passed all prerequisites.</li></ol><li>**Co-managed by both Configuration Manager and Intune.**</li><ol><li>If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:</li><ol><li>**Windows Updates Policies**</li><li>**Device Configuration**</li><li>**Office Click to Run**</li></ol><li>If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.</li></ol></ol></ol>|
 | **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:<ol><li>If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.</li><li>If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.</li></ol> |
-| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to two deployment ring sets, the first one being the service-based deployment ring set represented by the following Azure AD groups:<ol><li>**Modern Workplace Devices-Windows Autopatch-First**</li><ol><li>The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (**Modern Workplace Devices-Windows Autopatch-Test**). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ol><li>**Modern Workplace Devices-Windows Autopatch-Fast**</li><li>**Modern Workplace Devices-Windows Autopatch-Broad**</li>Then the second deployment ring set, the software updates-based deployment ring set represented by the following Azure AD groups:<ul><li>**Windows Autopatch - Ring1**<ul><li>The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD groups (**Windows Autopatch - Test**). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ul><li>**Windows Autopatch - Ring2**</li>**Windows Autopatch - Ring3**</li></li></ol> |
-| **Step 7: Assign devices to an Azure AD group** | Windows Autopatch also assigns devices to the following Azure AD groups when certain conditions apply:<ol><li>**Modern Workplace Devices - All**</li><ol><li>This group has all devices managed by Windows Autopatch.</li></ol><li>**Modern Workplace Devices - Virtual Machine**</li><ol><li>This group has all **virtual devices** managed by Windows Autopatch.</li></ol> |
-| **Step 8: Post-device registration** | In post-device registration, three actions occur:<ol><li>Windows Autopatch adds devices to its managed database.</li><li>Flags devices as **Active** in the **Registered** tab.</li><li>The Azure AD device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.</li><ol><li>The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.</li></ol> |
+| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to two deployment ring sets, the first one being the service-based deployment ring set represented by the following Microsoft Entra groups:<ol><li>**Modern Workplace Devices-Windows Autopatch-First**</li><ol><li>The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Microsoft Entra group (**Modern Workplace Devices-Windows Autopatch-Test**). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ol><li>**Modern Workplace Devices-Windows Autopatch-Fast**</li><li>**Modern Workplace Devices-Windows Autopatch-Broad**</li>Then the second deployment ring set, the software updates-based deployment ring set represented by the following Microsoft Entra groups:<ul><li>**Windows Autopatch - Ring1**<ul><li>The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Microsoft Entra groups (**Windows Autopatch - Test**). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ul><li>**Windows Autopatch - Ring2**</li>**Windows Autopatch - Ring3**</li></li></ol> |
+| **Step 7: Assign devices to a Microsoft Entra group** | Windows Autopatch also assigns devices to the following Microsoft Entra groups when certain conditions apply:<ol><li>**Modern Workplace Devices - All**</li><ol><li>This group has all devices managed by Windows Autopatch.</li></ol><li>**Modern Workplace Devices - Virtual Machine**</li><ol><li>This group has all **virtual devices** managed by Windows Autopatch.</li></ol> |
+| **Step 8: Post-device registration** | In post-device registration, three actions occur:<ol><li>Windows Autopatch adds devices to its managed database.</li><li>Flags devices as **Active** in the **Registered** tab.</li><li>The Microsoft Entra device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.</li><ol><li>The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.</li></ol> |
 | **Step 9: Review device registration status** | IT admins review the device registration status in both the **Registered** and **Not registered** tabs.<ol><li>If the device was **successfully registered**, the device shows up in the **Registered** tab.</li><li>If **not**, the device shows up in the **Not registered** tab.</li></ol> |
 | **Step 10: End of registration workflow** | This is the end of the Windows Autopatch device registration workflow. |
 
@@ -69,7 +69,7 @@ During the tenant enrollment process, Windows Autopatch creates two different
 - [Service-based deployment ring set](../deploy/windows-autopatch-groups-overview.md#service-based-deployment-rings)
 - [Software update-based deployment ring set](../deploy/windows-autopatch-groups-overview.md#software-based-deployment-rings)  
 
-The following four Azure AD assigned groups are used to organize devices for the service-based deployment ring set:
+The following four Microsoft Entra ID assigned groups are used to organize devices for the service-based deployment ring set:
 
 | Service-based deployment ring | Description |
 | ----- | ----- |
@@ -78,7 +78,7 @@ The following four Azure AD assigned groups are used to organize devices for the
 | Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption |
 | Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization |
 
-The five Azure AD assigned groups that are used to organize devices for the software update-based deployment ring set within the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition):
+The five Microsoft Entra ID assigned groups that are used to organize devices for the software update-based deployment ring set within the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition):
 
 | Software updates-based deployment ring | Description |
 | ----- | ----- |
@@ -158,7 +158,7 @@ If you want to move devices to different deployment rings (either service or sof
 If you don't see the Ring assigned by column change to **Pending** in Step 5, check to see whether the device exists in Microsoft Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory).
 
 > [!WARNING]
-> Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings.
+> Moving devices between deployment rings through directly changing Microsoft Entra group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings.
 
 ## Automated deployment ring remediation functions
 
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
index 18ff0f2a4a..93aeb12df6 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
@@ -19,7 +19,7 @@ ms.collection:
 
 Autopatch groups help Microsoft Cloud-Managed services meet organizations where they are in their update management journey.
 
-Autopatch groups is a logical container or unit that groups several [Azure AD groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates policy for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates).
+Autopatch groups is a logical container or unit that groups several [Microsoft Entra groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates policy for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates).
 
 ## Autopatch groups prerequisites
 
@@ -36,7 +36,7 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
 	- Windows Autopatch – DSS Policy [First]
 	- Windows Autopatch – DSS Policy [Fast]
 	- Windows Autopatch – DSS Policy [Broad]
-- Ensure the following Azure AD assigned groups are in your tenant before using Autopatch groups. **Don’t** modify the Azure AD group membership types (Assigned or Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups and causes the Autopatch groups feature and other service-related operations to not work properly.
+- Ensure the following Microsoft Entra ID assigned groups are in your tenant before using Autopatch groups. **Don’t** modify the Microsoft Entra group membership types (Assigned or Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups and causes the Autopatch groups feature and other service-related operations to not work properly.
     - Modern Workplace Devices-Windows Autopatch-Test
     - Modern Workplace Devices-Windows Autopatch-First
     - Modern Workplace Devices-Windows Autopatch-Fast
@@ -46,14 +46,14 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
     - Windows Autopatch – Ring2
     - Windows Autopatch – Ring3
     - Windows Autopatch – Last
-- Additionally, **don't** modify the Azure AD group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. If the ownership is modified, you must add the **Modern Workplace Management** Service Principal as the owner of these groups.
-	- For more information, see [assign an owner or member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) for steps on how to add owners to Azure Azure AD groups.
+- Additionally, **don't** modify the Microsoft Entra group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. If the ownership is modified, you must add the **Modern Workplace Management** Service Principal as the owner of these groups.
+	- For more information, see [assign an owner or member of a group in Microsoft Entra ID](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) for steps on how to add owners to Azure Microsoft Entra groups.
 - Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won’t work properly. Autopatch uses app-only auth to:
     - Read device attributes to successfully register devices.
     - Manage all configurations related to the operation of the service.
-- Make sure that all device-based Azure AD groups you intend to use with Autopatch groups are created prior to using the feature.
-    - Review your existing Azure AD group dynamic queries and direct device memberships to avoid having device membership overlaps in between device-based Azure AD groups that are going to be used with Autopatch groups. This can help prevent device conflicts within an Autopatch group or across several Autopatch groups. **Autopatch groups doesn't support user-based Azure AD groups**.
-- Ensure devices used with your existing Azure AD groups meet [device registration prerequisite checks](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) when being registered with the service. Autopatch groups register devices on your behalf, and devices can be moved to **Registered** or **Not registered** tabs in the Devices blade accordingly.
+- Make sure that all device-based Microsoft Entra groups you intend to use with Autopatch groups are created prior to using the feature.
+    - Review your existing Microsoft Entra group dynamic queries and direct device memberships to avoid having device membership overlaps in between device-based Microsoft Entra groups that are going to be used with Autopatch groups. This can help prevent device conflicts within an Autopatch group or across several Autopatch groups. **Autopatch groups doesn't support user-based Microsoft Entra groups**.
+- Ensure devices used with your existing Microsoft Entra groups meet [device registration prerequisite checks](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) when being registered with the service. Autopatch groups register devices on your behalf, and devices can be moved to **Registered** or **Not registered** tabs in the Devices blade accordingly.
 
 > [!TIP]
 > [Update rings](/mem/intune/protect/windows-10-update-rings) and [feature updates](/mem/intune/protect/windows-10-feature-updates) for Windows 10 and later policies that are created and managed by Windows Autopatch can be restored using the [Policy health](../operate/windows-autopatch-policy-health-and-remediation.md) feature. For more information on remediation actions, see [restore Windows update policies](../operate/windows-autopatch-policy-health-and-remediation.md#restore-windows-update-policies).
@@ -73,12 +73,12 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
 1. In **Basics** page, enter a **name** and a **description** then select **Next: Deployment rings**.
     1. Enter up to 64 characters for the Autopatch group name and 150 characters maximum for the description. The Autopatch group name is appended to both the update rings and the DSS policy names that get created once the Custom Autopatch group is created.
 1. In **Deployment rings** page, select **Add deployment ring** to add the number of deployment rings to the Custom Autopatch group.
-1. Each new deployment ring added must have either an Azure AD device group assigned to it, or an Azure AD group that is dynamically distributed across your deployments rings using defined percentages.
-    1. In the **Dynamic groups** area, select **Add groups** to select one or more existing device-based Azure AD groups to be used for Dynamic group distribution.
+1. Each new deployment ring added must have either a Microsoft Entra device group assigned to it, or a Microsoft Entra group that is dynamically distributed across your deployments rings using defined percentages.
+    1. In the **Dynamic groups** area, select **Add groups** to select one or more existing device-based Microsoft Entra groups to be used for Dynamic group distribution.
     1. In the **Dynamic group distribution** column, select the desired deployment ring checkbox. Then, either:
-        1. Enter the percentage of devices that should be added from the Azure AD groups selected in step 9. The percentage calculation for devices must equal to 100%, or
+        1. Enter the percentage of devices that should be added from the Microsoft Entra groups selected in step 9. The percentage calculation for devices must equal to 100%, or
         1. Select **Apply default dynamic group distribution** to use the default values.
-1. In the **Assigned group** column, select **Add group to ring** to add an existing Azure AD group to any of the defined deployment rings. The **Test** and **Last** deployment rings only support Assigned group distribution. These deployment rings don't support Dynamic distribution.
+1. In the **Assigned group** column, select **Add group to ring** to add an existing Microsoft Entra group to any of the defined deployment rings. The **Test** and **Last** deployment rings only support Assigned group distribution. These deployment rings don't support Dynamic distribution.
 1. Select **Next: Windows Update settings**.
 1. Select the **horizontal ellipses (…)** > **Manage deployment cadence** to [customize your gradual rollout of Windows quality and feature updates](../operate/windows-autopatch-windows-update.md). Select **Save**.
 1. Select the **horizontal ellipses (…)** > **Manage notifications** to customize the end-user experience when receiving Windows updates. Select **Save**.
@@ -86,10 +86,10 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
 1. Once the review is done, select **Create** to save your custom Autopatch group.
 
 > [!CAUTION]
-> A device-based Azure AD group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Azure AD group that’s been already used, you'll receive an error that prevents you from finish creating or editing the Autopatch group (Default or Custom).
+> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that’s been already used, you'll receive an error that prevents you from finish creating or editing the Autopatch group (Default or Custom).
 
 > [!IMPORTANT]
-> Windows Autopatch creates the device-based Azure AD assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience.
+> Windows Autopatch creates the device-based Microsoft Entra ID assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience.
 
 ## Edit the Default or a Custom Autopatch group
 
@@ -107,7 +107,7 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
 1. Once the review is done, select **Save** to finish editing the Autopatch group.
 
 > [!IMPORTANT]
-> Windows Autopatch creates the device-based Azure AD assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience.
+> Windows Autopatch creates the device-based Microsoft Entra ID assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience.
 
 ## Rename a Custom Autopatch group
 
@@ -119,7 +119,7 @@ You **can’t** rename the Default Autopatch group. However, you can rename a Cu
 1. In the **New Autopatch group name**, enter the new Autopatch group name of your choice, then click **Rename group**.
 
 > [!IMPORTANT]
-> Autopatch supports up to 64 characters for the custom Autopatch group name. Additionally, when you rename a custom Autopatch group all [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) associated with the custom Autopatch group are renamed to include the new Autopatch group name you define in its name string. Also, when renaming a custom Autopatch group all Azure AD groups representing the custom Autopatch group's deployment rings are renamed to include the new Autopatch group name you define in its name string.
+> Autopatch supports up to 64 characters for the custom Autopatch group name. Additionally, when you rename a custom Autopatch group all [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) associated with the custom Autopatch group are renamed to include the new Autopatch group name you define in its name string. Also, when renaming a custom Autopatch group all Microsoft Entra groups representing the custom Autopatch group's deployment rings are renamed to include the new Autopatch group name you define in its name string.
 
 ## Delete a Custom Autopatch group
 
@@ -135,12 +135,12 @@ You **can’t** delete the Default Autopatch group. However, you can delete a Cu
 
 ## Manage device conflict scenarios when using Autopatch groups
 
-Overlap in device membership is a common scenario when working with device-based Azure AD groups since sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Azure AD groups.
+Overlap in device membership is a common scenario when working with device-based Microsoft Entra groups since sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Microsoft Entra groups.
 
-Since Autopatch groups allow you to use your existing Azure AD groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that may occur.
+Since Autopatch groups allow you to use your existing Microsoft Entra groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that may occur.
 
 > [!CAUTION]
-> A device-based Azure AD group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Azure AD group that’s been already used, you'll receive an error that prevents you from creating or editing the Autopatch group (Default or Custom).
+> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that’s been already used, you'll receive an error that prevents you from creating or editing the Autopatch group (Default or Custom).
 
 ### Device conflict in deployment rings within an Autopatch group
 
@@ -172,11 +172,11 @@ Device conflict across different deployment rings in different Autopatch groups
 
 #### Device conflict prior to device registration
 
-When you create or edit the Custom or Default Autopatch group, Windows Autopatch checks if the devices that are part of the Azure AD groups, used in Autopatch groups’ deployment rings, are registered with the service.
+When you create or edit the Custom or Default Autopatch group, Windows Autopatch checks if the devices that are part of the Microsoft Entra groups, used in Autopatch groups’ deployment rings, are registered with the service.
 
 | Conflict scenario | Conflict resolution |
 | -----  | ----- |
-| Devices are in the Custom-to-Custom Autopatch group device conflict scenario | You must resolve this conflict.<p>Devices will fail to register with the service and will be sent to the **Not registered** tab. You’re required to make sure the Azure AD groups that are used with the Custom Autopatch groups don’t have device membership overlaps.</p> |
+| Devices are in the Custom-to-Custom Autopatch group device conflict scenario | You must resolve this conflict.<p>Devices will fail to register with the service and will be sent to the **Not registered** tab. You’re required to make sure the Microsoft Entra groups that are used with the Custom Autopatch groups don’t have device membership overlaps.</p> |
 
 #### Device conflict post device registration
 
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
index a706404138..b482faa489 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
@@ -21,7 +21,7 @@ As organizations move to a managed-service model where Microsoft manages update
 
 ## What are Windows Autopatch groups?
 
-Autopatch groups is a logical container or unit that groups several [Azure AD groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates).
+Autopatch groups is a logical container or unit that groups several [Microsoft Entra groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates).
 
 ## Key benefits
 
@@ -29,9 +29,9 @@ Autopatch groups help Microsoft Cloud-Managed services meet organizations where
 
 | Benefit | Description |
 | ----- | ----- |
-| Replicating your organizational structure | You can set up Autopatch groups to replicate your organizational structures represented by your existing device-based Azure AD group targeting logic. |
+| Replicating your organizational structure | You can set up Autopatch groups to replicate your organizational structures represented by your existing device-based Microsoft Entra group targeting logic. |
 | Having a flexible number of deployments | Autopatch groups give you the flexibility of having the right number of deployment rings that work within your organization. You can set up to 15 deployment rings per Autopatch group. |
-| Deciding which device(s) belong to deployment rings | Along with using your existing device-based Azure AD groups and choosing the number of deployment rings, you can also decide which devices belong to deployment rings during the device registration process when setting up Autopatch groups. |
+| Deciding which device(s) belong to deployment rings | Along with using your existing device-based Microsoft Entra groups and choosing the number of deployment rings, you can also decide which devices belong to deployment rings during the device registration process when setting up Autopatch groups. |
 | Choosing the deployment cadence | You choose the right software update deployment cadence for your business. |
 
 ## High-level architecture diagram overview
@@ -43,8 +43,8 @@ Autopatch groups is a function app that is part of the device registration micro
 | Step | Description |
 | ----- | ----- |
 | Step 1: Create an Autopatch group | Create an Autopatch group. |
-| Step 2: Windows Autopatch uses Microsoft Graph to create Azure AD and policy assignments | Windows Autopatch service uses Microsoft Graph to coordinate the creation of:<ul><li>Azure AD groups</li><li>Software update policy assignments with other Microsoft services, such as Azure AD, Intune, and Windows Update for Business (WUfB) based on IT admin choices when you create or edit an Autopatch group.</li></ul> |
-| Step 3: Intune assigns software update policies | Once Azure AD groups are created in the Azure AD service, Intune is used to assign the software update policies to these groups and provide the number of devices that need the software update policies to the Windows Update for Business (WUfB) service. |
+| Step 2: Windows Autopatch uses Microsoft Graph to create Microsoft Entra ID and policy assignments | Windows Autopatch service uses Microsoft Graph to coordinate the creation of:<ul><li>Microsoft Entra groups</li><li>Software update policy assignments with other Microsoft services, such as Microsoft Entra ID, Intune, and Windows Update for Business (WUfB) based on IT admin choices when you create or edit an Autopatch group.</li></ul> |
+| Step 3: Intune assigns software update policies | Once Microsoft Entra groups are created in the Microsoft Entra service, Intune is used to assign the software update policies to these groups and provide the number of devices that need the software update policies to the Windows Update for Business (WUfB) service. |
 | Step 4: Windows Update for Business responsibilities | Windows Update for Business (WUfB) is the service responsible for:<ul><li>Delivering those update policies</li><li>Retrieving update deployment statuses back from devices</li><li>Sending back the status information to Microsoft Intune, and then to the Windows Autopatch service</li></ul> |
 
 ## Key concepts
@@ -70,7 +70,7 @@ The Default Autopatch group **can’t** be deleted or renamed. However, you can
 
 #### Default deployment ring composition
 
-By default, the following [software update-based deployment rings](#software-based-deployment-rings), represented by Azure AD assigned groups, are used:
+By default, the following [software update-based deployment rings](#software-based-deployment-rings), represented by Microsoft Entra ID assigned groups, are used:
 
 - Windows Autopatch – Test
 - Windows Autopatch – Ring1
@@ -84,7 +84,7 @@ By default, the following [software update-based deployment rings](#software-bas
 > For more information about the differences between **Assigned** and **Dynamic** deployment ring distribution types, see [about deployment rings](#about-deployment-rings). Only deployment rings that are placed in between the **Test** and the **Last** deployment rings can be used with the **Dynamic** deployment ring distributions.
 
 > [!CAUTION]
-> These and other Azure AD assigned groups created by Autopatch groups **can't** be missing in your tenant, otherwise, Autopatch groups might not function properly.
+> These and other Microsoft Entra ID assigned groups created by Autopatch groups **can't** be missing in your tenant, otherwise, Autopatch groups might not function properly.
 
 The **Last** deployment ring, the fifth deployment ring in the Default Autopatch group, is intended to provide coverage for scenarios where a group of specialized devices and/or VIP/Executive users. They must receive software update deployments after the organization’s general population to mitigate disruptions to your organization’s critical businesses.
 
@@ -96,7 +96,7 @@ The Default Autopatch group provides a default update deployment cadence for its
 
 Autopatch groups set up the [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) for each of its deployment rings in the Default Autopatch group. See the following default policy values:
 
-| Policy name | Azure AD group assignment | Quality updates deferral in days | Feature updates deferral in days | Feature updates uninstall window in days | Deadline for quality updates in days | Deadline for feature updates in days | Grace period | Auto restart before deadline |
+| Policy name | Microsoft Entra group assignment | Quality updates deferral in days | Feature updates deferral in days | Feature updates uninstall window in days | Deadline for quality updates in days | Deadline for feature updates in days | Grace period | Auto restart before deadline |
 | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
 | Windows Autopatch Update Policy - default - Test | Windows Autopatch - Test | 0 | 0 | 30 | 0 | 5 | 0 | Yes |
 | Windows Autopatch Update Policy - default - Ring1 | Windows Autopatch - Ring1 | 1 | 0 | 30 | 2 | 5 |2 | Yes |
@@ -108,7 +108,7 @@ Autopatch groups set up the [Update rings policy for Windows 10 and later](/mem/
 
 Autopatch groups set up the [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates) for each of its deployment rings in the Default Autopatch group, see the following default policy values:
 
-| Policy name | Azure AD group assignment |Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
+| Policy name | Microsoft Entra group assignment |Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
 | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
 | Windows Autopatch - DSS Policy [Test] | Windows Autopatch - Test | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 11, 2024; 1:00AM |
 | Windows Autopatch - DSS Policy [Ring1] | Windows Autopatch - Ring1 | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 11, 2024; 1:00AM |
@@ -129,12 +129,12 @@ By default, a Custom Autopatch group has the Test and Last deployment rings auto
 
 Deployment rings make it possible for an Autopatch group to have software update deployments sequentially delivered in a gradual rollout within the Autopatch group.
 
-Windows Autopatch aligns with Azure AD and Intune terminology for device group management. There are two types of deployment ring group distribution in Autopatch groups:
+Windows Autopatch aligns with Microsoft Entra ID and Intune terminology for device group management. There are two types of deployment ring group distribution in Autopatch groups:
 
 | Deployment ring distribution | Description |
 | ----- | ----- |
-| Dynamic | You can use one or more device-based Azure AD groups, either dynamic query-based or assigned to use in your deployment ring composition.<p>Azure AD groups that are used with the Dynamic distribution type can be used to distribute devices across several deployment rings based on percentage values that can be customized.</p> |
-| Assigned | You can use one single device-based Azure AD group, either dynamic query-based, or assigned to use in your deployment ring composition. |
+| Dynamic | You can use one or more device-based Microsoft Entra groups, either dynamic query-based or assigned to use in your deployment ring composition.<p>Microsoft Entra groups that are used with the Dynamic distribution type can be used to distribute devices across several deployment rings based on percentage values that can be customized.</p> |
+| Assigned | You can use one single device-based Microsoft Entra group, either dynamic query-based, or assigned to use in your deployment ring composition. |
 | Combination of Dynamic and Assigned | To provide a greater level of flexibility when working on deployment ring compositions, you can combine both device distribution types in Autopatch groups.<p>The combination of Dynamic and Assigned device distribution is **not** supported for the Test and Last deployment ring in Autopatch groups.</p> |
 
 #### About the Test and Last deployment rings
@@ -147,7 +147,7 @@ If you only keep Test and Last deployment rings in your Default Autopatch group,
 > Both the **Test** and **Last** deployment rings **can't** be removed or renamed from the Default or Custom Autopatch groups. Autopatch groups don't support the use of one single deployment ring as part of its deployment ring composition because you need at least two deployment rings for their gradual rollout. If you must implement a specific scenario with a single deployment ring, and gradual rollout isn’t required, consider managing these devices outside Windows Autopatch.
 
 > [!TIP]
-> Both the **Test** and **Last** deployment rings only support one single Azure AD group assignment at a time. If you need to assign more than one Azure AD group, you can nest the other Azure AD groups under the ones you plan to use with the **Test** and **Last** deployment rings. Only one level of Azure AD group nesting is supported.
+> Both the **Test** and **Last** deployment rings only support one single Microsoft Entra group assignment at a time. If you need to assign more than one Microsoft Entra group, you can nest the other Microsoft Entra groups under the ones you plan to use with the **Test** and **Last** deployment rings. Only one level of Microsoft Entra group nesting is supported.
 
 #### Service-based versus software update-based deployment rings
 
@@ -160,7 +160,7 @@ Autopatch groups creates two different layers. Each layer contains its own deplo
 
 The service-based deployment ring set is exclusively used to keep Windows Autopatch updated with both service and device-level configuration policies, apps and APIs needed for core functions of the service.
 
-The following are the Azure AD assigned groups that represent the service-based deployment rings. These groups can't be deleted or renamed:
+The following are the Microsoft Entra ID assigned groups that represent the service-based deployment rings. These groups can't be deleted or renamed:
 
 - Modern Workplace Devices-Windows Autopatch-Test
 - Modern Workplace Devices-Windows Autopatch-First
@@ -168,13 +168,13 @@ The following are the Azure AD assigned groups that represent the service-based
 - Modern Workplace Devices-Windows Autopatch-Broad
 
 > [!CAUTION]
-> **Don’t** modify the Azure AD group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly. <p>Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Azure AD group created by Autopatch groups.</p>
+> **Don’t** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly. <p>Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.</p>
 
 ##### Software-based deployment rings
 
 The software-based deployment ring set is exclusively used with software update management policies, such as the Windows update ring and feature update policies, in the Default Windows Autopatch group.
 
-The following are the Azure AD assigned groups that represent the software updates-based deployment rings. These groups can't be deleted or renamed:
+The following are the Microsoft Entra ID assigned groups that represent the software updates-based deployment rings. These groups can't be deleted or renamed:
 
 - Windows Autopatch - Test
 - Windows Autopatch – Ring1
@@ -183,14 +183,14 @@ The following are the Azure AD assigned groups that represent the software updat
 - Windows Autopatch – Last
 
 > [!IMPORTANT]
-> Additional Azure AD assigned groups are created and added to list when you add more deployment rings to the Default Autopatch group.
+> Additional Microsoft Entra ID assigned groups are created and added to list when you add more deployment rings to the Default Autopatch group.
 
 > [!CAUTION]
-> **Don’t** modify the Azure AD group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly. <p>Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Azure AD group created by Autopatch groups.</p>
+> **Don’t** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly. <p>Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.</p>
 
 ### About device registration
 
-Autopatch groups register devices with the Windows Autopatch service when you either [create](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) or [edit a Custom Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group), and/or when you [edit the Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to use your existing Azure AD groups instead of the Windows Autopatch Device Registration group provided by the service.
+Autopatch groups register devices with the Windows Autopatch service when you either [create](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) or [edit a Custom Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group), and/or when you [edit the Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to use your existing Microsoft Entra groups instead of the Windows Autopatch Device Registration group provided by the service.
 
 ## Common ways to use Autopatch groups
 
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index a2734bb584..4cb39e3d34 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -31,44 +31,48 @@ Windows Autopatch can take over software update management control of devices th
 
 ### Windows Autopatch groups device registration
 
-When you either create/edit a [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or edit the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) to add or remove deployment rings, the device-based Azure AD groups you use when setting up your deployment rings are scanned to see if devices need to be registered with the Windows Autopatch service.  
+When you either create/edit a [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or edit the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) to add or remove deployment rings, the device-based Microsoft Entra groups you use when setting up your deployment rings are scanned to see if devices need to be registered with the Windows Autopatch service.  
 
-If devices aren’t registered, Autopatch groups starts the device registration process by using your existing device-based Azure AD groups instead of the Windows Autopatch Device Registration group.
+If devices aren’t registered, Autopatch groups starts the device registration process by using your existing device-based Microsoft Entra groups instead of the Windows Autopatch Device Registration group.
 
 For more information, see [create Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) and [edit Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to register devices using the Autopatch groups device registration method.
 
-#### Supported scenarios when nesting other Azure AD groups
+<a name='supported-scenarios-when-nesting-other-azure-ad-groups'></a>
 
-Windows Autopatch also supports the following Azure AD nested group scenarios:
+#### Supported scenarios when nesting other Microsoft Entra groups
 
-Azure AD groups synced up from:
+Windows Autopatch also supports the following Microsoft Entra nested group scenarios:
+
+Microsoft Entra groups synced up from:
 
 - On-premises Active Directory groups (Windows Server AD)
 - [Configuration Manager collections](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync)
 
 > [!WARNING]
-> It isn't recommended to sync Configuration Manager collections straight to the **Windows Autopatch Device Registration** Azure AD group. Use a different Azure AD group when syncing Configuration Manager collections to Azure AD groups then you can nest this or these groups into the **Windows Autopatch Device Registration** Azure AD group.
+> It isn't recommended to sync Configuration Manager collections straight to the **Windows Autopatch Device Registration** Microsoft Entra group. Use a different Microsoft Entra group when syncing Configuration Manager collections to Microsoft Entra groups then you can nest this or these groups into the **Windows Autopatch Device Registration** Microsoft Entra group.
 
 > [!IMPORTANT]
-> The **Windows Autopatch Device Registration** Azure AD group only supports **one level** of Azure AD nested groups.
+> The **Windows Autopatch Device Registration** Microsoft Entra group only supports **one level** of Microsoft Entra nested groups.
 
-### Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant
+<a name='clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant'></a>
 
-An [Azure AD dual state](/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state) occurs when a device is initially connected to Azure AD as an [Azure AD Registered](/azure/active-directory/devices/concept-azure-ad-register) device. However, when you enable Hybrid Azure AD join, the same device is connected twice to Azure AD but as a [Hybrid Azure AD device](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
+### Clean up dual state of Microsoft Entra hybrid joined and Azure registered devices in your Microsoft Entra tenant
 
-In the dual state, you end up having two Azure AD device records with different join types for the same device. In this case, the Hybrid Azure AD device record takes precedence over the Azure AD registered device record for any type of authentication in Azure AD, which makes the Azure AD registered device record stale.
+An [Microsoft Entra dual state](/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state) occurs when a device is initially connected to Microsoft Entra ID as an [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register) device. However, when you enable Microsoft Entra hybrid join, the same device is connected twice to Microsoft Entra ID but as a [Hybrid Microsoft Entra device](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
 
-It's recommended to detect and clean up stale devices in Azure AD before registering devices with Windows Autopatch, see [How To: Manage state devices in Azure AD](/azure/active-directory/devices/manage-stale-devices).
+In the dual state, you end up having two Microsoft Entra device records with different join types for the same device. In this case, the Hybrid Microsoft Entra device record takes precedence over the Microsoft Entra registered device record for any type of authentication in Microsoft Entra ID, which makes the Microsoft Entra registered device record stale.
+
+It's recommended to detect and clean up stale devices in Microsoft Entra ID before registering devices with Windows Autopatch, see [How To: Manage state devices in Microsoft Entra ID](/azure/active-directory/devices/manage-stale-devices).
 
 > [!WARNING]
-> If you don't clean up stale devices in Azure AD before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the **Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed)** pre-requisite check  in the **Not ready** tab because it's expected that these stale Azure AD devices aren't enrolled into the Intune service anymore.
+> If you don't clean up stale devices in Microsoft Entra ID before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the **Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed)** pre-requisite check  in the **Not ready** tab because it's expected that these stale Microsoft Entra devices aren't enrolled into the Intune service anymore.
 
 ## Prerequisites for device registration
 
 To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites:
 
 - Windows 10 (1809+)/11 Enterprise or Professional editions (only x64 architecture).
-- Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported).
+- Either [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Microsoft Entra joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported).
 - Managed by Microsoft Intune.
     - [Already enrolled into Microsoft Intune](/mem/intune/user-help/enroll-windows-10-device) and/or [Configuration Manager co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#configuration-manager-co-management-requirements).
         - Must switch the following Microsoft Configuration Manager [co-management workloads](/mem/configmgr/comanage/how-to-switch-workloads) to Microsoft Intune (either set to Pilot Intune or Intune):
@@ -114,20 +118,20 @@ The following are the possible device readiness statuses in Windows Autopatch:
 
 A role defines the set of permissions granted to users assigned to that role. You can use one of the following built-in roles in Windows Autopatch to register devices:
 
-- Azure AD Global Administrator
+- Microsoft Entra Global Administrator
 - Intune Service Administrator
 
-For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
+For more information, see [Microsoft Entra built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
 
-If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Azure AD groups created during the [tenant enrollment](../prepare/windows-autopatch-enroll-tenant.md) process:
+If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Microsoft Entra groups created during the [tenant enrollment](../prepare/windows-autopatch-enroll-tenant.md) process:
 
-| Azure AD Group name | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions |
+| Microsoft Entra group name | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions |
 | ----- | ----- | ----- | ----- | ----- | ----- |
 | Modern Workplace Roles - Service Administrator | Yes | Yes | Yes | Yes | Yes |
 | Modern Workplace Roles - Service Reader | No | Yes | Yes | Yes | No |
 
 > [!TIP]
-> If you're adding less-privileged user accounts into the **Modern Workplace Roles - Service Administrator** Azure AD group, it's recommended to add the same users as owners of the **Windows Autopatch Device Registration** Azure AD group. Owners of the **Windows Autopatch Device Registration** Azure AD group can add new devices as members of the group for registration purposes.<p>For more information, see [assign an owner of member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group).</p>
+> If you're adding less-privileged user accounts into the **Modern Workplace Roles - Service Administrator** Microsoft Entra group, it's recommended to add the same users as owners of the **Windows Autopatch Device Registration** Microsoft Entra group. Owners of the **Windows Autopatch Device Registration** Microsoft Entra group can add new devices as members of the group for registration purposes.<p>For more information, see [assign an owner of member of a group in Microsoft Entra ID](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group).</p>
 
 ## Details about the device registration process
 
@@ -206,7 +210,7 @@ There's a few more device management lifecycle scenarios to consider when planni
 
 If a device was previously registered into the Windows Autopatch service, but it needs to be reimaged, you must run one of the device provisioning processes available in Microsoft Intune to reimage the device.
 
-The device will be rejoined to Azure AD (either Hybrid or Azure AD-only). Then, re-enrolled into Intune as well. No further action is required from you or the Windows Autopatch service, because the Azure AD device ID record of that device remains the same.
+The device will be rejoined to Microsoft Entra ID (either Hybrid or Microsoft Entra-only). Then, re-enrolled into Intune as well. No further action is required from you or the Windows Autopatch service, because the Microsoft Entra device ID record of that device remains the same.
 
 ### Device repair and hardware replacement
 
@@ -216,7 +220,7 @@ If you need to repair a device that was previously registered into the Windows A
 - MAC address (non-removable NICs)
 - OS hard drive's serial, model, manufacturer information
 
-When one of these hardware changes occurs, Azure AD creates a new device ID record for that device, even if it's technically the same device.
+When one of these hardware changes occurs, Microsoft Entra ID creates a new device ID record for that device, even if it's technically the same device.
 
 > [!IMPORTANT]
-> If a new Azure AD device ID is generated for a device that was previously registered into the Windows Autopatch service, even if it's technically same device, the new Azure AD device ID must be added either through device direct membership or through nested Azure AD dynamic/assigned group into the **Windows Autopatch Device Registration** Azure AD group. This process guarantees that the newly generated Azure AD device ID is registered with Windows Autopatch and that the device continues to have its software updates managed by the service.
+> If a new Microsoft Entra device ID is generated for a device that was previously registered into the Windows Autopatch service, even if it's technically same device, the new Microsoft Entra device ID must be added either through device direct membership or through nested Microsoft Entra dynamic/assigned group into the **Windows Autopatch Device Registration** Microsoft Entra group. This process guarantees that the newly generated Microsoft Entra device ID is registered with Windows Autopatch and that the device continues to have its software updates managed by the service.
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png
index f77684b8c4..2098b9cd0c 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png
index abd0c884b1..d59d22d90c 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-groups-high-level-architecture-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-groups-high-level-architecture-diagram.png
index 1be4b61b37..2c476a2e64 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-groups-high-level-architecture-diagram.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-groups-high-level-architecture-diagram.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png b/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png
index c6abcd6790..75dc395038 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-prerequisite-check-workflow-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-prerequisite-check-workflow-diagram.png
index d340ccdecd..9e01c36d3b 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-prerequisite-check-workflow-diagram.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-prerequisite-check-workflow-diagram.png differ
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
index 0f80250e80..563e6370c5 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
@@ -54,7 +54,7 @@ Alert resolutions are provided through the Windows Update service and provide th
 | `CancelledByUser` | User canceled the update | The Windows Update service has reported the update was canceled by the user.<p>It's recommended to work with the end user to allow updates to execute as scheduled.</p> |
 | `DamagedMedia` | The update file or hard drive is damaged | The Windows Update service has indicated the update payload might be damaged or corrupt. <p>It's recommended to run `Chkdsk /F` on the device with administrator privileges, then retry the update. For more information, see [chkdsk](/windows-server/administration/windows-commands/chkdsk?tabs=event-viewer).</p> |
 | `DeploymentConflict` | Device is in more than one deployment of the same update type. Only the first deployment assigned is effective. | The Windows Update service has reported a policy conflict.<p>For more information, see the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
-| `DeviceRegistrationInvalidAzureADDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Azure AD Device ID. | The Windows Update service has reported a device registration issue.<p>For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
+| `DeviceRegistrationInvalidAzureADDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Microsoft Entra Device ID. | The Windows Update service has reported a device registration issue.<p>For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
 | `DeviceRegistrationInvalidGlobalDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Global Device ID. |The Windows Update service has reported that the MSA Service may be disabled preventing Global Device ID assignment.<p>Check that the MSA Service is running or able to run on device.</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
 | `DeviceRegistrationIssue` | The device isn't able to register or authenticate properly with Windows Update. | The Windows Update service has reported a device registration issue.<p>For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
 | `DeviceRegistrationNoTrustType` | The device isn't able to register or authenticate properly with Windows Update because it can't establish Trust. | The Windows Update service has reported a device registration issue.<p>For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
index c41dd12e0c..843b7e8d3c 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
@@ -16,12 +16,12 @@ ms.collection:
 
 # Exclude a device
 
-To avoid end-user disruption, excluding a device in Windows Autopatch only deletes the Windows Autopatch device record itself. Excluding a device can't delete the Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity.
+To avoid end-user disruption, excluding a device in Windows Autopatch only deletes the Windows Autopatch device record itself. Excluding a device can't delete the Microsoft Intune and/or the Microsoft Entra device records. Microsoft assumes you'll keep managing those devices yourself in some capacity.
 
-When you exclude a device from the Windows Autopatch service, the device is flagged as **excluded** so Windows Autopatch doesn't try to restore the device into the service again, since the exclusion command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** group, or any other Azure AD group, used with Autopatch groups.
+When you exclude a device from the Windows Autopatch service, the device is flagged as **excluded** so Windows Autopatch doesn't try to restore the device into the service again, since the exclusion command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** group, or any other Microsoft Entra group, used with Autopatch groups.
 
 > [!IMPORTANT]
-> The Azure AD team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues.
+> The Microsoft Entra team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues.
 
 **To exclude a device:**
 
@@ -32,7 +32,7 @@ When you exclude a device from the Windows Autopatch service, the device is flag
 1. Once a device or multiple devices are selected, select **Device actions**. Then, select **Exclude device**.
 
 > [!WARNING]
-> Excluding devices from the Windows Autopatch Device Registration group, or any other Azure AD group, used with Autopatch groups doesn't exclude devices from the Windows Autopatch service.
+> Excluding devices from the Windows Autopatch Device Registration group, or any other Microsoft Entra group, used with Autopatch groups doesn't exclude devices from the Windows Autopatch service.
 
 ## Only view excluded devices
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
index 12e39f7f30..66164cc373 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
@@ -34,7 +34,7 @@ Keeping your devices up to date is a balance of speed and stability. Windows Aut
 
 Autopatch groups help Microsoft Cloud-Managed services meet all organizations where they are at in their update management journey.  
 
-Autopatch groups is a logical container that groups several [Azure AD groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as Windows Update rings and feature update policies, together.
+Autopatch groups is a logical container that groups several [Microsoft Entra groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as Windows Update rings and feature update policies, together.
 
 For more information on key benefits and how to use Autopatch groups, see [Autopatch groups overview](../deploy/windows-autopatch-groups-overview.md).
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
index f2522d91fa..8ffc66a28a 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
@@ -64,7 +64,7 @@ Windows Autopatch’s default Windows feature update release is a service-driven
 > [!TIP]
 > Windows Autopatch allows you to [create custom Windows feature update releases](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#create-a-custom-release).
 
-When devices are registered by manually adding them to the Windows Autopatch Device Registration Azure AD assigned group, devices are assigned to deployment rings as part of the default Autopatch group. Each deployment ring has its own Windows feature update policy assigned to them. This is intended to minimize unexpected Windows OS upgrades once new devices register with the service.
+When devices are registered by manually adding them to the Windows Autopatch Device Registration Microsoft Entra ID assigned group, devices are assigned to deployment rings as part of the default Autopatch group. Each deployment ring has its own Windows feature update policy assigned to them. This is intended to minimize unexpected Windows OS upgrades once new devices register with the service.
 
 The policies:
 
@@ -98,7 +98,7 @@ There are two scenarios that the Global release is used:
 
 | Scenario | Description |
 | ----- | ----- |
-| Scenario #1 | You assign Azure AD groups to be used with the deployment ring (Last) or you add additional deployment rings when you customize the [Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group).<p>A global Windows feature update policy is automatically assigned behind the scenes to the newly added deployment rings or when you assigned Azure AD groups to the deployment ring (Last) in the Default Autopatch group.</p> |
+| Scenario #1 | You assign Microsoft Entra groups to be used with the deployment ring (Last) or you add additional deployment rings when you customize the [Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group).<p>A global Windows feature update policy is automatically assigned behind the scenes to the newly added deployment rings or when you assigned Microsoft Entra groups to the deployment ring (Last) in the Default Autopatch group.</p> |
 | Scenario #2 | You create new [Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group).<p>The global Windows feature policy is automatically assigned behind the scenes to all deployment rings as part of the Custom Autopatch groups you create.</p> |
 
 > [!NOTE]
@@ -142,7 +142,7 @@ Feature update policies work with Windows Update rings policies. Windows Update
 
 The following table details the default Windows Update rings policy values that affect either the default or custom Windows feature updates releases:
 
-| Policy name | Azure AD group assignment | Quality updates deferral in days | Feature updates deferral in days | Feature updates uninstall window in days | Deadline for quality updates in days | Deadline for feature updates in days | Grace period | Auto restart before deadline |
+| Policy name | Microsoft Entra group assignment | Quality updates deferral in days | Feature updates deferral in days | Feature updates uninstall window in days | Deadline for quality updates in days | Deadline for feature updates in days | Grace period | Auto restart before deadline |
 | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
 | Windows Autopatch Update Policy - default - Test | Windows Autopatch - Test | 0 | 0 | 30 | 0 | 5 | 0 | Yes |
 | Windows Autopatch Update Policy - default - Ring1 | Windows Autopatch - Ring1 | 1 | 0 | 30 | 2 | 5 |2 | Yes |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
index da80289277..8fe50bb86f 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
@@ -48,7 +48,7 @@ The following information is available as optional columns in the Feature update
 
 | Column name | Description |
 | ----- | ----- |
-| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device |
+| Microsoft Entra device ID | The current Microsoft Entra ID recorded device ID for the device |
 | Serial number | The current Intune recorded serial number for the device |
 | Intune last check in time | The last time the device checked in to Intune |
 | Service State | The Service State provided from Windows Update |
@@ -73,7 +73,7 @@ The following options are available:
 
 | Option | Description |
 | ----- | ----- |
-| Search | Use to search by device name, Azure AD device ID or serial number |
+| Search | Use to search by device name, Microsoft Entra device ID or serial number |
 | Sort | Select the **column headings** to sort the report data in ascending and descending order. |
 | Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
 | Filter | Select either the **Add filters** or at the top of the report to filter the results. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
index 37d261d766..6f8527fdc9 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
@@ -1,7 +1,7 @@
 ---
 title: Windows feature update summary dashboard
 description: Provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
-ms.date: 07/25/2023
+ms.date: 10/11/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@@ -17,19 +17,19 @@ ms.collection:
 
 # Windows feature update summary dashboard
 
-The summary dashboard provides a broader view of the current Windows OS update status for all devices registered with Windows Autopatch.
+The Summary dashboard provides a broader view of the current Windows OS update status for all devices registered with Windows Autopatch.
 
-The first part of the summary dashboard provides you with an all-devices trend report where you can follow the deployment trends within your organization. You can view if updates were successfully installed, failing, in progress, not ready or have their Windows feature update paused.
+The first part of the Summary dashboard provides you with an all-devices trend report where you can follow the deployment trends within your organization. You can view if updates were successfully installed, failing, in progress, not ready or have their Windows feature update paused.
 
-**To view a generated summary dashboard for your Windows feature update deployments:**
+**To view a generated Summary dashboard for your Windows feature update deployments:**
 
 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Reports** from the left navigation menu.
-1. Under the **Windows Autopatch** section, select **Windows feature updates (preview)**.
+1. Under the **Windows Autopatch** section, select **Windows feature updates**.
 
 ## Report information
 
-The following information is available in the summary dashboard:
+The following information is available in the Summary dashboard:
 
 | Column name | Description |
 | ----- | ----- |
@@ -48,5 +48,5 @@ The following options are available:
 
 | Option | Description |
 | ----- | ----- |
-| Refresh | The option to **Refresh** the summary dashboard is available at the top of the page. This process will ensure that the summary dashboard view is updated to the latest available dataset from within the last 24-hour period. |
+| Refresh | The option to **Refresh** the Summary dashboard is available at the top of the page. This process ensures that the Summary dashboard view is updated to the latest available dataset from within the last 24-hour period. |
 | Summary links | Each column represents the summary of included devices. Select the hyperlinked number to produce a filtered report in a new browser tab. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
index 703ee03554..af916925f0 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
@@ -51,7 +51,7 @@ The following information is available as optional columns in the Quality update
 
 | Column name | Description |
 | ----- | ----- |
-| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device |
+| Microsoft Entra device ID | The current Microsoft Entra ID recorded device ID for the device |
 | Serial number | The current Intune recorded serial number for the device |
 | Intune last check in time | The last time the device checked in to Intune |
 | Service State | The Service State provided from Windows Update |
@@ -75,7 +75,7 @@ The following options are available:
 
 | Option | Description |
 | ----- | ----- |
-| Search | Use to search by device name, Azure AD device ID or serial number |
+| Search | Use to search by device name, Microsoft Entra device ID or serial number |
 | Sort | Select the **column headings** to sort the report data in ascending and descending order. |
 | Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
 | Filter | Select either the **Add filters** or at the top of the report to filter the results. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
index 154e93fb08..e744f0c407 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
@@ -1,7 +1,7 @@
 ---
 title: Windows quality update summary dashboard
 description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch with Autopatch groups
-ms.date: 07/25/2023
+ms.date: 10/04/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@@ -17,7 +17,7 @@ ms.collection:
 
 # Windows quality update summary dashboard
 
-The summary dashboard provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
+The Summary dashboard provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
 
 **To view the current update status for all your enrolled devices:**
 
@@ -29,7 +29,7 @@ The summary dashboard provides a summary view of the current update status for a
 
 ## Report information
 
-The following information is available in the summary dashboard:
+The following information is available in the Summary dashboard:
 
 | Column name | Description |
 | ----- | ----- |
@@ -47,5 +47,5 @@ The following options are available:
 
 | Option | Description |
 | ----- | ----- |
-| Refresh | The option to **Refresh** the summary dashboard is available at the top of the page. This process will ensure that the summary dashboard view is updated to the latest available dataset from within the last 24-hour period. |
+| Refresh | The option to **Refresh** the Summary dashboard is available at the top of the page. This process ensures that the Summary dashboard view is updated to the latest available dataset from within the last 24-hour period. |
 | Summary links | Each column represents the summary of included devices. Select the hyperlinked number to produce a filtered report in a new browser tab. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
index cab93e35da..3b72dc6d90 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
@@ -23,13 +23,13 @@ After you've completed enrollment in Windows Autopatch, some management settings
 1. If any of the items apply to your environment, make the adjustments as described.
 
 > [!NOTE]
-> As your operations continue in the following months, if you make changes after enrollment to policies in Microsoft Intune, Azure Active Directory, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly. To avoid problems with the service, check the specific settings described in [Fix issues found by the readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) before you change the policies listed there.
+> As your operations continue in the following months, if you make changes after enrollment to policies in Microsoft Intune, Microsoft Entra ID, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly. To avoid problems with the service, check the specific settings described in [Fix issues found by the readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) before you change the policies listed there.
 
 ## Microsoft Intune settings
 
 | Setting | Description |
 | ----- | ----- |
-| Deployment rings for Windows 10 or later | For any deployment rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Azure AD group from each policy. For more information, see [Create and assign deployment rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).<p>Windows Autopatch creates some update ring policies. These policies have "**Modern Workplace**" in the name. For example:</p><ul><li>Modern Workplace Update Policy [Broad]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [Fast]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [First]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [Test]-[Windows Autopatch]</li></ul><p>When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Azure AD group from the policies that Windows Autopatch created.</p><p>**To resolve the Not ready result:**</p><p>After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group. For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p><p>**To resolve the Advisory result:**</p><ol><li>Make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.</li> <li>If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also **exclude** the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).</li></ol><p>For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p> |
+| Deployment rings for Windows 10 or later | For any deployment rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Microsoft Entra group from each policy. For more information, see [Create and assign deployment rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).<p>Windows Autopatch creates some update ring policies. These policies have "**Modern Workplace**" in the name. For example:</p><ul><li>Modern Workplace Update Policy [Broad]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [Fast]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [First]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [Test]-[Windows Autopatch]</li></ul><p>When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Microsoft Entra group from the policies that Windows Autopatch created.</p><p>**To resolve the Not ready result:**</p><p>After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Microsoft Entra group. For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p><p>**To resolve the Advisory result:**</p><ol><li>Make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Microsoft Entra group.</li> <li>If you have assigned Microsoft Entra user groups to these policies, make sure that any update ring policies you have also **exclude** the **Modern Workplace - All** Microsoft Entra group that you add your Windows Autopatch users to (or an equivalent group).</li></ol><p>For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p> |
 
 ## Windows Autopatch configurations
 
@@ -56,7 +56,7 @@ The type of banner that appears depends on the severity of the action. Currently
 
 | Action type | Severity | Description |
 | ----- | ----- | ----- |
-| Maintain tenant access | Critical | Required licenses have expired. The licenses include:<ul><li>Microsoft Intune</li><li>Azure Active Directory Premium</li><li>Windows 10/11 Enterprise E3 or higher</li><ul><li>For more information about specific services plans, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li></ul><p>To take action on missing licenses, you can visit the Microsoft 365 admin center or contact your Microsoft account manager. Until you have renewed the required licenses to run the service, Windows Autopatch marks your tenant as **inactive**. For more information, see [Microsoft 365 - What happens after my subscription expires?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires)</p> |
+| Maintain tenant access | Critical | Required licenses have expired. The licenses include:<ul><li>Microsoft Intune</li><li>Microsoft Entra ID P1 or P2</li><li>Windows 10/11 Enterprise E3 or higher</li><ul><li>For more information about specific services plans, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li></ul><p>To take action on missing licenses, you can visit the Microsoft 365 admin center or contact your Microsoft account manager. Until you have renewed the required licenses to run the service, Windows Autopatch marks your tenant as **inactive**. For more information, see [Microsoft 365 - What happens after my subscription expires?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires)</p> |
 | Maintain tenant access | Critical | Address tenant access issues. Windows Autopatch currently can’t manage your tenant. Until you take action, your tenant is marked as **inactive**, and you have only limited access to the Windows Autopatch portal.<p>Reasons for tenant access issues:<ul><li>You haven't yet migrated to the new [Windows Autopatch enterprise application](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). Windows Autopatch uses this enterprise application to run the service.</li><li>You have blocked or removed the permissions required for the Windows Autopatch enterprise application.</li></ul><p>Take action by consenting to allow Windows Autopatch to make the appropriate changes on your behalf. You must be a Global Administrator to consent to this action. Once you provide consent, Windows Autopatch remediates this critical action for you.</p><p>For more information, see [Windows Autopatch enterprise applications](../overview/windows-autopatch-privacy.md#tenant-access).</p> |
 
 ### Inactive status
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
index 06e2e12c09..3120c809f3 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -1,7 +1,7 @@
 ---
 title: Microsoft 365 Apps for enterprise
 description: This article explains how Windows Autopatch manages Microsoft 365 Apps for enterprise updates
-ms.date: 06/23/2023 
+ms.date: 10/27/2023 
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@@ -81,7 +81,15 @@ Windows Autopatch doesn't allow you to pause or roll back an update in the Micro
 
 ## Allow or block Microsoft 365 App updates
 
-For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices. When the Microsoft 365 App update setting is set to **Block**, Windows Autopatch doesn't provide Microsoft 365 App updates on your behalf, and your organizations have full control over these updates. For example, you can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview).
+> [!IMPORTANT]
+> You must be an Intune Administrator to make changes to the setting.
+
+For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices.
+
+| Microsoft 365 App setting | Description |
+| ----- | ----- |
+| **Allow** | When set to **Allow**, Windows Autopatch moves all Autopatch managed devices to the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview) and manages updates automatically. To manage updates manually, set the Microsoft 365 App update setting to **Block**. |
+| **Block** | When set to **Block**, Windows Autopatch doesn't provide Microsoft 365 App updates on your behalf, and your organizations have full control over these updates. You can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). |
 
 **To allow or block Microsoft 365 App updates:**
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
index ecc8f356a9..2c89d2a8ce 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
@@ -25,7 +25,7 @@ If you're looking to unenroll your tenant from Windows Autopatch, this article d
 Unenrolling from Windows Autopatch requires manual actions from both you and from the Windows Autopatch Service Engineering Team. The Windows Autopatch Service Engineering Team will:  
 
 - Remove Windows Autopatch access to your tenant.
-- Exclude your devices from the Windows Autopatch service. Excluding your devices from Windows Autopatch won't remove your devices from Intune, Azure AD or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in [Exclude a device](../operate/windows-autopatch-exclude-device.md).
+- Exclude your devices from the Windows Autopatch service. Excluding your devices from Windows Autopatch won't remove your devices from Intune, Microsoft Entra ID or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in [Exclude a device](../operate/windows-autopatch-exclude-device.md).
 - Delete all data that we've stored in the Windows Autopatch data storage.
 
 > [!NOTE]
@@ -36,7 +36,7 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
 | Responsibility | Description |
 | ----- | ----- |
 | Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won’t make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../overview/windows-autopatch-privacy.md). |
-| Excluding devices | Windows Autopatch will exclude all devices previously registered with the service. Only the Windows Autopatch device record is deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Exclude a device](../operate/windows-autopatch-exclude-device.md). |
+| Excluding devices | Windows Autopatch will exclude all devices previously registered with the service. Only the Windows Autopatch device record is deleted. We won't delete Microsoft Intune and/or Microsoft Entra device records. For more information, see [Exclude a device](../operate/windows-autopatch-exclude-device.md). |
 
 ## Your responsibilities after unenrolling your tenant
 
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md
index fb1b851773..7fc5bce674 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md
@@ -66,7 +66,7 @@ The following deployment steps can be used as a guide to help you to create your
 | ----- | ----- |
 | **1A: Set up the service** | <ul><li>Prepare your environment, review existing update policies and [General Considerations](#general-considerations)</li><li>Review and understand [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) when enrolling into the service</li><li>Enroll into the service and [add your admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><li>Review [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)</li><li>Verify the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) completed successfully</li></ul> |
 | **1B: Confirm update service needs and configure your workloads** | <ul><li>[Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md): Expedite preferences and cadence customizations</li><li>[Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md): Servicing version preferences</li><li>[Driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md): Set to either Manual or Automatic</li><li>[Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md): Set to either Monthly Enterprise Channel or opt-out</li><li>[Microsoft Edge](../operate/windows-autopatch-edge.md): Required. Beta and Stable Channel</li><li>[Microsoft Teams](../operate/windows-autopatch-teams.md): Required. Automatic</li></ul> |
-| **1C: Consider your Autopatch groups distribution** | Organizations have a range of Windows devices including desktop computers, laptops and tablets that might be grouped across multiple logical or physical locations. When planning your Autopatch groups strategy, consider the Autopatch group structure that best fits your organizational needs. It's recommended to utilize the service defaults as much as possible. However, if necessary, you can customize the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) with additional deployment rings and/or [create your own Custom Autopatch group(s)](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group).<br><br><ul><li> Review your device inventory and consider a representative mix of devices across your distribution</li><li>Review your Azure AD groups that you wish to use to register devices into the service</li><li>Review [device registration options](../deploy/windows-autopatch-device-registration-overview.md) and [register your first devices](../deploy/windows-autopatch-register-devices.md)</li></ul> |
+| **1C: Consider your Autopatch groups distribution** | Organizations have a range of Windows devices including desktop computers, laptops and tablets that might be grouped across multiple logical or physical locations. When planning your Autopatch groups strategy, consider the Autopatch group structure that best fits your organizational needs. It's recommended to utilize the service defaults as much as possible. However, if necessary, you can customize the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) with additional deployment rings and/or [create your own Custom Autopatch group(s)](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group).<br><br><ul><li> Review your device inventory and consider a representative mix of devices across your distribution</li><li>Review your Microsoft Entra groups that you wish to use to register devices into the service</li><li>Review [device registration options](../deploy/windows-autopatch-device-registration-overview.md) and [register your first devices](../deploy/windows-autopatch-register-devices.md)</li></ul> |
 | **1D: Review network optimization** | It's important to [prepare your network](../prepare/windows-autopatch-configure-network.md) to ensure that your devices have access to updates in the most efficient way, without impacting your infrastructure.<br><br>A recommended approach to manage bandwidth consumption is to utilize [Delivery Optimization](../prepare/windows-autopatch-configure-network.md#delivery-optimization). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages amongst multiple devices in your deployment. |
 
 ### Step two: Evaluate
@@ -121,7 +121,7 @@ Once migrated, there are several configuration tasks that you no longer need to
 | Automated management of deployment ring membership | Manually check collection membership and targets | Manage "static" deployment ring membership |
 | Maintain minimum Windows feature version and progressively move between servicing versions | Spend time developing, testing and rolling-out task sequence | Set up and deploy Windows feature update policies |
 | Service provides release management, signal monitoring, testing, and Windows Update deployment | Setup, target and monitor update test collections | Manage Test deployment rings and manually monitor update signals |
-| Simple, integrated process to turn on the service as part of the Windows 365 provisioning policy | Manually target Cloud PCs in device collections | Manually target Cloud PCs in Azure AD groups |
+| Simple, integrated process to turn on the service as part of the Windows 365 provisioning policy | Manually target Cloud PCs in device collections | Manually target Cloud PCs in Microsoft Entra groups |
 
 In addition to the reports, other benefits include:
 
@@ -179,7 +179,7 @@ When you migrate from Configuration Manager to Windows Autopatch, the fastest pa
 | **1** | Turn on co-management | If you're using co-management across Configuration Manager and your managed devices, you meet the key requirements to use Windows Autopatch.<br><br>If you don't have co-management, see [How to use co-management in Configuration Manager](/mem/configmgr/comanage/how-to-enable) |
 | **2** | Use required co-management workloads | Using Windows Autopatch requires that your managed devices use the following three co-management workloads:<ul><li>Windows Update policies workload</li><li>Device configuration workload</li><li>Office Click-to-Run apps workload</li></ul><br>If you have these workloads configured, you meet the key requirements to use Windows Autopatch. If you don't have these workloads configured, review [How to switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads) |
 | **3** | Prepare your policies | You should consider any existing policy configurations in your Configuration Manager (or on-premises) environment that could impact your deployment of Windows Autopatch. For more information, review [General considerations](#general-considerations) |
-| **4** | Ensure Configuration Manager collections or Azure AD device groups readiness | To move devices to Windows Autopatch, you must register devices with the Windows Autopatch service. To do so, use either Azure AD device groups, or Configuration Manager collections. Ensure you have either Azure AD device groups or Configuration Manager collections that allow you to evaluate, pilot and then migrate to the Windows Autopatch service. For more information, see [Register your devices](../deploy/windows-autopatch-register-devices.md#before-you-begin). |  
+| **4** | Ensure Configuration Manager collections or Microsoft Entra device groups readiness | To move devices to Windows Autopatch, you must register devices with the Windows Autopatch service. To do so, use either Microsoft Entra device groups, or Configuration Manager collections. Ensure you have either Microsoft Entra device groups or Configuration Manager collections that allow you to evaluate, pilot and then migrate to the Windows Autopatch service. For more information, see [Register your devices](../deploy/windows-autopatch-register-devices.md#before-you-begin). |  
 
 ### Optimized deployment path: Configuration Manager to Windows Autopatch
 
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index 66e6fd2e1d..54d107d92d 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -31,10 +31,10 @@ sections:
           Autopatch isn't available for 'A' or 'F' series licensing.
       - question: Will Windows Autopatch support local domain join Windows 10?
         answer: | 
-          Windows Autopatch doesn't support local (on-premises) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Azure AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
+          Windows Autopatch doesn't support local (on-premises) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Microsoft Entra join](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
       - question: Will Windows Autopatch be available for state and local government customers?
         answer: |
-          Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. Although Windows 365 Enterprise is in the Azure Commercial cloud, when Windows 365 Enterprise is used with a GCC customer tenant, Autopatch is not suppported.
+          Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. Although Windows 365 Enterprise is in the Azure Commercial cloud, when Windows 365 Enterprise is used with a GCC customer tenant, Autopatch is not supported.
       - question: What if I enrolled into Windows Autopatch using the promo code? Will I still have access to the service?
         answer: |
           Yes. For those who used the promo code to access Windows Autopatch during public preview, you'll continue to have access to Windows Autopatch even when the promo code expires. There's no additional action you have to take to continue using Windows Autopatch.
@@ -111,7 +111,7 @@ sections:
           No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-windows-quality-update-end-user-exp.md#servicing-window) to prevent users from updating during business hours.
       - question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership?
         answer: |
-          Windows Autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings).
+          Windows Autopatch doesn't support managing update deployment ring membership using your Microsoft Entra groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings).
       - question: Does Autopatch have two release cadences per update or are there two release cadences per-ring?
         answer: |
           The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-windows-quality-update-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases) would roll out more rapidly.
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
index 0ce2010fe7..043db6fb77 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
@@ -23,13 +23,13 @@ Windows Autopatch is a cloud service for enterprise customers designed to keep e
 
 Windows Autopatch provides its service to enterprise customers, and properly administers customers' enrolled devices by using data from various sources.
 
-The sources include Azure Active Directory (Azure AD), Microsoft Intune, and Microsoft Windows 10/11. The sources provide a comprehensive view of the devices that Windows Autopatch manages.
+The sources include Microsoft Entra ID, Microsoft Intune, and Microsoft Windows 10/11. The sources provide a comprehensive view of the devices that Windows Autopatch manages.
 
 | Data source | Purpose |
 | ------ | ------ |
 | [Microsoft Windows 10/11 Enterprise](/windows/windows-10/) | Management of device setup experience, managing connections to other services, and operational support for IT pros. |
 | [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) | Uses Windows 10/11 Enterprise diagnostic data to provide additional information on Windows 10/11 update. |
-| [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) | Device management and to keep your data secure. The following endpoint management data sources are used:<br><ul><li>[Microsoft Azure Active Directory](/azure/active-directory/): Authentication and identification of all user accounts.</li><li>[Microsoft Intune](/mem/intune/): Distributing device configurations, device management and application management.</li></ul>
+| [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) | Device management and to keep your data secure. The following endpoint management data sources are used:<br><ul><li>[Microsoft Entra ID](/azure/active-directory/): Authentication and identification of all user accounts.</li><li>[Microsoft Intune](/mem/intune/): Distributing device configurations, device management and application management.</li></ul>
 | [Windows Autopatch](https://go.microsoft.com/fwlink/?linkid=2109431) | Data provided by the customer or generated by the service during running of the service. |
 | [Microsoft 365 Apps for enterprise](https://www.microsoft.com/microsoft-365/enterprise/compare-office-365-plans)| Management of Microsoft 365 Apps. |
 
@@ -90,9 +90,11 @@ Windows Autopatch creates and uses guest accounts using just-in-time access func
 
 Microsoft Windows Update for Business uses data from Windows diagnostics to analyze update status and failures. Windows Autopatch uses this data and uses it to mitigate, and resolve problems to ensure that all registered devices are up to date based on a predefined update cadence.
 
-## Microsoft Azure Active Directory
+<a name='microsoft-azure-active-directory'></a>
 
-Identifying data used by Windows Autopatch is stored by Azure Active Directory (AD) in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Azure AD data is located, see [Azure Active Directory - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9)
+## Microsoft Entra ID
+
+Identifying data used by Windows Autopatch is stored by Microsoft Entra ID in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Microsoft Entra data is located, see [Microsoft Entra ID - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9)
 
 ## Microsoft Intune
 
@@ -136,7 +138,7 @@ For DSRs from other products related to the service, see the following articles:
 
 - [Windows diagnostic data](/compliance/regulatory/gdpr-dsr-windows)
 - [Microsoft Intune data](/compliance/regulatory/gdpr-dsr-intune)
-- [Azure Active Directory data](/compliance/regulatory/gdpr-dsr-azure)
+- [Microsoft Entra data](/compliance/regulatory/gdpr-dsr-azure)
 
 ## Legal
 
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
index 76fb999285..c7695ea433 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
@@ -44,7 +44,7 @@ There are URLs from several Microsoft products that must be in the allowed list
 | ----- | ----- |
 | Windows 10/11 Enterprise including Windows Update for Business | [Manage connection endpoints for Windows 10 Enterprise, version 1909](/windows/privacy/manage-windows-1909-endpoints)<p><p>[Manage connection endpoints for Windows 10 Enterprise, version 2004](/windows/privacy/manage-windows-2004-endpoints)</p><p>[Connection endpoints for Windows 10 Enterprise, version 20H2](/windows/privacy/manage-windows-20h2-endpoints)</p><p>[Manage connection endpoints for Windows 10 Enterprise, version 21H1](/windows/privacy/manage-windows-21h1-endpoints)</p><p>[Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints)</p><p>[Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints)</p>|
 | Microsoft 365 | [Microsoft 365 URL and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true) |
-| Azure Active Directory | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports)<p><p>[Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))</p> |
+| Microsoft Entra ID | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports)<p><p>[Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))</p> |
 | Microsoft Intune | [Intune network configuration requirements](/intune/network-bandwidth-use)<p><p>[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)</p>
 | Microsoft Edge | [Allowlist for Microsoft Edge Endpoints](/deployedge/microsoft-edge-security-endpoints) |
 | Microsoft Teams | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) |
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
index 3a6e0a1197..95f0ed85fc 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
@@ -33,7 +33,7 @@ To start using the Windows Autopatch service, ensure you meet the [Windows Autop
 > [!IMPORTANT]
 > The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you'll no longer be able to access the  tool again.
 
-The Readiness assessment tool checks the settings in [Microsoft Intune](#microsoft-intune-settings) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure the settings work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements).
+The Readiness assessment tool checks the settings in [Microsoft Intune](#microsoft-intune-settings) and [Microsoft Entra ID](#azure-active-directory-settings) (Microsoft Entra ID) to ensure the settings work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements).
 
 **To access and run the Readiness assessment tool:**
 
@@ -56,9 +56,11 @@ The following are the Microsoft Intune settings:
 | ----- | ----- |
 | Deployment rings for Windows 10 or later | Verifies that Intune's deployment rings for Windows 10 or later policy doesn't target all users or all devices. Policies of this type shouldn't target any Windows Autopatch devices. For more information, see [Configure deployment rings for Windows 10 and later in Intune](/mem/intune/protect/windows-10-update-rings). |
 
-### Azure Active Directory settings
+<a name='azure-active-directory-settings'></a>
 
-The following are the Azure Active Directory settings:
+### Microsoft Entra settings
+
+The following are the Microsoft Entra settings:
 
 | Check | Description |
 | ----- | ----- |
@@ -74,7 +76,7 @@ For each check, the tool reports one of four possible results:
 | Ready | No action is required before completing enrollment. |
 | Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.<p><p>You can complete enrollment, but you must fix these issues before you deploy your first device. |
 | Not ready | You must fix these issues before enrollment. You can't enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them.  |
-| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. |
+| Error | The Microsoft Entra role you're using doesn't have sufficient permissions to run this check. |
 
 ## Step 3: Fix issues with your tenant
 
@@ -104,7 +106,7 @@ Once these actions are complete, you've now successfully enrolled your tenant.
 
 You can choose to delete the data we collect directly within the Readiness assessment tool.
 
-Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a deidentified form.
+Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Microsoft Entra organization (tenant). After 12 months, we retain the data in a deidentified form.
 
 > [!NOTE]
 > Windows Autopatch will only delete the results we collect within the Readiness assessment tool; Autopatch won't delete any other tenant-level data.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index 39f30591e9..8acdf328e5 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -31,10 +31,10 @@ For each check, the tool reports one of four possible results:
 | Ready | No action is required before completing enrollment. |
 | Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.<p><p>You can complete enrollment, but you must fix these issues before you deploy your first device. |
 | Not ready | You must fix these issues before enrollment. You can't enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them.  |
-| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permission to run this check or your tenant isn't properly licensed for Microsoft Intune. |
+| Error | The Microsoft Entra role you're using doesn't have sufficient permission to run this check or your tenant isn't properly licensed for Microsoft Intune. |
 
 > [!NOTE]
-> The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Azure Active Directory (AD), or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies.
+> The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Microsoft Entra ID, or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies.
 
 ## Microsoft Intune settings
 
@@ -48,9 +48,11 @@ Your "Update rings for Windows 10 or later" policy in Intune must not target any
 | ----- | ----- |
 | Advisory |  You have an "update ring" policy that targets all devices, all users, or both. Windows Autopatch creates our own update ring policies during enrollment. To avoid conflicts with Windows Autopatch devices, we exclude our devices group from your existing update ring policies that target all devices, all users, or both. You must consent to this change when you go to enroll your tenant.</p>|
 
-## Azure Active Directory settings
+<a name='azure-active-directory-settings'></a>
 
-You can access Azure Active Directory (AD) settings in the [Azure portal](https://portal.azure.com/).
+## Microsoft Entra settings
+
+You can access Microsoft Entra settings in the [Azure portal](https://portal.azure.com/).
 
 ### Co-management
 
@@ -66,4 +68,4 @@ Windows Autopatch requires the following licenses:
 
 | Result | Meaning |
 | ----- | ----- |
-| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
+| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Microsoft Entra ID P1 or P2, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index 90e7324a39..b0df16842e 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -21,9 +21,9 @@ Getting started with Windows Autopatch has been designed to be easy. This articl
 
 | Area | Prerequisite details |
 | ----- | ----- |
-| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).<p><p>For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).<p><p>For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). |
+| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Microsoft Entra ID P1 or P2 and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).<p><p>For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).<p><p>For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). |
 | Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.<p><p>For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
-| Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.<br><ul><li>For more information, see [Azure Active Directory Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Hybrid Azure Active Directory join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)</li><li>For more information on supported Azure Active Directory Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).</li></ul> |
+| Microsoft Entra ID | Microsoft Entra ID must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Microsoft Entra Connect to enable Microsoft Entra hybrid join.<br><ul><li>For more information, see [Microsoft Entra Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Microsoft Entra hybrid join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)</li><li>For more information on supported Microsoft Entra Connect versions, see [Microsoft Entra Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).</li></ul> |
 | Device management | [Devices must be already enrolled with Microsoft Intune](/mem/intune/user-help/enroll-windows-10-device) prior to registering with Windows Autopatch. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.<p><p>At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).<p>Other device management prerequisites include:<ul><li>Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.</li><li>Devices must be managed by either Intune or Configuration Manager co-management. Devices only managed by Configuration Manager aren't supported.</li><li>Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.</li><li>Devices must be connected to the internet.</li><li>Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate this information fail to meet **Intune or Cloud-attached** prerequisite check.</li></ul><p>See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works with Windows Autopatch.<p>For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).</p> |
 | Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../overview/windows-autopatch-privacy.md). |
 
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index f0c9059f9c..30030ec7cc 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -34,13 +34,15 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr
 
 ### Service principal
 
-Windows Autopatch will create a service principal in your tenant to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is:  
+Windows Autopatch will create a service principal in your tenant to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Microsoft Entra ID](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is:  
 
 - Modern Workplace Customer APIs
 
-## Azure Active Directory groups
+<a name='azure-active-directory-groups'></a>
 
-Windows Autopatch will create the required Azure Active Directory groups to operate the service.
+## Microsoft Entra groups
+
+Windows Autopatch will create the required Microsoft Entra groups to operate the service.
 
 The following groups target Windows Autopatch configurations to devices and management of the service by our [first party enterprise applications](#windows-autopatch-enterprise-applications).
 
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md b/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
index 00eb8bc49b..21d90312fd 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
@@ -26,4 +26,4 @@ Capitalized terms used but not defined herein have the meanings given in the Pro
 
 ## Data Handling
 
-Driver and Firmware Updates Preview integrates Customer Data from other Products, including Windows, Microsoft Intune, Azure Active Directory, and Office (collectively for purposes of this provision "Windows Autopatch Input Services"). Once Customer Data from Windows Autopatch Input Services is integrated into Driver and Firmware Updates Preview, only the Product Terms and [DPA provisions](https://www.microsoft.com/licensing/terms/product/Glossary/all) applicable to Driver and Firmware Updates Preview apply to that data.
+Driver and Firmware Updates Preview integrates Customer Data from other Products, including Windows, Microsoft Intune, Microsoft Entra ID, and Office (collectively for purposes of this provision "Windows Autopatch Input Services"). Once Customer Data from Windows Autopatch Input Services is integrated into Driver and Firmware Updates Preview, only the Product Terms and [DPA provisions](https://www.microsoft.com/licensing/terms/product/Glossary/all) applicable to Driver and Firmware Updates Preview apply to that data.
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index e9e8b08de8..24650e3a33 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
 ---
 title: What's new 2023
 description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 09/11/2023 
+ms.date: 10/27/2023 
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: whats-new
@@ -21,6 +21,20 @@ This article lists new and updated feature releases, and service releases, with
 
 Minor corrections such as typos, style, or formatting issues aren't listed.
 
+## October 2023
+
+### October feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls) | Added more information about the Allow setting in the [Microsoft 365 Apps for enterprise update controls](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls) section |
+
+## October service release
+
+| Message center post number | Description |
+| ----- | ----- |
+| [MC680344](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned Maintenance: Service Improvements |
+
 ## September 2023
 
 ### September feature releases or updates
@@ -33,6 +47,8 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
 
 | Message center post number | Description |
 | ----- | ----- |
+| [MC678305](https://admin.microsoft.com/adminportal/home#/MessageCenter) | September 2023 Windows Autopatch baseline configuration update |
+| [MC678303](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch availability within Microsoft Intune Admin Center |
 | [MC674422](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Public Preview: Windows Autopatch Reliability Report |
 | [MC672750](https://admin.microsoft.com/adminportal/home#/MessageCenter) | August 2023 Windows Autopatch baseline configuration update |
 
diff --git a/windows/hub/breadcrumb/toc.yml b/windows/hub/breadcrumb/toc.yml
index b8fb1254fb..211570e4b0 100644
--- a/windows/hub/breadcrumb/toc.yml
+++ b/windows/hub/breadcrumb/toc.yml
@@ -1,67 +1,3 @@
-items:
-  - name: Docs
-    tocHref: /
-    topicHref: /
-    items:
-      - name: Windows
-        tocHref: /windows/
-        topicHref: /windows/resources/
-        items:
-          - name: What's new
-            tocHref: /windows/whats-new/
-            topicHref: /windows/whats-new/
-          - name: Configuration
-            tocHref: /windows/configuration/
-            topicHref: /windows/configuration/
-          - name: Deployment
-            tocHref: /windows/deployment/
-            topicHref: /windows/deployment/
-            items:
-              - name: Delivery Optimization
-                tocHref: /windows/deployment/do/
-                topicHref: /windows/deployment/do/
-          - name: Application management
-            tocHref: /windows/application-management/
-            topicHref: /windows/application-management/
-          - name: Client management
-            tocHref: /windows/client-management/
-            topicHref: /windows/client-management/
-            items:
-              - name: CSP reference
-                tocHref: /windows/client-management/mdm/
-                topicHref: /windows/client-management/mdm/
-          - name: Privacy
-            tocHref: /windows/privacy/
-            topicHref: /windows/privacy/
-          - name: Security
-            tocHref: /windows/security/
-            topicHref: /windows/security/
-            items:
-              - name: Hardware security
-                tocHref: /windows/security/hardware-security/
-                topicHref: /windows/security/hardware-security/
-              - name: Operating system security
-                tocHref: /windows/security/operating-system-security/
-                topicHref: /windows/security/operating-system-security/
-              - name: Identity protection
-                tocHref: /windows/security/identity-protection/
-                topicHref: /windows/security/identity-protection/
-              - name: Application security
-                tocHref: /windows/security/application-security/
-                topicHref: /windows/security/application-security/
-                items:
-                  - name: Application Control for Windows
-                    tocHref: /windows/security/application-security/application-control/windows-defender-application-control/
-                    topicHref: /windows/security/application-security/application-control/windows-defender-application-control/
-                  - name: Microsoft Defender Application Guard
-                    tocHref: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/
-                    topicHref: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
-              - name: Security foundations
-                tocHref: /windows/security/security-foundations/
-                topicHref: /windows/security/security-foundations/
-              - name: Security auditing
-                tocHref: /windows/security/threat-protection/auditing/
-                topicHref: /windows/security/threat-protection/auditing/security-auditing-overview
-              - name: Security policy settings
-                tocHref: /windows/security/threat-protection/security-policy-settings/
-                topicHref: /windows/security/threat-protection/security-policy-settings/security-policy-settings
\ No newline at end of file
+- name: Windows
+  tocHref: /windows/
+  topicHref: /windows/index
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index b341fb250c..83dda7c0fe 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -15,7 +15,7 @@ metadata:
   author: paolomatarazzo
   ms.author: paoloma
   manager: aaroncz
-  ms.date: 06/20/2023
+  ms.date: 09/26/2023
 
 highlightedContent:
   items:
@@ -34,15 +34,19 @@ highlightedContent:
   - title: Windows commercial licensing
     itemType: overview
     url: /windows/whats-new/windows-licensing
+  - title: Copilot in Windows
+    itemType: how-to-guide
+    url: /windows/client-management/manage-windows-copilot
   - title: Windows 365 documentation
     itemType: overview
     url: /windows-365
   - title: Explore all Windows trainings and learning paths for IT pros
     itemType: learn
     url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator
-  - title: Enroll Windows client devices in Microsoft Intune
-    itemType: how-to-guide
-    url: /mem/intune/fundamentals/deployment-guide-enrollment-windows
+
+#  - title: Enroll Windows client devices in Microsoft Intune
+#    itemType: how-to-guide
+#    url: /mem/intune/fundamentals/deployment-guide-enrollment-windows
 
 productDirectory:
   title: Get started
@@ -69,10 +73,10 @@ productDirectory:
       links:
         - url: /windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines
           text: Windows security baselines
-        - url: /windows/security/identity-protection/credential-guard/credential-guard-how-it-works
-          text: Credential Guard
-        - url: /windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust
-          text: Windows Hello for Business cloud Kerberos trust
+        - url: /windows/security/identity-protection/hello-for-business
+          text: Windows Hello for Business
+        - url: /windows/security/identity-protection/web-sign-in
+          text: Web sign-in for Windows
         - url: /windows/security/threat-protection/windows-defender-application-control
           text: Windows Defender Application Control (WDAC)
         - url: /windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
@@ -105,8 +109,8 @@ productDirectory:
           text: Configuration Service Provider (CSP)
         - url: /windows/client-management/administrative-tools-in-windows-10
           text: Windows administrative tools
-        - url: /windows/client-management/client-tools/quick-assist
-          text: Use Quick Assist to help users
+        - url: /windows/client-management/manage-windows-copilot
+          text: Manage Copilot in Windows
         - url: /windows/application-management/index
           text: Learn more about application management >
         - url: /windows/client-management
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index 8c7588deb0..3d03e6bc7b 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -7,7 +7,7 @@ localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: laurawi
-ms.date: 05/23/2023
+ms.date: 09/26/2023
 ms.topic: reference
 ---
 
@@ -1749,6 +1749,30 @@ The following fields are available:
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
+### Microsoft.Windows.Appraiser.General.SystemProcessorPopCntAdd
+
+This event sends data indicating whether the system supports the PopCnt CPU requirement for newer versions of Windows, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion**  Appraiser version
+- **Blocking**  Is the upgrade blocked due to the processor missing the PopCnt instruction?
+- **PopCntPassed**  Whether the machine passes the latest OS hardware requirements or not for the PopCnt instruction.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPopCntStartSync
+
+The SystemProcessorPopCntStartSync event indicates that a new set of SystemProcessorPopCntAdd events will be sent. This event is used to understand if the system supports the PopCnt CPU requirement for newer versions of Windows.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion**  Appraiser version
+
+
 ### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
 
 This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date.
@@ -2148,7 +2172,7 @@ This event sends data about Azure presence, type, and cloud domain use in order
 
 The following fields are available:
 
-- **AADDeviceId**  Azure Active Directory device ID.
+- **AADDeviceId**  Microsoft Entra ID device ID.
 - **AzureOSIDPresent**  Represents the field used to identify an Azure machine.
 - **AzureVMType**  Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
 - **CDJType**  Represents the type of cloud domain joined for the machine.
@@ -2156,7 +2180,7 @@ The following fields are available:
 - **ContainerType**  The type of container, such as process or virtual machine hosted.
 - **EnrollmentType**  Defines the type of MDM enrollment on the device.
 - **HashedDomain**  The hashed representation of the user domain used for login.
-- **IsCloudDomainJoined**  Is this device joined to an Azure Active Directory (AAD) tenant? true/false
+- **IsCloudDomainJoined**  Is this device joined to a Microsoft Entra tenant? true/false
 - **IsDERequirementMet**  Represents if the device can do device encryption.
 - **IsDeviceProtected**  Represents if Device protected by BitLocker/Device Encryption
 - **IsDomainJoined**  Indicates whether a machine is joined to a domain.
@@ -2164,7 +2188,7 @@ The following fields are available:
 - **IsMDMEnrolled**  Whether the device has been MDM Enrolled or not.
 - **MPNId**  Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
 - **SCCMClientId**  This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment.
-- **ServerFeatures**  Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **ServerFeatures**  Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
 - **SystemCenterID**  The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
 
 
@@ -2586,6 +2610,17 @@ The following fields are available:
 
 ## Code Integrity events
 
+### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.AutoEnablementIsBlocked
+
+Indicates if OEM attempted to block autoenablement via regkey.
+
+The following fields are available:
+
+- **BlockHvciAutoenablement**  True if auto-enablement was successfully blocked, false otherwise.
+- **BlockRequested**  Whether an autoenablement block was requested.
+- **Scenario**  Used to differentiate VBS and HVCI paths.
+
+
 ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Compatibility
 
 Fires when the compatibility check completes. Gives the results from the check.
@@ -2596,6 +2631,18 @@ The following fields are available:
 - **Issues**  If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: [Check results of HVCI default enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-hvci-default-enablement).
 
 
+### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Enabled
+
+Fires when auto-enablement is successful and HVCI is being enabled on the device.
+
+The following fields are available:
+
+- **Error**  Error code if there was an issue during enablement
+- **Scenario**  Indicates whether enablement was for VBS vs HVCI
+- **SuccessfullyEnabled**  Indicates whether enablement was successful
+- **Upgrade**  Indicates whether the event was fired during upgrade (rather than clean install)
+
+
 ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HVCIActivity
 
 Fires at the beginning and end of the HVCI auto-enablement process in sysprep.
@@ -3368,7 +3415,7 @@ The following fields are available:
 - **ClientID**  Client ID being run.
 - **CoordinatorVersion**  Coordinator version of DTU.
 - **CV**  Correlation vector.
-- **IsDeviceAADDomainJoined**  Indicates whether the device is logged in to the AAD (Azure Active Directory) domain.
+- **IsDeviceAADDomainJoined**  Indicates whether the device is logged in to the Microsoft Entra domain.
 - **IsDeviceADDomainJoined**  Indicates whether the device is logged in to the AD (Active Directory) domain.
 - **IsDeviceCloverTrail**  Indicates whether the device has a Clover Trail system installed.
 - **IsDeviceFeatureUpdatingPaused**  Indicates whether Feature Update is paused on the device.
@@ -5756,6 +5803,44 @@ The following fields are available:
 - **totalRuns**  Total number of running/evaluation from last time.
 
 
+## Other events
+
+### Microsoft.Windows.Defender.Engine.Maps.Heartbeat
+
+Heartbeat is sent once a day to indicate Defender is running and functional. Event includes necessary information to understand health of Defender on the device.
+
+The following fields are available:
+
+- **AppVersion**  Version of the Defender platform
+- **CampRing**  Camp ring used for monthly deployment
+- **CfaMode**  State of Controlled Folder Access
+- **ConsumerAsrMode**  State of Attack Surface Reduction
+- **CountAsrRules**  Number of Attack Surface Reduction rules in place
+- **EngineRing**  Engine ring used for monthly deployment
+- **EngineVersion**  Version of the AntiMalware Engine
+- **HeartbeatType**  Enum of the reason the heartbeat is collected
+- **IsAsrAnyAudit**  Flag to indicate if any Attack Surface Reduction rules are running in Audit mode
+- **IsAsrAnyBlock**  Flag to indicate if any Attack Surface Reduction rules are running in Block mode
+- **IsBeta**  Flag to indicate if the user has opted in for Beta updates for Defender
+- **IsManaged**  Flag to indicate if Defender is running in manage mode
+- **IsPassiveMode**  Flag to indicate if Defender is in Passive mode for ATP
+- **IsSxsPassiveMode**  Flag to indicate if Defender is in Passive mode for Limited periodic scanning
+- **ProductGuid**  Defender Product Guid (static for Defender)
+- **PusMode**  Mode for blocking potentially unwanted software
+- **ShouldHashIds**  Do we have ISO Compliance requirement to hash IDs for e5
+- **SignatureRing**  Signature ring used for deployments
+- **SigVersion**  Version of signature VDMs
+
+
+### Microsoft.Windows.SecureBootTelemetry.SecureBootEncodeUEFI
+
+Information about Secure Boot configuration including the PK, KEKs, DB and DBX files on the device.
+
+The following fields are available:
+
+- **SecureBootUEFIEncoding**  Information about the PK, KEKs, DB and DBX files on the device.
+
+
 ## Privacy consent logging events
 
 ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
@@ -6633,7 +6718,7 @@ The following fields are available:
 - **CachedEngineVersion**  For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
 - **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client.
 - **CapabilityDetectoidGuid**  The GUID for a hardware applicability detectoid that could not be evaluated.
-- **CDNCountryCode**  Two letter country abbreviation for the Content Distribution Network (CDN) location.
+- **CDNCountryCode**  Two letter country or region abbreviation for the Content Distribution Network (CDN) location.
 - **CDNId**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
 - **ClientVersion**  The version number of the software distribution client.
 - **CommonProps**  A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0.
@@ -6757,7 +6842,7 @@ The following fields are available:
 - **CallerApplicationName**  The name provided by the application that initiated API calls into the software distribution client.
 - **CbsDownloadMethod**  Indicates whether the download was a full- or a partial-file download.
 - **CbsMethod**  The method used for downloading the update content related to the Component Based Servicing (CBS) technology.
-- **CDNCountryCode**  Two letter country abbreviation for the Content Distribution Network (CDN) location.
+- **CDNCountryCode**  Two letter country or region abbreviation for the Content Distribution Network (CDN) location.
 - **CDNId**  ID which defines which CDN the software distribution client downloaded the content from.
 - **ClientVersion**  The version number of the software distribution client.
 - **CommonProps**  A bitmask for future flags associated with the Windows Update client behavior.
@@ -9667,10 +9752,10 @@ The following fields are available:
 - **CV**  The correlation vector.
 - **GlobalEventCounter**  Counts the events at the global level for telemetry.
 - **PackageVersion**  The package version for currency tools.
-- **UnifiedInstallerDeviceAADJoinedHresult**  The result code after checking if device is AAD joined.
+- **UnifiedInstallerDeviceAADJoinedHresult**  The result code after checking if device is Microsoft Entra joined.
 - **UnifiedInstallerDeviceInDssPolicy**  Boolean indicating whether the device is found to be in a DSS policy.
 - **UnifiedInstallerDeviceInDssPolicyHresult**  The result code for checking whether the device is found to be in a DSS policy.
-- **UnifiedInstallerDeviceIsAADJoined**  Boolean indicating whether a device is AADJ.
+- **UnifiedInstallerDeviceIsAADJoined**  Boolean indicating whether a device is Microsoft Entra joined.
 - **UnifiedInstallerDeviceIsAdJoined**  Boolean indicating whether a device is AD joined.
 - **UnifiedInstallerDeviceIsAdJoinedHresult**  The result code for checking whether a device is AD joined.
 - **UnifiedInstallerDeviceIsEducationSku**  Boolean indicating whether a device is Education SKU.
@@ -9752,7 +9837,7 @@ The following fields are available:
 
 ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin
 
-This event is sent when the device is not joined to AAD. The data collected with this event is used to help keep Windows up to date and secure.
+This event is sent when the device is not Microsoft Entra joined. The data collected with this event is used to help keep Windows up to date and secure.
 
 The following fields are available:
 
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index 44e5b9392e..35522da4b4 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -57,7 +57,10 @@
         "jborsecnik",
         "tiburd",
         "garycentric",
-        "beccarobins"
+        "beccarobins",        
+        "Stacyrch140",
+        "v-stsavell",
+        "American-Dipper"
       ]
     },
       "searchScope": ["Windows 10"]
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 9407853770..c487f33918 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1933,7 +1933,7 @@ To turn off these recommendations, you can use any of the following methods:
 - In Group Policy, set the "Remove Recommended from Start Menu" policy to Enabled under **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**.
 - In an MDM solution, such as Microsoft Intune, you can use the [HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) setting in the Start Policy configuration service provider (CSP).
 - In the registry, you can set **HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs** to 0.
-- In the UI, you can turn off **Show recommendations for tips, shortcuts, new apps, and more** under **Settings** > **Personalization** > **Start**.
+- In the UI, you can turn off **Show recently opened items in Start, Jump Lists, and File Explorer** under **Settings** > **Personalization** > **Start**.
 
 ### <a href="" id="bkmk-allowedtraffic"></a> Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline
 
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index ae9fabcf1a..79bba0d70f 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -7,7 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: laurawi
-ms.date: 06/23/2023
+ms.date: 10/06/2023
 ms.topic: reference
 ---
 
@@ -34,7 +34,7 @@ The following methodology was used to derive these network endpoints:
 2. Leave the device(s) running idle for a week ("idle" means a user isn't interacting with the system/device).
 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
 4. Compile reports on traffic going to public IP addresses.
-5. The test virtual machine(s) was logged into using a local account, and wasn't joined to a domain or Azure Active Directory.
+5. The test virtual machine(s) was logged into using a local account, and wasn't joined to a domain or Microsoft Entra ID.
 6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@@ -54,6 +54,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
 ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net|
 |Certificates|||[Learn how to turn off traffic to all of the following endpoint(s) for certificates.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
 ||Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or isn't trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they didn't receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. |TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
+|||HTTP|ocsp.digicert.com|
 |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s) for Cortana and Live Tiles.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
 ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you'll block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
 |||HTTPS|business.bing.com|
@@ -66,11 +67,20 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
 |||HTTP|dual-s-ring.msedge.net|
 |||HTTP|creativecdn.com|
 |||HTTP|edgeassetservice.azureedge.net|
+|||HTTP|r.bing.com|
+|||HTTPS|a-ring-fallback.msedge.net|
+|||HTTPS|fp-afd-nocache-ccp.azureedge.net|
+|||TLSv1.2|prod-azurecdn-akamai-iris.azureedge.net|
+|||TLSv1.2|widgetcdn.azureedge.net|
+|||TLSv1.2|widgetservice.azurefd.net|
 |Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s) for device authentication.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
 ||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device won't be authenticated.|HTTPS|login.live.com*|
 |Device metadata|||[Learn how to turn off traffic to all of the following endpoint(s) for device metadata.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
 ||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata won't be updated for the device.|HTTP|dmd.metaservices.microsoft.com|
 |Diagnostic Data| ||[Learn how to turn off traffic to all of the following endpoint(s) for diagnostic data.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|||TLSv1.2|functional.events.data.microsoft.com|
+|||HTTP|browser.events.data.msn.com|
+|||TLSv1.2/HTTP|www.microsoft.com|
 ||The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft.|TLSv1.2/HTTP|self.events.data.microsoft.com|
 |||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com|
 ||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information won't be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
@@ -89,6 +99,13 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
 |||HTTPS|weathermapdata.blob.core.windows.net|
 |Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft account.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
 ||The following endpoint is used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users can't sign in with Microsoft accounts. |TLSv1.2/HTTPS/HTTP|login.live.com|
+|Microsoft Defender Antivirus|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft Defender Antivirus.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
+||The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.|TLSv1.2/HTTPS|wdcp.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*smartscreen-prod.microsoft.com|
+|||HTTPS/HTTP|checkappexec.microsoft.com|
+|||TLSv1.2/HTTP|ping-edge.smartscreen.microsoft.com|
+|||HTTP|data-edge.smartscreen.microsoft.com|
+|||TLSv1.2|nav-edge.smartscreen.microsoft.com|
 |Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft Edge.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
 |||TLSv1.2/HTTP|edge.microsoft.com|
 |||TLSv1.2/HTTP|windows.msn.com|
@@ -106,14 +123,13 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
 |||HTTP|share.microsoft.com|
 ||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
 |Microsoft To Do|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft To Do.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
-||The following endpoints are used for the Microsoft To Do app.|HTTP|staging.to-do.officeppe.com|
-|||HTTP|staging.to-do.microsoft.com|
+||The following endpoints are used for the Microsoft To Do app.|HTTP|staging.to-do.microsoft.com|
 |||TLSv1.2/HTTP|to-do.microsoft.com|
 |Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s) for Network Connection Status Indicator (NCSI).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
 ||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the internet, and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*|
 |||HTTP|ipv6.msftconnecttest.com|
 |Office|||[Learn how to turn off traffic to all of the following endpoint(s) for Office.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
-||The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTPS|www.office.com|
+||The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTPS|www.office.com|
 |||HTTPS|blobs.officehome.msocdn.com|
 |||HTTPS|officehomeblobs.blob.core.windows.net|
 |||HTTPS|self.events.data.microsoft.com|
@@ -121,6 +137,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
 |||HTTP|officeclient.microsoft.com|
 |||HTTP|ecs.nel.measure.office.net|
 |||HTTPS/HTTP|telecommandstorageprod.blob.core.windows.net|
+|||TLSv1.2|odc.officeapps.live.com|
 |OneDrive|||[Learn how to turn off traffic to all of the following endpoint(s) for OneDrive.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)|
 ||The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|TLSv1.2/HTTPS/HTTP|g.live.com|
 |||HTTP|onedrive.live.com|
@@ -136,10 +153,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
 ||The following endpoints are used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
 |||HTTP|teams.live.com|
 |||TLSv1.2/HTTP|teams.events.data.microsoft.com|
-|Microsoft Defender Antivirus|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft Defender Antivirus.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
-||The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.|HTTPS/TLSv1.2|wdcp.microsoft.com|
-||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*smartscreen-prod.microsoft.com|
-|||HTTPS/HTTP|checkappexec.microsoft.com|
+|||HTTP|statics.teams.cdn.live.net|
 |Windows Spotlight|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Spotlight.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
 ||The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. |TLSv1.2/HTTPS/HTTP|arc.msn.com|
 |||HTTPS|ris.api.iris.microsoft.com|
@@ -150,7 +164,9 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
 |||HTTP|srtb.msn.com|
 |||TLSv1.2/HTTP|www.msn.com|
 |||TLSv1.2/HTTP|fd.api.iris.microsoft.com|
+|||TLSv1.2|staticview.msn.com|
 |Windows Update|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Update.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
+|||TLSv1.2|definitionupdates.microsoft.com|
 ||The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
 |||HTTP|emdl.ws.microsoft.com|
 ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device won't be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
@@ -160,9 +176,10 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
 ||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
 ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint, and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
 |Xbox Live|||[Learn how to turn off traffic to all of the following endpoint(s) for Xbox Live.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
-||The following endpoint is used for Xbox Live.|HTTPS|dlassets-ssl.xboxlive.com|
+||The following endpoints are used for Xbox Live.|HTTPS|dlassets-ssl.xboxlive.com|
+|||TLSv1.2|da.xboxservices.com|
 
 ## Related links
 
 - [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
-- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
+- [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
index 02a50f6187..6ec3eb3ad7 100644
--- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
+++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
@@ -8,7 +8,7 @@ localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: laurawi
-ms.date: 05/23/2023
+ms.date: 09/26/2023
 ms.topic: reference
 ---
 
@@ -757,6 +757,30 @@ The following fields are available:
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
+### Microsoft.Windows.Appraiser.General.SystemProcessorPopCntAdd
+
+This event sends data indicating whether the system supports the PopCnt CPU requirement for newer versions of Windows, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion**  Appraiser version
+- **Blocking**  Is the upgrade blocked due to the processor missing the PopCnt instruction?
+- **PopCntPassed**  Whether the machine passes the latest OS hardware requirements or not for the PopCnt instruction.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPopCntStartSync
+
+The SystemProcessorPopCntStartSync event indicates that a new set of SystemProcessorPopCntAdd events will be sent. This event is used to understand if the system supports the PopCnt CPU requirement for newer versions of Windows.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion**  Appraiser version.
+
+
 ### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
 
 This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date.
@@ -967,7 +991,7 @@ This event sends data about Azure presence, type, and cloud domain use in order
 
 The following fields are available:
 
-- **AADDeviceId**  Azure Active Directory device ID.
+- **AADDeviceId**  Microsoft Entra ID device ID.
 - **AzureOSIDPresent**  Represents the field used to identify an Azure machine.
 - **AzureVMType**  Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
 - **CDJType**  Represents the type of cloud domain joined for the machine.
@@ -975,7 +999,7 @@ The following fields are available:
 - **ContainerType**  The type of container, such as process or virtual machine hosted.
 - **EnrollmentType**  Defines the type of MDM enrollment on the device.
 - **HashedDomain**  The hashed representation of the user domain used for login.
-- **IsCloudDomainJoined**  Is this device joined to an Azure Active Directory (AAD) tenant? true/false
+- **IsCloudDomainJoined**  Is this device joined to a Microsoft Entra tenant? true/false
 - **IsDERequirementMet**  Represents if the device can do device encryption.
 - **IsDeviceProtected**  Represents if Device protected by BitLocker/Device Encryption
 - **IsEDPEnabled**  Represents if Enterprise data protected on the device.
@@ -2126,7 +2150,7 @@ The following fields are available:
 - **appNextVersion**  The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'.
 - **appPingEventAppSize**  The total number of bytes of all downloaded packages. Default: '0'.
 - **appPingEventDoneBeforeOOBEComplete**  Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply.
-- **appPingEventDownloadMetricsCdnCCC**  ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US.
+- **appPingEventDownloadMetricsCdnCCC**  ISO 2 character country or region code that matches to the country or region updated binaries are delivered from. E.g.: US.
 - **appPingEventDownloadMetricsCdnCID**  Numeric value used to internally track the origins of the updated binaries. For example, 2.
 - **appPingEventDownloadMetricsDownloadedBytes**  For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
 - **appPingEventDownloadMetricsDownloader**  A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''.
@@ -2253,6 +2277,31 @@ The following fields are available:
 - **windowInstanceId**  Unique value for each window instance.
 
 
+### Microsoft.Windows.Defender.Engine.Maps.Heartbeat
+
+Heartbeat is sent once a day to indicate Defender is running and functional. Event includes necessary information to understand health of Defender on the device.
+
+The following fields are available:
+
+- **AppVersion**  Version of the Defender platform
+- **CampRing**  Camp ring used for monthly deployment
+- **CfaMode**  State of Controlled Folder Access
+- **ConsumerAsrMode**  State of Attack Surface Reduction
+- **CountAsrRules**  Number of Attack Surface Reduction rules in place
+- **EngineRing**  Engine ring used for monthly deployment
+- **EngineVersion**  Version of the AntiMalware Engine
+- **IsAsrAnyAudit**  Flag to indicate if any Attack Surface Reduction rules are running in Audit mode
+- **IsAsrAnyBlock**  Flag to indicate if any Attack Surface Reduction rules are running in Block mode
+- **IsBeta**  Flag to indicate if the user has opted in for Beta updates for Defender.
+- **IsManaged**  Flag to indicate if Defender is running in manage mode
+- **IsPassiveMode**  Flag to indicate if Defender is in Passive mode for ATP
+- **IsSxsPassiveMode**  Flag to indicate if Defender is in Passive mode for Limited periodic scanning
+- **ProductGuid**  Defender Product Guid (static for Defender).
+- **PusMode**  Mode for blocking potentially unwanted software
+- **ShouldHashIds**  Do we have ISO Compliance requirement to hash IDs for e5
+- **SignatureRing**  Signature ring used for deployments
+- **SigVersion**  Version of signature VDMs
+
 ## Privacy consent logging events
 
 ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
@@ -2281,6 +2330,29 @@ The following fields are available:
 - **TargetPath**  (Optional) If the operation is a move, the target path to which the file or directory is being moved.
 
 
+### Microsoft.Windows.Setup.WinSetupMon.TraceError
+
+Provides details about error in the functioning of upgrade data safety monitoring filter driver.
+
+The following fields are available:
+
+- **Message**  Text string describing the error condition.
+- **SessionId**  Identifier to correlate this component's telemetry with that of others.
+- **Status**  	NTSTATUS code related to the error.
+
+
+### Microsoft.Windows.Setup.WinSetupMon.TraceErrorVolume
+
+Provides details about error in the functioning of upgrade data safety monitoring filter driver, related to a specific volume (drive).
+
+The following fields are available:
+
+- **Message**  Text string describing the error condition.
+- **SessionId**  Identifier to correlate this component's telemetry with that of others.
+- **Status**  NTSTATUS code related to the error.
+- **Volume**  Path of the volume on which the error occurs
+
+
 ### SetupPlatformTel.SetupPlatformTelEvent
 
 This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios, to help keep Windows up to date.
@@ -3374,6 +3446,26 @@ The following fields are available:
 - **updateId**  Unique identifier for each update.
 
 
+### Microsoft.Windows.Update.Orchestrator.ScheduledScanBeforeInitialLogon
+
+Indicates that a scan before an initial logon is being scheduled
+
+The following fields are available:
+
+- **deferDurationInMinutes**  The delay in minutes until the scan for updates is performed.
+
+
+### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
+
+This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **configuredPoliciescount**  Number of policies on the device.
+- **policiesNamevaluesource**  Policy name and source of policy (group policy, MDM or flight).
+- **updateInstalluxsetting**  Indicates whether a user has set policies via a user experience option.
+
+
 ### Microsoft.Windows.Update.SIHClient.TaskRunCompleted
 
 This event is a launch event for Server Initiated Healing client.
@@ -3430,6 +3522,23 @@ The following fields are available:
 - **UusVersion**  The version of the Update Undocked Stack.
 
 
+### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegrityGeneral
+
+Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack
+
+The following fields are available:
+
+- **CallerName**  Name of the application making the Windows Update Request. Used to identify context of the request.
+- **EndpointUrl**  Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack.
+- **ExtendedStatusCode**  Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **MetadataIntegrityMode**  Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **RawMode**  Raw unparsed mode string from the SLS response. May be null if not applicable.
+- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
+- **SLSPrograms**  A test program a machine may be opted in. Examples include "Canary" and "Insider Fast".
+- **StatusCode**  Result code of the event (success, cancellation, failure code HResult)
+- **UusVersion**  The version of the Update Undocked Stack
+
+
 ### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit
 
 This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly.
@@ -3482,7 +3591,4 @@ The following fields are available:
 - **ScenarioSupported**  Whether the updated scenario that was passed in was supported.
 - **SessionId**  The UpdateAgent “SessionId” value.
 - **UpdateId**  Unique identifier for the Update.
-- **WuId**  Unique identifier for the Windows Update client.
-
-
-
+- **WuId**  Unique identifier for the Windows Update client.
\ No newline at end of file
diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
index 439810cc47..5a65ea94c0 100644
--- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
+++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
@@ -7,7 +7,7 @@ localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: laurawi
-ms.date: 05/23/2023
+ms.date: 09/26/2023
 ms.collection: highpri
 ms.topic: reference
 ---
@@ -37,7 +37,6 @@ You can learn more about Windows functional and diagnostic data through these ar
 - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
 - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
 
-
 ## AppPlatform events
 
 ### AppPlatform.InstallActivity
@@ -157,7 +156,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
 
 The following fields are available:
 
-- **AppraiserVersion**  The version of the appraiser binary generating the events.
+- **AppraiserVersion** The version of the appraiser binary generating the events.
 - **SdbEntries**  Indicates if any matching compat Sdb entries are associated with this application
 
 
@@ -1182,6 +1181,19 @@ The following fields are available:
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
+### Microsoft.Windows.Appraiser.General.SystemProcessorPopCntAdd
+
+This event sends data indicating whether the system supports the PopCnt CPU requirement for newer versions of Windows, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion**  Appraiser version
+- **Blocking**  Is the upgrade blocked due to the processor missing the PopCnt instruction?
+- **PopCntPassed**  Whether the machine passes the latest OS hardware requirements or not for the PopCnt instruction.
+
+
 ### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
 
 This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date.
@@ -1462,7 +1474,7 @@ This event sends data about Azure presence, type, and cloud domain use in order
 
 The following fields are available:
 
-- **AADDeviceId**  Azure Active Directory device ID.
+- **AADDeviceId**  Microsoft Entra ID device ID.
 - **AzureOSIDPresent**  Represents the field used to identify an Azure machine.
 - **AzureVMType**  Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
 - **CDJType**  Represents the type of cloud domain joined for the machine.
@@ -1470,7 +1482,7 @@ The following fields are available:
 - **ContainerType**  The type of container, such as process or virtual machine hosted.
 - **EnrollmentType**  Defines the type of MDM enrollment on the device.
 - **HashedDomain**  The hashed representation of the user domain used for login.
-- **IsCloudDomainJoined**  Is this device joined to an Azure Active Directory (AAD) tenant? true/false
+- **IsCloudDomainJoined**  Is this device joined to a Microsoft Entra tenant? true/false
 - **IsDERequirementMet**  Represents if the device can do device encryption.
 - **IsDeviceProtected**  Represents if Device protected by BitLocker/Device Encryption
 - **IsEDPEnabled**  Represents if Enterprise data protected on the device.
@@ -1478,7 +1490,7 @@ The following fields are available:
 - **MDMServiceProvider**  A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device.
 - **MPNId**  Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
 - **SCCMClientId**  This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment.
-- **ServerFeatures**  Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **ServerFeatures**  Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
 - **SystemCenterID**  The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
 
 
@@ -1941,6 +1953,7 @@ The following fields are available:
 
 - **wilActivity**  Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure.
 
+
 ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciAlreadyEnabled
 
 Fires when HVCI is already enabled so no need to continue auto-enablement.
@@ -2371,6 +2384,78 @@ The following fields are available:
 
 ## Diagnostic data events
 
+### TelClientSynthetic.AbnormalShutdown_0
+
+This event sends data about boot IDs for which a normal clean shutdown was not observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **AbnormalShutdownBootId**  BootId of the abnormal shutdown being reported by this event.
+- **AbsCausedbyAutoChk**  This flag is set when AutoCheck forces a device restart to indicate that the shutdown was not an abnormal shutdown.
+- **AcDcStateAtLastShutdown**  Identifies if the device was on battery or plugged in.
+- **BatteryLevelAtLastShutdown**  The last recorded battery level.
+- **BatteryPercentageAtLastShutdown**  The battery percentage at the last shutdown.
+- **CrashDumpEnabled**  Are crash dumps enabled?
+- **CumulativeCrashCount**  Cumulative count of operating system crashes since the BootId reset.
+- **CurrentBootId**  BootId at the time the abnormal shutdown event was being reported.
+- **Firmwaredata->ResetReasonEmbeddedController**  The reset reason that was supplied by the firmware.
+- **Firmwaredata->ResetReasonEmbeddedControllerAdditional**  Additional data related to reset reason provided by the firmware.
+- **Firmwaredata->ResetReasonPch**  The reset reason that was supplied by the hardware.
+- **Firmwaredata->ResetReasonPchAdditional**  Additional data related to the reset reason supplied by the hardware.
+- **Firmwaredata->ResetReasonSupplied**  Indicates whether the firmware supplied any reset reason or not.
+- **FirmwareType**  ID of the FirmwareType as enumerated in DimFirmwareType.
+- **HardwareWatchdogTimerGeneratedLastReset**  Indicates whether the hardware watchdog timer caused the last reset.
+- **HardwareWatchdogTimerPresent**  Indicates whether hardware watchdog timer was present or not.
+- **InvalidBootStat**  This is a sanity check flag that ensures the validity of the bootstat file.
+- **LastBugCheckBootId**  bootId of the last captured crash.
+- **LastBugCheckCode**  Code that indicates the type of error.
+- **LastBugCheckContextFlags**  Additional crash dump settings.
+- **LastBugCheckOriginalDumpType**  The type of crash dump the system intended to save.
+- **LastBugCheckOtherSettings**  Other crash dump settings.
+- **LastBugCheckParameter1**  The first parameter with additional info on the type of the error.
+- **LastBugCheckProgress**  Progress towards writing out the last crash dump.
+- **LastBugCheckVersion**  The version of the information struct written during the crash.
+- **LastSuccessfullyShutdownBootId**  BootId of the last fully successful shutdown.
+- **LongPowerButtonPressDetected**  Identifies if the user was pressing and holding power button.
+- **LongPowerButtonPressInstanceGuid**  The Instance GUID for the user state of pressing and holding the power button.
+- **OOBEInProgress**  Identifies if OOBE is running.
+- **OSSetupInProgress**  Identifies if the operating system setup is running.
+- **PowerButtonCumulativePressCount**  How many times has the power button been pressed?
+- **PowerButtonCumulativeReleaseCount**  How many times has the power button been released?
+- **PowerButtonErrorCount**  Indicates the number of times there was an error attempting to record power button metrics.
+- **PowerButtonLastPressBootId**  BootId of the last time the power button was pressed.
+- **PowerButtonLastPressTime**  Date and time of the last time the power button was pressed.
+- **PowerButtonLastReleaseBootId**  BootId of the last time the power button was released.
+- **PowerButtonLastReleaseTime**  Date and time of the last time the power button was released.
+- **PowerButtonPressCurrentCsPhase**  Represents the phase of Connected Standby exit when the power button was pressed.
+- **PowerButtonPressIsShutdownInProgress**  Indicates whether a system shutdown was in progress at the last time the power button was pressed.
+- **PowerButtonPressLastPowerWatchdogStage**  Progress while the monitor is being turned on.
+- **PowerButtonPressPowerWatchdogArmed**  Indicates whether or not the watchdog for the monitor was active at the time of the last power button press.
+- **ShutdownDeviceType**  Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API.
+- **SleepCheckpoint**  Provides the last checkpoint when there is a failure during a sleep transition.
+- **SleepCheckpointSource**  Indicates whether the source is the EFI variable or bootstat file.
+- **SleepCheckpointStatus**  Indicates whether the checkpoint information is valid.
+- **StaleBootStatData**  Identifies if the data from bootstat is stale.
+- **TransitionInfoBootId**  BootId of the captured transition info.
+- **TransitionInfoCSCount**  l number of times the system transitioned from Connected Standby mode.
+- **TransitionInfoCSEntryReason**  Indicates the reason the device last entered Connected Standby mode.
+- **TransitionInfoCSExitReason**  Indicates the reason the device last exited Connected Standby mode.
+- **TransitionInfoCSInProgress**  At the time the last marker was saved, the system was in or entering Connected Standby mode.
+- **TransitionInfoLastReferenceTimeChecksum**  The checksum of TransitionInfoLastReferenceTimestamp,
+- **TransitionInfoLastReferenceTimestamp**  The date and time that the marker was last saved.
+- **TransitionInfoLidState**  Describes the state of the laptop lid.
+- **TransitionInfoPowerButtonTimestamp**  The date and time of the last time the power button was pressed.
+- **TransitionInfoSleepInProgress**  At the time the last marker was saved, the system was in or entering sleep mode.
+- **TransitionInfoSleepTranstionsToOn**  Total number of times the device transitioned from sleep mode.
+- **TransitionInfoSystemRunning**  At the time the last marker was saved, the device was running.
+- **TransitionInfoSystemShutdownInProgress**  Indicates whether a device shutdown was in progress when the power button was pressed.
+- **TransitionInfoUserShutdownInProgress**  Indicates whether a user shutdown was in progress when the power button was pressed.
+- **TransitionLatestCheckpointId**  Represents a unique identifier for a checkpoint during the device state transition.
+- **TransitionLatestCheckpointSeqNumber**  Represents the chronological sequence number of the checkpoint.
+- **TransitionLatestCheckpointType**  Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational.
+- **VirtualMachineId**  If the operating system is on a virtual Machine, it gives the virtual Machine ID (GUID) that can be used to correlate events on the host.
+
+
 ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
 
 This event is fired by UTC at state transitions to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
@@ -3375,7 +3460,7 @@ The following fields are available:
 - **DriverIsKernelMode**  Is it a kernel mode driver?
 - **DriverName**  The file name of the driver.
 - **DriverPackageStrongName**  The strong name of the driver package
-- **DriverSigned**  Is the driver signed?
+- **DriverSigned** Is the driver signed?
 - **DriverTimeStamp**  The low 32 bits of the time stamp of the driver file.
 - **DriverType**  A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000.
 - **DriverVersion**  The version of the driver file.
@@ -3689,7 +3774,7 @@ The following fields are available:
 - **appNextVersion**  The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'.
 - **appPingEventAppSize**  The total number of bytes of all downloaded packages. Default: '0'.
 - **appPingEventDoneBeforeOOBEComplete**  Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply.
-- **appPingEventDownloadMetricsCdnCCC**  ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US.
+- **appPingEventDownloadMetricsCdnCCC**  ISO 2 character country or region code that matches to the country or region updated binaries are delivered from. E.g.: US.
 - **appPingEventDownloadMetricsCdnCID**  Numeric value used to internally track the origins of the updated binaries. For example, 2.
 - **appPingEventDownloadMetricsDownloadedBytes**  For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
 - **appPingEventDownloadMetricsDownloader**  A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''.
@@ -3876,6 +3961,33 @@ The following fields are available:
 - **resultCode**  HR result of operation.
 
 
+## Other events
+
+### Microsoft.Windows.Defender.Engine.Maps.Heartbeat
+
+Heartbeat is sent once a day to indicate Defender is running and functional. Event includes necessary information to understand health of Defender on the device.
+
+The following fields are available:
+
+- **AppVersion**  Version of the Defender platform
+- **CampRing**  Camp ring used for monthly deployment
+- **CfaMode**  State of Controlled Folder Access
+- **ConsumerAsrMode**  State of Attack Surface Reduction
+- **CountAsrRules**  Number of Attack Surface Reduction rules in place
+- **EngineRing**  Engine ring used for monthly deployment
+- **EngineVersion**  Version of the AntiMalware Engine
+- **IsAsrAnyAudit**  Flag to indicate if any Attack Surface Reduction rules are running in Audit mode
+- **IsAsrAnyBlock**  Flag to indicate if any Attack Surface Reduction rules are running in Block mode
+- **IsBeta**  Flag to indicate if the user has opted in for Beta updates for Defender.
+- **IsManaged**  Flag to indicate if Defender is running in manage mode
+- **IsPassiveMode**  Flag to indicate if Defender is in Passive mode for ATP
+- **IsSxsPassiveMode**  Flag to indicate if Defender is in Passive mode for Limited periodic scanning
+- **ProductGuid**  Defender Product Guid (static for Defender).
+- **PusMode**  Mode for blocking potentially unwanted software
+- **ShouldHashIds**  Do we have ISO Compliance requirement to hash IDs for e5
+- **SignatureRing**  Signature ring used for deployments
+- **SigVersion**  Version of signature VDMs
+
 ## Privacy consent logging events
 
 ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
@@ -3964,6 +4076,18 @@ The following fields are available:
 - **TargetPath**  (Optional) If the operation is a move, the target path to which the file or directory is being moved.
 
 
+### Microsoft.Windows.Setup.WinSetupMon.TraceErrorVolume
+
+Provides details about error in the functioning of upgrade data safety monitoring filter driver, related to a specific volume (drive).
+
+The following fields are available:
+
+- **Message**  Text string describing the error condition.
+- **SessionId**  Identifier to correlate this component's telemetry with that of others.
+- **Status**  NTSTATUS code related to the error.
+- **Volume**  Path of the volume on which the error occurs
+
+
 ### SetupPlatformTel.SetupPlatformTelActivityEvent
 
 This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date.
@@ -6225,6 +6349,17 @@ The following fields are available:
 - **WorkCompleted**  A flag that indicates if work is completed.
 
 
+### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
+
+This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **configuredPoliciescount**  Number of policies on the device.
+- **policiesNamevaluesource**  Policy name and source of policy (group policy, MDM or flight).
+- **updateInstalluxsetting**  Indicates whether a user has set policies via a user experience option.
+
+
 ### Microsoft.Windows.Update.Orchestrator.UX.InitiatingReboot
 
 This event indicates that a restart was initiated in to enable the update process. The data collected with this event is used to help keep Windows up to date.
@@ -6618,4 +6753,4 @@ The following fields are available:
 - **Disposition**  The parameter for the hard reserve adjustment function.
 - **Flags**  The flags passed to the hard reserve adjustment function.
 - **PendingHardReserveAdjustment**  The final change to the hard reserve size.
-- **UpdateType**  Indicates whether the change is an increase or decrease in the size of the hard reserve.
\ No newline at end of file
+- **UpdateType**  Indicates whether the change is an increase or decrease in the size of the hard reserve.
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index f564971ad6..1d88770967 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -7,7 +7,7 @@ localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: laurawi
-ms.date: 05/23/2023
+ms.date: 09/26/2023
 ms.collection: highpri
 ms.topic: reference
 ---
@@ -1652,6 +1652,30 @@ The following fields are available:
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
+### Microsoft.Windows.Appraiser.General.SystemProcessorPopCntAdd
+
+This event sends data indicating whether the system supports the PopCnt CPU requirement for newer versions of Windows, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion**  Appraiser version
+- **Blocking**  Is the upgrade blocked due to the processor missing the PopCnt instruction?
+- **PopCntPassed**  Whether the machine passes the latest OS hardware requirements or not for the PopCnt instruction.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPopCntStartSync
+
+The SystemProcessorPopCntStartSync event indicates that a new set of SystemProcessorPopCntAdd events will be sent. This event is used to understand if the system supports the PopCnt CPU requirement for newer versions of Windows.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion**  Appraiser version
+
+
 ### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
 
 This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date.
@@ -1988,7 +2012,7 @@ This event sends data about Azure presence, type, and cloud domain use in order
 
 The following fields are available:
 
-- **AADDeviceId**  Azure Active Directory device ID.
+- **AADDeviceId**  Microsoft Entra ID device ID.
 - **AzureOSIDPresent**  Represents the field used to identify an Azure machine.
 - **AzureVMType**  Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
 - **CDJType**  Represents the type of cloud domain joined for the machine.
@@ -1996,7 +2020,7 @@ The following fields are available:
 - **ContainerType**  The type of container, such as process or virtual machine hosted.
 - **EnrollmentType**  Defines the type of MDM enrollment on the device.
 - **HashedDomain**  The hashed representation of the user domain used for login.
-- **IsCloudDomainJoined**  Is this device joined to an Azure Active Directory (AAD) tenant? true/false
+- **IsCloudDomainJoined**  Is this device joined to a Microsoft Entra tenant? true/false
 - **IsDERequirementMet**  Represents if the device can do device encryption.
 - **IsDeviceProtected**  Represents if Device protected by BitLocker/Device Encryption
 - **IsDomainJoined**  Indicates whether a machine is joined to a domain.
@@ -2005,7 +2029,7 @@ The following fields are available:
 - **MDMServiceProvider**  A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device.
 - **MPNId**  Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
 - **SCCMClientId**  This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment.
-- **ServerFeatures**  Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **ServerFeatures**  Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
 - **SystemCenterID**  The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
 
 
@@ -2474,6 +2498,7 @@ The following fields are available:
 
 - **wilActivity**  Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure.
 
+
 ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanGetResultFailed
 
 Fires when driver scanning fails to get results.
@@ -3125,7 +3150,7 @@ The following fields are available:
 - **CoordinatorVersion**  Coordinator version of DTU.
 - **CV**  Correlation vector.
 - **IsCTA**  If device has the CTA regkey set.
-- **IsDeviceAADDomainJoined**  Indicates whether the device is logged in to the AAD (Azure Active Directory) domain.
+- **IsDeviceAADDomainJoined**  Indicates whether the device is logged in to the Microsoft Entra domain.
 - **IsDeviceADDomainJoined**  Indicates whether the device is logged in to the AD (Active Directory) domain.
 - **IsDeviceCloverTrail**  Indicates whether the device has a Clover Trail system installed.
 - **IsDeviceDiskSpaceLow**  If device disk space is low.
@@ -5150,7 +5175,7 @@ The following fields are available:
 - **appPingEventDoneBeforeOOBEComplete**  Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply.
 - **appPingEventDownloadMetricsCdnAzureRefOriginShield**  Provides a unique reference string that identifies a request served by Azure Front Door. It's used to search access logs and is critical for troubleshooting. For example, Ref A: E172B39D19774147B0EFCC8E3E823D9D Ref B: BL2EDGE0215 Ref C: 2021-05-11T22:25:48Z.
 - **appPingEventDownloadMetricsCdnCache**  Corresponds to the result, whether the proxy has served the result from cache (HIT for yes, and MISS for no) For example, HIT from proxy.domain.tld, MISS from proxy.local.
-- **appPingEventDownloadMetricsCdnCCC**  ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US.
+- **appPingEventDownloadMetricsCdnCCC**  ISO 2 character country or region code that matches to the country or region updated binaries are delivered from. E.g.: US.
 - **appPingEventDownloadMetricsCdnCID**  Numeric value used to internally track the origins of the updated binaries. For example, 2.
 - **appPingEventDownloadMetricsCdnMSEdgeRef**  Used to help correlate client-to-AFD (Azure Front Door) conversations. For example, Ref A: E2476A9592DF426A934098C0C2EAD3AB Ref B: DM2EDGE0307 Ref C: 2022-01-13T22:08:31Z.
 - **appPingEventDownloadMetricsCdnP3P**  Electronic privacy statement: CAO = collects contact-and-other, PSA = for pseudo-analysis, OUR = data received by us only. Helps identify the existence of transparent intermediaries (proxies) that can create noise in legitimate error detection. For example, CP=\"CAO PSA OUR\".
@@ -5591,6 +5616,33 @@ The following fields are available:
 
 ## Other events
 
+### Microsoft.Windows.Defender.Engine.Maps.Heartbeat
+
+Heartbeat is sent once a day to indicate Defender is running and functional. Event includes necessary information to understand health of Defender on the device.
+
+The following fields are available:
+
+- **AppVersion**  Version of the Defender platform
+- **CampRing**  Camp ring used for monthly deployment
+- **CfaMode**  State of Controlled Folder Access
+- **ConsumerAsrMode**  State of Attack Surface Reduction
+- **CountAsrRules**  Number of Attack Surface Reduction rules in place
+- **EngineRing**  Engine ring used for monthly deployment
+- **EngineVersion**  Version of the AntiMalware Engine
+- **HeartbeatType**  Enum of the reason the heartbeat is collected
+- **IsAsrAnyAudit**  Flag to indicate if any Attack Surface Reduction rules are running in Audit mode
+- **IsAsrAnyBlock**  Flag to indicate if any Attack Surface Reduction rules are running in Block mode
+- **IsBeta**  Flag to indicate if the user has opted in for Beta updates for Defender.
+- **IsManaged**  Flag to indicate if Defender is running in manage mode
+- **IsPassiveMode**  Flag to indicate if Defender is in Passive mode for ATP
+- **IsSxsPassiveMode**  Flag to indicate if Defender is in Passive mode for Limited periodic scanning
+- **ProductGuid**  Defender Product Guid (static for Defender).
+- **PusMode**  Mode for blocking potentially unwanted software
+- **ShouldHashIds**  Do we have ISO Compliance requirement to hash IDs for e5
+- **SignatureRing**  Signature ring used for deployments
+- **SigVersion**  Version of signature VDMs
+
+
 ### Microsoft.Windows.OneSettingsClient.Heartbeat
 
 This event indicates the config state heartbeat. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
@@ -5600,6 +5652,20 @@ The following fields are available:
 - **Configs**  Array of configs.
 
 
+### Microsoft.Windows.Security.SBServicing.ApplySecureBootUpdateFailed
+
+Event that indicates that an attempt to apply secure boot updates failed
+
+The following fields are available:
+
+- **Action**  Action string when error occured
+- **hr**  Error code in HRESULT
+- **IsResealNeeded**  BOOL value to indicate if TPM Reseal was needed
+- **SecureBootUpdateCaller**  Scenario in which function was called. Could be Update or Upgrade
+- **UpdateType**  Indicates if it is DB or DBX update
+- **WillResealSucceed**  Indicates if TPM reseal operation is expected to succeed
+
+
 ## Privacy consent logging events
 
 ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
@@ -5730,6 +5796,16 @@ The following fields are available:
 
 ## Software update events
 
+### SoftwareUpdateClientTelemetry.BadUpdateMetadata
+
+Provides information on bad update metadata detection. This information is used to understand the impacted update and ensure correct updates to keep windows up to date.
+
+The following fields are available:
+
+- **RevisionId**  Update metadata revision Id.
+- **ServiceGuid**  The service endpoint (pre-defined GUID) which client is checking updates against.
+
+
 ### SoftwareUpdateClientTelemetry.CheckForUpdates
 
 This event sends tracking data about the software distribution client check for content that is applicable to a device, to help keep Windows up to date.
@@ -5749,7 +5825,7 @@ The following fields are available:
 - **CachedEngineVersion**  For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
 - **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client.
 - **CapabilityDetectoidGuid**  The GUID for a hardware applicability detectoid that could not be evaluated.
-- **CDNCountryCode**  Two letter country abbreviation for the Content Distribution Network (CDN) location.
+- **CDNCountryCode**  Two letter country or region abbreviation for the Content Distribution Network (CDN) location.
 - **CDNId**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
 - **ClientVersion**  The version number of the software distribution client.
 - **CommonProps**  A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0.
@@ -5870,7 +5946,7 @@ The following fields are available:
 - **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client.
 - **CbsDownloadMethod**  Indicates whether the download was a full- or a partial-file download.
 - **CbsMethod**  The method used for downloading the update content related to the Component Based Servicing (CBS) technology.
-- **CDNCountryCode**  Two letter country abbreviation for the Content Distribution Network (CDN) location.
+- **CDNCountryCode**  Two letter country or region abbreviation for the Content Distribution Network (CDN) location.
 - **CDNId**  ID which defines which CDN the software distribution client downloaded the content from.
 - **ClientVersion**  The version number of the software distribution client.
 - **CommonProps**  A bitmask for future flags associated with the Windows Update client behavior.
@@ -6370,6 +6446,25 @@ The following fields are available:
 - **Ver**  Schema version.
 
 
+### Microsoft.Surface.Battery.Prod.BatteryInfoEventV3
+
+Hardware level data about battery performance.
+
+The following fields are available:
+
+- **BatteryTelemetry**  Hardware Level Data about battery performance.
+- **ComponentId**  Component ID.
+- **FwVersion**  FW version that created this log.
+- **LogClass**  LOG CLASS.
+- **LogInstance**  Log instance within class (1..n).
+- **LogVersion**  LOG MGR VERSION.
+- **MCUInstance**  Instance id used to identify multiple MCU's in a product.
+- **ProductId**  ProductId ID.
+- **SeqNum**  Sequence Number.
+- **TimeStamp**  UTC seconds when log was created.
+- **Ver**  Schema version.
+
+
 ### Microsoft.Surface.Health.Binary.Prod.McuHealthLog
 
 This event collects information to keep track of health indicator of the built-in micro controller. For example, the number of abnormal shutdowns due to power issues during boot sequence, type of display panel attached to base, thermal indicator, throttling data in hardware etc. The data collected with this event is used to help keep Windows secure and performing properly.
@@ -6923,10 +7018,10 @@ The following fields are available:
 - **CV**  The correlation vector.
 - **GlobalEventCounter**  Counts the events at the global level for telemetry.
 - **PackageVersion**  The package version for currency tools.
-- **UnifiedInstallerDeviceAADJoinedHresult**  The result code after checking if device is Azure Active Directory joined.
+- **UnifiedInstallerDeviceAADJoinedHresult**  The result code after checking if device is Microsoft Entra joined.
 - **UnifiedInstallerDeviceInDssPolicy**  Boolean indicating whether the device is found to be in a DSS policy.
 - **UnifiedInstallerDeviceInDssPolicyHresult**  The result code for checking whether the device is found to be in a DSS policy.
-- **UnifiedInstallerDeviceIsAADJoined**  Boolean indicating whether a device is Azure Active Directory joined.
+- **UnifiedInstallerDeviceIsAADJoined**  Boolean indicating whether a device is Microsoft Entra joined.
 - **UnifiedInstallerDeviceIsAdJoined**  Boolean indicating whether a device is AD joined.
 - **UnifiedInstallerDeviceIsAdJoinedHresult**  The result code for checking whether a device is AD joined.
 - **UnifiedInstallerDeviceIsEducationSku**  Boolean indicating whether a device is Education SKU.
@@ -7053,7 +7148,7 @@ The following fields are available:
 - **PackageVersion**  The package version of the label.
 - **UpdateHealthToolsDevicePolicyFileName**  The default name of the policy blob file.
 - **UpdateHealthToolsDssDeviceApiSegment**  The URI segment for reading the DSS device pointer.
-- **UpdateHealthToolsDssDeviceId**  The Azure Active Directory ID of the device used to create the device ID hash.
+- **UpdateHealthToolsDssDeviceId**  The ID in Microsoft Entra ID of the device used to create the device ID hash.
 - **UpdateHealthToolsDssDevicePolicyApiSegment**  The segment of the device policy API pointer.
 - **UpdateHealthToolsDssTenantId**  The tenant id of the device used to create the tenant id hash.
 - **UpdateHealthToolsHashedDeviceId**  The SHA256 hash of the device id.
@@ -7062,7 +7157,7 @@ The following fields are available:
 
 ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin
 
-This event is sent when the device is not joined to Azure Active Directory. The data collected with this event is used to help keep Windows up to date and secure.
+This event is sent when the device is not Microsoft Entra joined. The data collected with this event is used to help keep Windows up to date and secure.
 
 The following fields are available:
 
@@ -8804,6 +8899,19 @@ The following fields are available:
 
 - **wilActivity**  This struct provides a Windows Internal Library context used for Product and Service diagnostics.
 
+
+### Microsoft.Windows.Update.Orchestrator.Client.UpdatePolicyCacheRefresh
+
+This ensures the update policies are refreshed in the cache so that we can properly determine what updates the device should be offered and how the device should take the updates (e.g. how and when to scan, download, install, and reboot).
+
+The following fields are available:
+
+- **configuredPoliciescount**  Number of configured policies
+- **policiesNamevaluesource**  Name of the policies
+- **updateInstalluxsetting**  Whether the update install setting is set
+- **wuDeviceid**  Device ID.
+
+
 ### Microsoft.Windows.Update.Orchestrator.DeferRestart
 
 This event indicates that a restart required for installing updates was postponed. The data collected with this event is used to help keep Windows secure and up to date.
diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
index 35536d7efd..483e61d221 100644
--- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
+++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
@@ -7,7 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: laurawi
-ms.date: 12/17/2020
+ms.date: 10/06/2023
 ms.topic: reference
 ---
 # Windows 11 connection endpoints for non-Enterprise editions
@@ -21,11 +21,11 @@ In addition to the endpoints listed for [Windows 11 Enterprise](manage-windows-1
 The following methodology was used to derive the network endpoints:
 
 1. Set up the latest version of Windows 11 on a test virtual machine using the default settings.
-2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
+2. Leave the device(s) running idle for a week ("idle" means a user isn't interacting with the system/device).
 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
 4. Compile reports on traffic going to public IP addresses.
-5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+5. The test virtual machine(s) was logged into using a local account, and wasn't joined to a domain or Microsoft Entra ID.
+6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
 8. These tests were conducted for one week. If you capture traffic for longer, you may have different results.
 
@@ -49,7 +49,7 @@ The following methodology was used to derive the network endpoints:
 |Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*|
 |Device Directory Service|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.|HTTPS/HTTP|cs.dds.microsoft.com|
 |Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
-|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
+|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
 ||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
 |Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
 |Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
@@ -62,7 +62,7 @@ The following methodology was used to derive the network endpoints:
 |||HTTPS/HTTP|ecn.dev.virtualearth.net|
 |||HTTPS/HTTP|ssl.bing.com|
 |Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com|
-|Microsoft Edge| This network traffic is related to the Microsoft Edge browser. The Microsoft Edge browser requires these endpoint to contact external websites.|HTTPS/HTTP|edge.activity.windows.com </br> edge.microsoft.com|
+|Microsoft Edge| This network traffic is related to the Microsoft Edge browser. The Microsoft Edge browser requires these endpoints to contact external websites.|HTTPS/HTTP|edge.activity.windows.com </br> edge.microsoft.com|
 |Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com|
 |Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
 ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
@@ -76,7 +76,7 @@ The following methodology was used to derive the network endpoints:
 |||TLSv1.2/HTTPS|office.com|
 |||TLSv1.2/HTTPS|blobs.officehome.msocdn.com|
 |||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
-|||HTTP/HTTPS|*.blob.core.windows.net|
+|||HTTPS/HTTP|*.blob.core.windows.net|
 |||TLSv1.2|self.events.data.microsoft.com|
 |||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
 |||HTTP|roaming.officeapps.live.com|
@@ -107,7 +107,7 @@ The following methodology was used to derive the network endpoints:
 ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
 |||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
 ||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
-||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTPS/HTTP|adl.windows.com|
 ||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
 |Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
 |||TLSv1.2/HTTPS|da.xboxservices.com|
@@ -119,60 +119,120 @@ The following methodology was used to derive the network endpoints:
 | **Area** | **Description** | **Protocol** | **Destination** |
 | --- | --- | --- | ---|
 | Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com|
-|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
+|||HTTP|assets.activity.windows.com|
+|Apps|The following endpoint is used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
 ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
 ||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
-||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com|
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
+||The following endpoint is used for Spotify Live Tile.|HTTPS/HTTP|spclient.wg.spotify.com|
+|Certificates|The following endpoints are used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
+|||HTTP|ocsp.digicert.com|
 |Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
+|||HTTPS|business.bing.com|
+|||HTTP|c.bing.com|
+|||HTTP|edgeassetservice.azureedge.net|
+|||HTTP|fp.msedge.net|
+|||HTTP|fp-vs.azureedge.net|
+|||TLSv1.2|ln-ring.msedge.net|
+|||TLSv1.2|prod-azurecdn-akamai-iris.azureedge.net|
+|||HTTP|r.bing.com|
+|||TLSv1.2/HTTP|s-ring.msedge.net|
+|||HTTP|t-ring.msedge.net|
+|||HTTP|t-ring-fdv2.msedge.net|
+|||TLSv1.2|tse1.mm.bing.net|
+|||TLSv1.2|widgetcdn.azureedge.net|
+|||TLSv1.2|widgetservice.azurefd.net|
 |Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*|
 |Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
-|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. |TLSv1.2/HTTP|v10.events.data.microsoft.com|
+|Diagnostic data||HTTP|browser.events.data.msn.com|
+|||TLSv1.2|functional.events.data.microsoft.com|
+|||TLSv1.2/HTTP|www.microsoft.com|
+||The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft. |TLSv1.2/HTTP|v10.events.data.microsoft.com|
+|||TLSv1.2/HTTP|self.events.data.microsoft.com|
 ||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
-|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
-|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
+|||TLSv1.2/HTTP|watson.events.data.microsoft.com|
+|Font Streaming|The following endpoints is used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
+|Licensing|The following endpoint is used for online activation and some app licensing.|TLSv1.2/HTTPS/HTTP|*licensing.mp.microsoft.com|
+|Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps can't use location data.|TLSv1.2|inference.location.live.net|
 |Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com|
-|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. |TLSv1.2/HTTPS/HTTP|*login.live.com|
-|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates. |HTTPS/HTTP|msedge.api.cdp.microsoft.com|
-|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
+|||HTTP|ecn-us.dev.virtualearth.net|
+|Microsoft Account|The following endpoint is used for Microsoft accounts to sign in. |TLSv1.2/HTTPS/HTTP|*login.live.com|
+|Microsoft Defender Antivirus|The following endpoints are used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com|
+|||TLSv1.2/HTTPS|wdcpalt.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
+|||TLSv1.2|*.smartscreen.microsoft.com|
+|||TLSv1.2/HTTP|checkappexec.microsoft.com|
+|Microsoft Edge|The following endpoints are used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates. |HTTPS/HTTP|msedge.api.cdp.microsoft.com|
+|||TLSv1.2/HTTP|edge.microsoft.com|
+|||HTTP|edge.nelreports.net|
+|||TLSv1.2/HTTP|windows.msn.com|
+|Microsoft Store|The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
+|||HTTP|img-s-msn-com.akamaized.net|
 ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
 ||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
 ||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
 |||HTTPS|storesdk.dsx.mp.microsoft.com|
 ||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
+||The following endpoint is needed to load the content in the Microsoft Store app.|HTTP|storeedgefd.dsx.mp.microsoft.com|
+|Microsoft To Do|The following endpoints are used for the Microsoft To Do app.|HTTP|staging.to-do.microsoft.com|
+|||TLSv1.2/HTTP|to-do.microsoft.com|
 |Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|
-|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com|
+|||HTTP|ipv6.msftconnecttest.com|
+|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS|blobs.officehome.msocdn.com|
+|||TLSv1.2/HTTPS/HTTP|*.blob.core.windows.net|
+|||TLSv1.2/HTTP|ecs.nel.measure.office.net|
+|||TLSv1.2/HTTP|ocws.officeapps.live.com|
+|||TLSv1.2/HTTP|odc.officeapps.live.com|
 |||TLSv1.2/HTTPS|office.com|
-|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com|
-|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
-|||HTTP/HTTPS|*.blob.core.windows.net|
-|||TLSv1.2|self.events.data.microsoft.com|
-|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
 |||TLSv1.2/HTTPS/HTTP|officeclient.microsoft.com|
+|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
+|||TLSv1.2/HTTPS/HTTP|outlook.office365.com|
+|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
+|||HTTP|roaming.officeapps.live.com|
+|||TLSv1.2|self.events.data.microsoft.com|
 |||HTTPS/HTTP|substrate.office.com|
-|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com|
-|||TLSv1.2/HTTPS|oneclient.sfx.ms|
+|||HTTP|tfl.nel.measure.office.net|
+|OneDrive|The following endpoints are related to OneDrive.|HTTP|ams03pap005.storage.live.com|
+|||HTTP|api.onedrive.com|
+|||HTTPS|g.live.com|
 |||HTTPS/TLSv1.2|logincdn.msauth.net|
-|||HTTPS/HTTP|windows.policies.live.net|
-|||HTTPS/HTTP|*storage.live.com|
+|||TLSv1.2/HTTPS|oneclient.sfx.ms|
+|||HTTP|onedrive.live.com|
+|||HTTP|sat02pap005.storage.live.com|
 |||HTTPS/HTTP|*settings.live.net|
-|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*|
+|||HTTP|skyapi.live.net|
+|||HTTP|skydrivesync.policies.live.net|
+|||HTTPS/HTTP|*storage.live.com|
+|||HTTPS/HTTP|windows.policies.live.net|
+|Settings|The following endpoints are used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*|
 |||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*|
-|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com|
+|Skype|The following endpoints are used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com|
 |||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
-|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
-|Microsoft Defender Antivirus|The following endpoints are used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com</br>wdcpalt.microsoft.com|
-|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
-||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
-|||TLSv1.2/HTTP|checkappexec.microsoft.com|
-|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*</br>ris.api.iris.microsoft.com|
-|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
+|||HTTP|edge.skype.com|
+|||HTTP|experimental-api.asm.skype.com|
+|||HTTP|trouter-azsc-ukwe-0-b.trouter.skype.com|
+|||HTTP|us-api.asm.skype.com|
+|Teams|The following endpoints are used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
+|||TLSv1.2/HTTP|teams.events.data.microsoft.com|
+|||HTTP|teams.live.com|
+|||HTTP|statics.teams.cdn.live.net|
+|||HTTP|statics.teams.cdn.office.net|
+|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTP|api.msn.com|
+|||TLSv1.2/HTTPS/HTTP|arc.msn.com|
+|||TLSv1.2/HTTP|assets.msn.com|
+|||HTTP|c.msn.com|
+|||TLSv1.2/HTTP|fd.api.iris.microsoft.com|
+|||HTTP|ntp.msn.com|
+|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com|
+|||HTTP|srtb.msn.com|
+|||TLSv1.2/HTTP|www.msn.com|
+|Windows Update||TLSv1.2|definitionupdates.microsoft.com|
+||The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
 |||TLSv1.2/HTTP|emdl.ws.microsoft.com|
 |||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
 ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
 |||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
-||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
-||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
+||The following endpoint enables connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTPS/HTTP|adl.windows.com|
 ||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
 |Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
 |||TLSv1.2/HTTPS|da.xboxservices.com|
@@ -195,7 +255,7 @@ The following methodology was used to derive the network endpoints:
 |||TLSv1.2|odinvzc.azureedge.net|
 |||TLSv1.2|b-ring.msedge.net|
 |Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
-|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
+|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
 ||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
 |Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
 |Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
@@ -233,7 +293,7 @@ The following methodology was used to derive the network endpoints:
 ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
 |||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
 ||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
-||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTPS/HTTP|adl.windows.com|
 ||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
 |Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
 |||TLSv1.2/HTTPS|da.xboxservices.com|
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
index 35cecd0bee..f237a5b23c 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
@@ -38,24 +38,24 @@ The following table contains information about the events that you can use to de
 
 | Event ID | Level | Event message | Description |
 | --- | --- | --- | --- |
-| 8000 | Error| Application Identity Policy conversion failed. Status * &lt;%1&gt; *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.| 
+| 8000 | Error| AppID policy conversion failed. Status * &lt;%1&gt; *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.| 
 | 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.| 
 | 8002 | Information| *&lt;File name&gt; * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| 
-| 8003 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. |
-| 8004 | Error| *&lt;File name&gt; * was not allowed to run.| Access to *&lt;file name&gt;* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.| 
+| 8003 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. |
+| 8004 | Error| *&lt;File name&gt; * was prevented from running.| Access to *&lt;file name&gt;* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.| 
 | 8005| Information| *&lt;File name&gt; * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| 
-| 8006 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. |
-| 8007 | Error| *&lt;File name&gt; * was not allowed to run.| Access to *&lt;file name&gt;* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.| 
-| 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.| 
-| 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.| 
-| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| 
-| 8022| Information| Packaged app disabled.| Added in Windows Server 2012 and Windows 8.| 
-| 8023 | Information| Packaged app installation allowed.| Added in Windows Server 2012 and Windows 8.|
-| 8024 | Information| Packaged app installation audited.| Added in Windows Server 2012 and Windows 8.| 
-| 8025 | Warning| Packaged app installation disabled.| Added in Windows Server 2012 and Windows 8.| 
-| 8027 | Warning| No Packaged app rule configured.| Added in Windows Server 2012 and Windows 8.| 
-| 8028 | Warning | * was allowed to run but would have been prevented if the Config CI policy was enforced.| Added in Windows Server 2016 and Windows 10.|
-| 8029 | Error | * was prevented from running due to Config CI policy.| Added in Windows Server 2016 and Windows 10.|
+| 8006 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. |
+| 8007 | Error| *&lt;File name&gt; * was prevented from running.| Access to *&lt;file name&gt;* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.| 
+| 8008| Warning| *&lt;File name&gt; *: AppLocker component not available on this SKU.| Added in Windows Server 2012 and Windows 8.| 
+| 8020| Information| *&lt;File name&gt; * was allowed to run.| Added in Windows Server 2012 and Windows 8.| 
+| 8021| Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Added in Windows Server 2012 and Windows 8.| 
+| 8022| Error| *&lt;File name&gt; * was prevented from running.| Added in Windows Server 2012 and Windows 8.| 
+| 8023 | Information| *&lt;File name&gt; * was allowed to be installed.| Added in Windows Server 2012 and Windows 8.|
+| 8024 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Added in Windows Server 2012 and Windows 8.| 
+| 8025 | Error| *&lt;File name&gt; * was prevented from running.| Added in Windows Server 2012 and Windows 8.| 
+| 8027 | Error| No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.| Added in Windows Server 2012 and Windows 8.| 
+| 8028 | Warning | *&lt;File name&gt; * was allowed to run but would have been prevented if the Config CI policy were enforced.| Added in Windows Server 2016 and Windows 10.|
+| 8029 | Error | *&lt;File name&gt; * was prevented from running due to Config CI policy.| Added in Windows Server 2016 and Windows 10.|
 | 8030 | Information | ManagedInstaller check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10.|
 | 8031 | Information | SmartlockerFilter detected file * being written by process * | Added in Windows Server 2016 and Windows 10.|
 | 8032 | Error | ManagedInstaller check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.|
@@ -63,9 +63,9 @@ The following table contains information about the events that you can use to de
 | 8034 | Information | ManagedInstaller Script check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.|
 | 8035 | Error | ManagedInstaller Script check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10.|
 | 8036 | Error | * was prevented from running due to Config CI policy | Added in Windows Server 2016 and Windows 10.|
-| 8037 | Information | * passed Config CI policy and was allowed to run | Added in Windows Server 2016 and Windows 10.|
+| 8037 | Information | * passed Config CI policy and was allowed to run.| Added in Windows Server 2016 and Windows 10.|
 | 8038 | Information | Publisher info: Subject: * Issuer: * Signature index * (* total) | Added in Windows Server 2016 and Windows 10.|
-| 8039 | Warning | * passed Config CI policy and was allowed to run | Added in Windows Server 2016 and Windows 10.|
+| 8039 | Warning | Package family name * version * was allowed to install or update but would have been prevented if the Config CI policy | Added in Windows Server 2016 and Windows 10.|
 | 8040 | Error | Package family name * version * was prevented from installing or updating due to Config CI policy | Added in Windows Server 2016 and Windows 10.|
 
  
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
index 398a529b8e..3eac346b20 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
@@ -81,7 +81,7 @@ To check that the policy was successfully applied on your computer:
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
-  <VersionEx>10.0.25930.0</VersionEx>
+  <VersionEx>10.0.25965.0</VersionEx>
   <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
   <Rules>
     <Rule>
@@ -662,6 +662,10 @@ To check that the policy was successfully applied on your computer:
     <Deny ID="ID_DENY_EIO64_6" FriendlyName="Asus EIO64\cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb Hash Sha256" Hash="D4E7335A177E47688D68AD89940C272F82728C882623F1630E7FD2E03E16F003" />
     <Deny ID="ID_DENY_EIO64_7" FriendlyName="Asus EIO64\cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb Hash Page Sha1" Hash="D1AAAAF1EEA34073BAF39C7494E646C5AD2475F5" />
     <Deny ID="ID_DENY_EIO64_8" FriendlyName="Asus EIO64\cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb Hash Page Sha256" Hash="796BEC283155309F2DF0B1779CABC78A3B2161FFCED9F521DB231550DCB376A1" />
+    <Deny ID="ID_DENY_GVCIDRV_1" FriendlyName="Gigabyte gvcidrv\42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f Hash Sha1" Hash="4EAE38E9DC262EB7B6EDE4B3D3F4AD068933845E" />
+    <Deny ID="ID_DENY_GVCIDRV_2" FriendlyName="Gigabyte gvcidrv\42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f Hash Sha256" Hash="2FF09BB919A9909068166C30322C4E904BEFEBA5429E9A11D011297FB8A73C07" />
+    <Deny ID="ID_DENY_GVCIDRV_3" FriendlyName="Gigabyte gvcidrv\42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f Hash Page Sha1" Hash="6980122AEF4E2D5D7A6DDDB6DA76A166C460E0A1" />
+    <Deny ID="ID_DENY_GVCIDRV_4" FriendlyName="Gigabyte gvcidrv\42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f Hash Page Sha256" Hash="A69247025DD32DC15E06FEE362B494BCC6105D34B8D7091F7EC3D9000BD71501" />
     <Deny ID="ID_DENY_HW_22" FriendlyName="hw_sys\b8fcc8ef2b27c0c0622d069981e39f112d3b3b0dbede053340bc157ba1316eab Hash Sha1" Hash="924A088149D6EE89551E15D45E7BC847B9561196" />
     <Deny ID="ID_DENY_HW_23" FriendlyName="hw_sys\b8fcc8ef2b27c0c0622d069981e39f112d3b3b0dbede053340bc157ba1316eab Hash Sha256" Hash="5E1E1489A1A01CFB466B527543D9D25112A83792BDE443DE9E34E4D3ADA697E3" />
     <Deny ID="ID_DENY_HW_24" FriendlyName="hw_sys\b8fcc8ef2b27c0c0622d069981e39f112d3b3b0dbede053340bc157ba1316eab Hash Page Sha1" Hash="ADB70331BE7B68359C3EC3065C045349EA5B2EE2" />
@@ -691,6 +695,90 @@ To check that the policy was successfully applied on your computer:
     <Deny ID="ID_DENY_INPOUTX_21" FriendlyName="inpoutx\d5cc046c2ae9ba6fe54def699f1c4fa92d3226304321bbf45cc33883ce131138 Hash Sha256" Hash="D5CC046C2AE9BA6FE54DEF699F1C4FA92D3226304321BBF45CC33883CE131138" />
     <Deny ID="ID_DENY_INPOUTX_22" FriendlyName="inpoutx\e2c531a771b0df1585518a22427798e86611e6be3d357024797871a1b3876e9c Hash Sha1" Hash="CCE8ED3969E52080B32BCC59E2EC174CA9C578EC" />
     <Deny ID="ID_DENY_INPOUTX_23" FriendlyName="inpoutx\e2c531a771b0df1585518a22427798e86611e6be3d357024797871a1b3876e9c Hash Sha256" Hash="E2C531A771B0DF1585518A22427798E86611E6BE3D357024797871A1B3876E9C" />
+    <Deny ID="ID_DENY_IREC_1" FriendlyName="IREC.sys\irec32--1.sys Hash Sha1" Hash="B715B8030FC28346C97B5F5FB901C390ED5C97B6" />
+    <Deny ID="ID_DENY_IREC_2" FriendlyName="IREC.sys\irec32--1.sys Hash Sha256" Hash="2E8E61DAA45061AE04AABEE086371A6D56F0D517AA584E1B70C8423C8E469310" />
+    <Deny ID="ID_DENY_IREC_3" FriendlyName="IREC.sys\irec32--1.sys Hash Page Sha1" Hash="9DF591D3672885C5BAA454413C75D974386B9F14" />
+    <Deny ID="ID_DENY_IREC_4" FriendlyName="IREC.sys\irec32--1.sys Hash Page Sha256" Hash="883602C2C622E270F91E6391FE5E4B156CB68ED6B41A2F5694EFB93774579FFF" />
+    <Deny ID="ID_DENY_IREC_5" FriendlyName="IREC.sys\irec32--10.sys Hash Sha1" Hash="BCA37BCC2AEE3383F43D0126E30E07893E40F452" />
+    <Deny ID="ID_DENY_IREC_6" FriendlyName="IREC.sys\irec32--10.sys Hash Sha256" Hash="B431CBD247F1D229CA2A90256063973A8B4129A154926026366766677AB740F6" />
+    <Deny ID="ID_DENY_IREC_7" FriendlyName="IREC.sys\irec32--10.sys Hash Page Sha1" Hash="4B2582568EC84D1711D3EDCBE53730F32D9EA4F5" />
+    <Deny ID="ID_DENY_IREC_8" FriendlyName="IREC.sys\irec32--10.sys Hash Page Sha256" Hash="6D94B06210D7946DD9F4EC83D2E804FC6EA0083E95CBACA0E62D84891C9DA51C" />
+    <Deny ID="ID_DENY_IREC_9" FriendlyName="IREC.sys\irec32--11.sys Hash Sha1" Hash="EAA1C906B44925B71D4F67A29F125158CF58FBA1" />
+    <Deny ID="ID_DENY_IREC_A" FriendlyName="IREC.sys\irec32--11.sys Hash Sha256" Hash="EBFF008864CE631BCD44328DF0E72901EA08B83EA25EB6949FC8D61335E6A149" />
+    <Deny ID="ID_DENY_IREC_B" FriendlyName="IREC.sys\irec32--11.sys Hash Page Sha1" Hash="86777AF3C0E74138EF70C3DC02D98E3938F244BA" />
+    <Deny ID="ID_DENY_IREC_C" FriendlyName="IREC.sys\irec32--11.sys Hash Page Sha256" Hash="968D1E5440BA5F42E5E50C33ECFEE253FC6217F58F0475EC881DF9A65F254584" />
+    <Deny ID="ID_DENY_IREC_D" FriendlyName="IREC.sys\irec32--2.sys Hash Sha1" Hash="BC47F6F4A03B944A2C9BADA25275D5ED35A00946" />
+    <Deny ID="ID_DENY_IREC_E" FriendlyName="IREC.sys\irec32--2.sys Hash Sha256" Hash="E04C028FA5D0343A10C1D526ADD23B5C98834B252A87732CF69F4D482A7DAB94" />
+    <Deny ID="ID_DENY_IREC_F" FriendlyName="IREC.sys\irec32--2.sys Hash Page Sha1" Hash="F2F9BC79B1CF1FC2C4F9C3B59C53F5A8949CC987" />
+    <Deny ID="ID_DENY_IREC_10" FriendlyName="IREC.sys\irec32--2.sys Hash Page Sha256" Hash="5ECD5D7679504C22300263889CC3B48F1724EC5276CA24C06BABED595C3501AF" />
+    <Deny ID="ID_DENY_IREC_11" FriendlyName="IREC.sys\irec32--3.sys Hash Sha1" Hash="94881B8F8C0BD3EC9B4F8C44D74CD774AAEF77CA" />
+    <Deny ID="ID_DENY_IREC_12" FriendlyName="IREC.sys\irec32--3.sys Hash Sha256" Hash="A026FADABEB628EAD4399CA3FB3369224983E311CF927EAC7826B230CB774B67" />
+    <Deny ID="ID_DENY_IREC_13" FriendlyName="IREC.sys\irec32--3.sys Hash Page Sha1" Hash="3DEF49B1C6095AD5A5CACB5ED24958070C872925" />
+    <Deny ID="ID_DENY_IREC_14" FriendlyName="IREC.sys\irec32--3.sys Hash Page Sha256" Hash="00A813073AED7A5C795C35BF239536962683A73BB315C774DBA9838144131DEF" />
+    <Deny ID="ID_DENY_IREC_15" FriendlyName="IREC.sys\irec32--5.sys Hash Sha1" Hash="7C1B5F25BBA93877FA3D5626F3FF08FC865FC062" />
+    <Deny ID="ID_DENY_IREC_16" FriendlyName="IREC.sys\irec32--5.sys Hash Sha256" Hash="BB02A566FFE392BA15F3DD0FA0F2B08AE684462D41FE2141D98E9E8F416BC339" />
+    <Deny ID="ID_DENY_IREC_17" FriendlyName="IREC.sys\irec32--5.sys Hash Page Sha1" Hash="A987A4E8B23A90EC582C18CCB6A4FC075BBBE564" />
+    <Deny ID="ID_DENY_IREC_18" FriendlyName="IREC.sys\irec32--5.sys Hash Page Sha256" Hash="2ABA330D66FA4FA0348B52C068B8C754C18565D55059FF02D114C52A00946996" />
+    <Deny ID="ID_DENY_IREC_19" FriendlyName="IREC.sys\irec32--7.sys Hash Sha1" Hash="EF221C26D16FDFC16B6B416666AC27C67A123EDB" />
+    <Deny ID="ID_DENY_IREC_1A" FriendlyName="IREC.sys\irec32--7.sys Hash Sha256" Hash="2E5C4332A9EC895818F3F5EB3C101D2E55F4C588A57E4DAAD0544F5F3E434DD6" />
+    <Deny ID="ID_DENY_IREC_1B" FriendlyName="IREC.sys\irec32--7.sys Hash Page Sha1" Hash="98C5D52418EF0D4489EAD7341D4C80337E5438F4" />
+    <Deny ID="ID_DENY_IREC_1C" FriendlyName="IREC.sys\irec32--7.sys Hash Page Sha256" Hash="48AB3B361354812A7353F902491B4814268325AC53D79B81B3938A66A294E219" />
+    <Deny ID="ID_DENY_IREC_1D" FriendlyName="IREC.sys\irec32--8.sys Hash Sha1" Hash="4432DB3BCB9B8F14F1D8CBA0292985A206A624B5" />
+    <Deny ID="ID_DENY_IREC_1E" FriendlyName="IREC.sys\irec32--8.sys Hash Sha256" Hash="5B942A0686EE8772E0CC5070F9A023067410A7FC2F17EE902A380592EFF9DF98" />
+    <Deny ID="ID_DENY_IREC_1F" FriendlyName="IREC.sys\irec32--8.sys Hash Page Sha1" Hash="504DADC23313231D3670E0D60AB12CC9D3F8F366" />
+    <Deny ID="ID_DENY_IREC_20" FriendlyName="IREC.sys\irec32--8.sys Hash Page Sha256" Hash="83A28797DF3C1134FD2CF3BB3E1967C8BE2CF9D1BA13DEDB1367CE9E1E8FE84A" />
+    <Deny ID="ID_DENY_IREC_21" FriendlyName="IREC.sys\irec32--9.sys Hash Sha1" Hash="E388275F8874F95E4484F52742FCFB3751B33FF9" />
+    <Deny ID="ID_DENY_IREC_22" FriendlyName="IREC.sys\irec32--9.sys Hash Sha256" Hash="C9488EDE76B64E13E625D7EAEAFE5CE0C1B180CA6FB429B8C4C8DF5089DEEAF5" />
+    <Deny ID="ID_DENY_IREC_23" FriendlyName="IREC.sys\irec32--9.sys Hash Page Sha1" Hash="A4C243D53D69FBA0539949D7966E2DF67C4010CE" />
+    <Deny ID="ID_DENY_IREC_24" FriendlyName="IREC.sys\irec32--9.sys Hash Page Sha256" Hash="D6818FA421D57D961BD54625C2BDD0FB0C1E16CF00E404DBF37F1BC86DB48C20" />
+    <Deny ID="ID_DENY_IREC_25" FriendlyName="IREC.sys\irec64--16.sys Hash Sha1" Hash="169DD93FD4A637E452B148309C2E187880534E12" />
+    <Deny ID="ID_DENY_IREC_26" FriendlyName="IREC.sys\irec64--16.sys Hash Sha256" Hash="43BF704522A5E01030A9B5CDFBDD7B226E93B40B5AF62581495E66407F365B10" />
+    <Deny ID="ID_DENY_IREC_27" FriendlyName="IREC.sys\irec64--16.sys Hash Page Sha1" Hash="A9D9D7FF0D091A63491D43B4E9FB3852BC1BD5B1" />
+    <Deny ID="ID_DENY_IREC_28" FriendlyName="IREC.sys\irec64--16.sys Hash Page Sha256" Hash="1356FD71998471A795A4CBFDACED2D86879F05CEE383918B516BCF14ACAF547D" />
+    <Deny ID="ID_DENY_IREC_29" FriendlyName="IREC.sys\irec64--17.sys Hash Sha1" Hash="8E5B173D15C5E940D8D2D1985810D5EB2118AFAD" />
+    <Deny ID="ID_DENY_IREC_2A" FriendlyName="IREC.sys\irec64--17.sys Hash Sha256" Hash="06A136B23ADE23C02509A896A05CF6D99DF93E774A10583B796B61E3F643A858" />
+    <Deny ID="ID_DENY_IREC_2B" FriendlyName="IREC.sys\irec64--17.sys Hash Page Sha1" Hash="BC95CB78F67C3F98380CB53FE1EB3A495BF53B8B" />
+    <Deny ID="ID_DENY_IREC_2C" FriendlyName="IREC.sys\irec64--17.sys Hash Page Sha256" Hash="F563312E01F7C88293CC4374C97737EDAED22A6FD26E0106CB6A30CE68C3BD45" />
+    <Deny ID="ID_DENY_IREC_2D" FriendlyName="IREC.sys\irec64--18.sys Hash Sha1" Hash="90EBE947F9DAEF1ABEE0BCC2241069E061AE24ED" />
+    <Deny ID="ID_DENY_IREC_2E" FriendlyName="IREC.sys\irec64--18.sys Hash Sha256" Hash="9A6E8BD410BA51574B773B98C6488FC332F445DA0E94E78F693B9A76E86DFBCC" />
+    <Deny ID="ID_DENY_IREC_2F" FriendlyName="IREC.sys\irec64--18.sys Hash Page Sha1" Hash="B8FC6F0E07F898268E43652C0CCB650405CCD68C" />
+    <Deny ID="ID_DENY_IREC_30" FriendlyName="IREC.sys\irec64--18.sys Hash Page Sha256" Hash="BA7317A12A431DA55E53778C9EC0D58DB701E88B89D03A9EDD7C5C1012E66A14" />
+    <Deny ID="ID_DENY_IREC_31" FriendlyName="IREC.sys\irec64--19.sys Hash Sha1" Hash="719F659300BA463EFEEAB5916F0378C64FC1AD4A" />
+    <Deny ID="ID_DENY_IREC_32" FriendlyName="IREC.sys\irec64--19.sys Hash Sha256" Hash="457E2EB5EE1DEF0E336463B7F62DCC02FDDE307B817CF750907A5F5465C4DCB7" />
+    <Deny ID="ID_DENY_IREC_33" FriendlyName="IREC.sys\irec64--19.sys Hash Page Sha1" Hash="F7FEA2BE8FF65DBB89BAF39EF8E0D80DAB81CB8E" />
+    <Deny ID="ID_DENY_IREC_34" FriendlyName="IREC.sys\irec64--19.sys Hash Page Sha256" Hash="5FEB045C2452FD280BA1CAD5FC9B4F0DE7FC95EABDCE19FA2CD1F632891F3B1A" />
+    <Deny ID="ID_DENY_IREC_35" FriendlyName="IREC.sys\irec64--21.sys Hash Sha1" Hash="37486D0CA79CF2924D8540B00E84FF4F9C86F574" />
+    <Deny ID="ID_DENY_IREC_36" FriendlyName="IREC.sys\irec64--21.sys Hash Sha256" Hash="87F01D8BF8424D801D4B47273918FB817DA2E59F517BA1FC1C038FB3C4E91A17" />
+    <Deny ID="ID_DENY_IREC_37" FriendlyName="IREC.sys\irec64--21.sys Hash Page Sha1" Hash="54CBAEDB10F2AFAA73E4C209ECD6E76B3912AF6F" />
+    <Deny ID="ID_DENY_IREC_38" FriendlyName="IREC.sys\irec64--21.sys Hash Page Sha256" Hash="09516642395221D25006D8E604D7FC519DE102453875D6DD325D02A80A4D30CE" />
+    <Deny ID="ID_DENY_IREC_39" FriendlyName="IREC.sys\irec64--23.sys Hash Sha1" Hash="E4496961589BB0C03F05016AA3242B2D1ACD5E3F" />
+    <Deny ID="ID_DENY_IREC_3A" FriendlyName="IREC.sys\irec64--23.sys Hash Sha256" Hash="D62B9E6BC56E042C1CE7CB6493AB7FD1B58F716D1C4DC9E56DDFDBDB79B4F3E4" />
+    <Deny ID="ID_DENY_IREC_3B" FriendlyName="IREC.sys\irec64--23.sys Hash Page Sha1" Hash="0F11543D227EB822C9FBB3F4B9E497E1831BFAA9" />
+    <Deny ID="ID_DENY_IREC_3C" FriendlyName="IREC.sys\irec64--23.sys Hash Page Sha256" Hash="A28B1BD5B1C5D3C91029CAEAE0FB71AFD3485A5D6701DF812D9181B429E605F1" />
+    <Deny ID="ID_DENY_IREC_3D" FriendlyName="IREC.sys\irec64--24.sys Hash Sha1" Hash="288AA5926A9382D34AF147B142BCDD02C06B39BD" />
+    <Deny ID="ID_DENY_IREC_3E" FriendlyName="IREC.sys\irec64--24.sys Hash Sha256" Hash="66A751B6168A4D9F2F5F5D8D18BEF25F1494E0E20A31360E0F72E498096DE23F" />
+    <Deny ID="ID_DENY_IREC_3F" FriendlyName="IREC.sys\irec64--24.sys Hash Page Sha1" Hash="D71E1AA8124D6E634D2F8C9C08E6D1BFC29F0E3A" />
+    <Deny ID="ID_DENY_IREC_40" FriendlyName="IREC.sys\irec64--24.sys Hash Page Sha256" Hash="66D06BE183B3AE3F51798A4FCFAB56CAD3B92135429620F5EC1589258F799326" />
+    <Deny ID="ID_DENY_IREC_41" FriendlyName="IREC.sys\irec64--25.sys Hash Sha1" Hash="8BBB803E9F79196590FC33E4FB216D556E318F86" />
+    <Deny ID="ID_DENY_IREC_42" FriendlyName="IREC.sys\irec64--25.sys Hash Sha256" Hash="9C709B73D67AC049C391EB398A08056422AA677801B2AF924CF3BBACD3D484D2" />
+    <Deny ID="ID_DENY_IREC_43" FriendlyName="IREC.sys\irec64--25.sys Hash Page Sha1" Hash="0D28D548B2E5C5CBB279061A32CC46297A1F531C" />
+    <Deny ID="ID_DENY_IREC_44" FriendlyName="IREC.sys\irec64--25.sys Hash Page Sha256" Hash="924DF2032B3B70CD9D9ACC3AC28D0924E8D9EAA24CD406688E2DC0E3BFC3F70A" />
+    <Deny ID="ID_DENY_IREC_45" FriendlyName="IREC.sys\irec64--26.sys Hash Sha1" Hash="63DC0951A2D8FD32F62E7ECBB34B917EDB855E27" />
+    <Deny ID="ID_DENY_IREC_46" FriendlyName="IREC.sys\irec64--26.sys Hash Sha256" Hash="D48B16426AD15C2FCD570F68893BDDFC16E61BF47E86575D17B7CBDED71F9937" />
+    <Deny ID="ID_DENY_IREC_47" FriendlyName="IREC.sys\irec64--26.sys Hash Page Sha1" Hash="798CF0D31E7DE95236D32526D98B1B9F398EF451" />
+    <Deny ID="ID_DENY_IREC_48" FriendlyName="IREC.sys\irec64--26.sys Hash Page Sha256" Hash="679ECD06D16A6E5D647E955DC8DB480F2799868C1C8F2334DAF11B095DCE9DCB" />
+    <Deny ID="ID_DENY_IREC_49" FriendlyName="IREC.sys\irec64--27.sys Hash Sha1" Hash="EFE0B7278B60880F2A7EE6FE6F7EC274995C8D0E" />
+    <Deny ID="ID_DENY_IREC_4A" FriendlyName="IREC.sys\irec64--27.sys Hash Sha256" Hash="F2F3907897D349B6263C1FBC16BF12534886DB847E98BFFE786025C16E2796C1" />
+    <Deny ID="ID_DENY_IREC_4B" FriendlyName="IREC.sys\irec64--27.sys Hash Page Sha1" Hash="CA64B7A0BEA9C46986C9CCC869F66DB49FC82CDA" />
+    <Deny ID="ID_DENY_IREC_4C" FriendlyName="IREC.sys\irec64--27.sys Hash Page Sha256" Hash="6789CA368EC8D5D01FD8D379A119CEAA677798BA0763BEBBE65C9FA5E581A160" />
+    <Deny ID="ID_DENY_IREC_4D" FriendlyName="IREC.sys\irec64--28.sys Hash Sha1" Hash="8B8D832E9F39281A454CE6D6A876338B8931075F" />
+    <Deny ID="ID_DENY_IREC_4E" FriendlyName="IREC.sys\irec64--28.sys Hash Sha256" Hash="7CCCD8D23FDABF6F6AC6725521EF99B6CB90BA5045FC13540EC6B9BB69F71AB0" />
+    <Deny ID="ID_DENY_IREC_4F" FriendlyName="IREC.sys\irec64--28.sys Hash Page Sha1" Hash="CC1696378EC427350B8AF1327113DC18FFE8433C" />
+    <Deny ID="ID_DENY_IREC_50" FriendlyName="IREC.sys\irec64--28.sys Hash Page Sha256" Hash="8248A91E24E4DE42B0690268C781938095D1C4F89750A66D8E05DBE5DD709864" />
+    <Deny ID="ID_DENY_IREC_51" FriendlyName="IREC.sys\irecARM64--45.sys Hash Sha1" Hash="F89D40FA04E040EF2B6170CAA7E7BDF52A40B2E6" />
+    <Deny ID="ID_DENY_IREC_52" FriendlyName="IREC.sys\irecARM64--45.sys Hash Sha256" Hash="7883DDEBE413E3D18E93FE73CA293322235A6EF6AEF5AD7030B743A4ECED83A3" />
+    <Deny ID="ID_DENY_IREC_53" FriendlyName="IREC.sys\irecARM64--45.sys Hash Page Sha1" Hash="2C8F603F5420AC349DAD3051C6DD820DC1D34C8E" />
+    <Deny ID="ID_DENY_IREC_54" FriendlyName="IREC.sys\irecARM64--45.sys Hash Page Sha256" Hash="8154EA793FC5DA34AAA7B14D24F462D1E6838AA7DE44CF3E5F332A8C66191DF2" />
     <Deny ID="ID_DENY_LGCORETEMP_1" FriendlyName="lgcoretemp\e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef Hash Sha1" Hash="BF20C99129A768B3D2D5C621AB50375984AB9351" />
     <Deny ID="ID_DENY_LGCORETEMP_2" FriendlyName="lgcoretemp\e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef Hash Sha256" Hash="9C4DB6EE983FD4FA74F8212031ADE343A1B9ABDB258D05BEF1AABD7AB49FBC16" />
     <Deny ID="ID_DENY_LGCORETEMP_3" FriendlyName="lgcoretemp\e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef Hash Page Sha1" Hash="4DD5A5D9B4AF0708902DF52C6C42921DE296CC21" />
@@ -889,6 +977,26 @@ To check that the policy was successfully applied on your computer:
     <Deny ID="ID_DENY_NVFLASH_6A" FriendlyName="nvflash.sys\ffd1aef19646ffed09b56a2ace4fc8cdf5b2f714fcca1e7ffb82256264c94b18 Hash Sha256" Hash="157CE9AE0D09766CFA3E5BE8F90E2AC510F0CE3A0BB7CD97E3A5F9AA20C76661" />
     <Deny ID="ID_DENY_NVFLASH_6B" FriendlyName="nvflash.sys\ffd1aef19646ffed09b56a2ace4fc8cdf5b2f714fcca1e7ffb82256264c94b18 Hash Page Sha1" Hash="C1DC399DF098A44F569BA80ECCFE0B5724362B16" />
     <Deny ID="ID_DENY_NVFLASH_6C" FriendlyName="nvflash.sys\ffd1aef19646ffed09b56a2ace4fc8cdf5b2f714fcca1e7ffb82256264c94b18 Hash Page Sha256" Hash="D6E111744E51D167F040AC43D426D852013241C717C557ECC8C8FCEAA0F01BBC" />
+    <Deny ID="ID_DENY_NVOCLOCK_1" FriendlyName="nvoclock\2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958 Hash Sha1" Hash="0380CE3467B97AA19CA6AB3177651B22A77D9C0E" />
+    <Deny ID="ID_DENY_NVOCLOCK_2" FriendlyName="nvoclock\2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958 Hash Sha256" Hash="717242AD6A3AFB6F236890CAA44501A4BE8D0AB019F028BA2C74D3455F065804" />
+    <Deny ID="ID_DENY_NVOCLOCK_3" FriendlyName="nvoclock\2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958 Hash Page Sha1" Hash="B80FECC3E055CE1952E0C9F491B9BBC4EDD3591A" />
+    <Deny ID="ID_DENY_NVOCLOCK_4" FriendlyName="nvoclock\2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958 Hash Page Sha256" Hash="D1CC7B5CED135FC9CF1170C78F6B3FD789962A73D84114C3ACC93FFBABA59C77" />
+    <Deny ID="ID_DENY_NVOCLOCK_5" FriendlyName="nvoclock\29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36 Hash Sha1" Hash="E7F478393A69EC3FE0A026584DDC26FD336DC4F0" />
+    <Deny ID="ID_DENY_NVOCLOCK_6" FriendlyName="nvoclock\29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36 Hash Sha256" Hash="73664268A737D071F2C3C67503002DB08432953F14771317835B6F080D3DAEFF" />
+    <Deny ID="ID_DENY_NVOCLOCK_7" FriendlyName="nvoclock\3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284 Hash Sha1" Hash="1E4FDFE6750A04756332CC5A5896CD5763C923C7" />
+    <Deny ID="ID_DENY_NVOCLOCK_8" FriendlyName="nvoclock\3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284 Hash Sha256" Hash="1848CB34D16559E3C8232C369D89FC12B5720B58300D8C4C21DADE6E3EA8D585" />
+    <Deny ID="ID_DENY_NVOCLOCK_9" FriendlyName="nvoclock\4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d Hash Sha1" Hash="FB6958D7D53E63EDEB4CCEEBAB4D12CA70202109" />
+    <Deny ID="ID_DENY_NVOCLOCK_10" FriendlyName="nvoclock\4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d Hash Sha256" Hash="F72DBB2A818BA47CA03FFBE50D211050210699C25CAEC3B97CA960D7286D4B6A" />
+    <Deny ID="ID_DENY_NVOCLOCK_11" FriendlyName="nvoclock\64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5 Hash Sha1" Hash="2D63276EB232457770188F2DF6FC67EB41FAACD1" />
+    <Deny ID="ID_DENY_NVOCLOCK_12" FriendlyName="nvoclock\64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5 Hash Sha256" Hash="ABBF92203A31C93B8E719CDABFF1C681921EDBAF43CD34DA79C86CB5A806757F" />
+    <Deny ID="ID_DENY_NVOCLOCK_13" FriendlyName="nvoclock\64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5 Hash Page Sha1" Hash="6687A30E8887A18CBCC962E2BDE118BA66310F15" />
+    <Deny ID="ID_DENY_NVOCLOCK_14" FriendlyName="nvoclock\64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5 Hash Page Sha256" Hash="1FE5977A8C891E29444E1364EB91C82A606E39E842D80FE0DBA126261376E751" />
+    <Deny ID="ID_DENY_NVOCLOCK_15" FriendlyName="nvoclock\77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f Hash Sha1" Hash="FDDCB8952F5F44DDAE6201B08DDAA94537470669" />
+    <Deny ID="ID_DENY_NVOCLOCK_16" FriendlyName="nvoclock\77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f Hash Sha256" Hash="CEC5964D7E32C52439D5EB660FA97827B619A7DA9F3264F0C9FA4B69E3CB7CC1" />
+    <Deny ID="ID_DENY_NVOCLOCK_17" FriendlyName="nvoclock\87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b Hash Sha1" Hash="8546586F7825C49876F2E0C52BA55F545B4E03BD" />
+    <Deny ID="ID_DENY_NVOCLOCK_18" FriendlyName="nvoclock\87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b Hash Sha256" Hash="7C8D7BB3A272AFE7FB737BD165FE9BD8F8187F1835289EB66D471CDCED74E950" />
+    <Deny ID="ID_DENY_NVOCLOCK_19" FriendlyName="nvoclock\d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8 Hash Sha1" Hash="FE761BEE648D4A1C9FD8C1646323A692DF957C42" />
+    <Deny ID="ID_DENY_NVOCLOCK_20" FriendlyName="nvoclock\d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8 Hash Sha256" Hash="B3183D87A902DB1BBDAECB37291B9D37C032CE9DFACBE4B36CC3032F5A643AB4" /> 
     <Deny ID="ID_DENY_OTIPCIBUS_1" FriendlyName="otipcibus.sys\4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80 Hash Sha1" Hash="FD172C7F8BDC81988FCF1642881078A8CA8415F6" />
     <Deny ID="ID_DENY_OTIPCIBUS_2" FriendlyName="otipcibus.sys\4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80 Hash Sha256" Hash="1CDA1A6E33D14D5DD06344425102BF840F8149E817ECFB01C59A2190D3367024" />
     <Deny ID="ID_DENY_OTIPCIBUS_3" FriendlyName="otipcibus.sys\4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80 Hash Page Sha1" Hash="8DFBFD888C9A420AC7F3371E5443C26A2852E539" />
@@ -915,6 +1023,22 @@ To check that the policy was successfully applied on your computer:
     <Deny ID="ID_DENY_PHYMEMX64_SHA256" FriendlyName="phymemx64 Hash Sha256" Hash="A6AE7364FD188C10D6B5A729A7FF58A3EB11E7FEB0D107D18F9133655C11FB66" />
     <Deny ID="ID_DENY_PHYMEMX64_SHA1_PAGE" FriendlyName="phymemx64 Hash Page Sha1" Hash="6E7D8ABF7F81A2433F27B052B3952EFC4B9CC0B1" />
     <Deny ID="ID_DENY_PHYMEMX64_SHA256_PAGE" FriendlyName="phymemx64 Hash Page Sha256" Hash="B7113B9A68E17428E2107B19BA099571AAFFC854B8FB9CBCEB79EF9E3FD1CC62" />
+    <Deny ID="ID_DENY_QMBSEC_0" FriendlyName="qmbsec.sys\0c801d381292e0476fb435fcc450b7a8970054cc47230c3123f3b6930d8ad799 Hash Sha1" Hash="129ABA97A7EB768AE0ED28D0C9A496F3C60DB314" />
+    <Deny ID="ID_DENY_QMBSEC_1" FriendlyName="qmbsec.sys\0c801d381292e0476fb435fcc450b7a8970054cc47230c3123f3b6930d8ad799 Hash Sha256" Hash="AF55DE92D14CF69D19B2FCB6DB4FBE272C2E04E5F62F7519BD368C173A05CE1F" />
+    <Deny ID="ID_DENY_QMBSEC_2" FriendlyName="qmbsec.sys\0c801d381292e0476fb435fcc450b7a8970054cc47230c3123f3b6930d8ad799 Hash Page Sha1" Hash="416895E001A9C3721999048941CD9B79BB9BF9BB" />
+    <Deny ID="ID_DENY_QMBSEC_3" FriendlyName="qmbsec.sys\0c801d381292e0476fb435fcc450b7a8970054cc47230c3123f3b6930d8ad799 Hash Page Sha256" Hash="50A1719C23DD141ACC867D0935A0EB1A8349F3D7CF1186FA037E829D1788FB34" />
+    <Deny ID="ID_DENY_QMBSEC_4" FriendlyName="qmbsec.sys\494cf30f87274942694e1d6a5700466382cf1398ff62a64a654b2e396fff43f4 Hash Sha1" Hash="7DC5480689591EE8FE778641807CB7B54263E04F" />
+    <Deny ID="ID_DENY_QMBSEC_5" FriendlyName="qmbsec.sys\494cf30f87274942694e1d6a5700466382cf1398ff62a64a654b2e396fff43f4 Hash Sha256" Hash="C8AF285696916F5E503E1F6445BE1CAA23B10178F261E4893DFB0F93A2AA9211" />
+    <Deny ID="ID_DENY_QMBSEC_6" FriendlyName="qmbsec.sys\494cf30f87274942694e1d6a5700466382cf1398ff62a64a654b2e396fff43f4 Hash Page Sha1" Hash="AF20947C135C4497FB6D1B51180DC07AAABEEA00" />
+    <Deny ID="ID_DENY_QMBSEC_7" FriendlyName="qmbsec.sys\494cf30f87274942694e1d6a5700466382cf1398ff62a64a654b2e396fff43f4 Hash Page Sha256" Hash="FB361D34A0D7C633817DDABEFD0CE66F9F5BC1E8F2B301DCCE657BADD2F06FB3" />
+    <Deny ID="ID_DENY_QMBSEC_8" FriendlyName="qmbsec.sys\51745c658c506484ed79e2d71862b36351bac95a897ddc41aaeb9ba5bdfb2a37 Hash Sha1" Hash="6C3434976D859889FA4E91FCF370764A48056B73" />
+    <Deny ID="ID_DENY_QMBSEC_9" FriendlyName="qmbsec.sys\51745c658c506484ed79e2d71862b36351bac95a897ddc41aaeb9ba5bdfb2a37 Hash Sha256" Hash="46141E13ADBADCDB42E0E96AC9F71D3E88E5FA6EFB42F658E216078424FE57A0" />
+    <Deny ID="ID_DENY_QMBSEC_A" FriendlyName="qmbsec.sys\51745c658c506484ed79e2d71862b36351bac95a897ddc41aaeb9ba5bdfb2a37 Hash Page Sha1" Hash="BAB8C0DAC93E72E13F7F2014F44C5EDF1EFCAE17" />
+    <Deny ID="ID_DENY_QMBSEC_B" FriendlyName="qmbsec.sys\51745c658c506484ed79e2d71862b36351bac95a897ddc41aaeb9ba5bdfb2a37 Hash Page Sha256" Hash="6980D97D602100054B8F9F2206E29705E79EC86464915B2212ECEC08C548A291" />
+    <Deny ID="ID_DENY_QMBSEC_C" FriendlyName="qmbsec.sys\be6c3af76d43d6200a387eab9b57791c87dc3a3e21636b3df68bb34e24eebf89 Hash Sha1" Hash="82879A316D5A212C95E8F6DC2734BFDA3DD84DE4" />
+    <Deny ID="ID_DENY_QMBSEC_D" FriendlyName="qmbsec.sys\be6c3af76d43d6200a387eab9b57791c87dc3a3e21636b3df68bb34e24eebf89 Hash Sha256" Hash="B083BB2B298FA14F2E7CC65341337209DF5DE7C53B8CE5DAB5FA830DD29FE2A5" />
+    <Deny ID="ID_DENY_QMBSEC_E" FriendlyName="qmbsec.sys\be6c3af76d43d6200a387eab9b57791c87dc3a3e21636b3df68bb34e24eebf89 Hash Page Sha1" Hash="96516702799451093DB85802491D70F20382DFDE" />
+    <Deny ID="ID_DENY_QMBSEC_F" FriendlyName="qmbsec.sys\be6c3af76d43d6200a387eab9b57791c87dc3a3e21636b3df68bb34e24eebf89 Hash Page Sha256" Hash="0915820FC684225C54BBE9C0727E5E592EE7F10272C3BD8FCE055742C188305C" />
     <Deny ID="ID_DENY_RETLIFTEN_SHA1_1" FriendlyName="80.sys Hash Sha1" Hash="BC2F3850C7B858340D7ED27B90E63B036881FD6C" />
     <Deny ID="ID_DENY_RETLIFTEN_SHA1_2" FriendlyName="netfilterdrv.sys Hash Sha1" Hash="E74B6DDA8BC53BC687FC21218BD34062A78D8467" />
     <Deny ID="ID_DENY_RETLIFTEN_SHA1_3" FriendlyName="netfilterdrv.sys Hash Sha1" Hash="2C27ABBBBCF10DFB75AD79557E30ACE5ED314DF8" />
@@ -1171,6 +1295,56 @@ To check that the policy was successfully applied on your computer:
     <Deny ID="ID_DENY_WINIO_32" FriendlyName="PartnerTech WinIO\dc2b92f59fd8d059a58cc0761212f788d7041f708f4bd717d1738de909b4f781 Hash Sha256" Hash="5B6C10E103D42B17E5DDD6BEEC295BBF51CE56547134CE8D675A008A8243F615" />
     <Deny ID="ID_DENY_WINIO_33" FriendlyName="PartnerTech WinIO\dc2b92f59fd8d059a58cc0761212f788d7041f708f4bd717d1738de909b4f781 Hash Page Sha1" Hash="746414A878978FA039A6521F392167913CEA7C8D" />
     <Deny ID="ID_DENY_WINIO_34" FriendlyName="PartnerTech WinIO\dc2b92f59fd8d059a58cc0761212f788d7041f708f4bd717d1738de909b4f781 Hash Page Sha256" Hash="45DFA3B42C2789A741C5F29862A8CFC5998D889F96C5783C1A27AC03DE1A407A" />
+    <Deny ID="ID_DENY_WINIO_35" FriendlyName="WinIO\0bfcf39a3e63bb6ef8afec67965103df1b9803bca31d221a7fd4233972be9e05 Hash Sha1" Hash="664F7E5EF393507A259362E6D7337407E44A3EDB" />
+    <Deny ID="ID_DENY_WINIO_36" FriendlyName="WinIO\0bfcf39a3e63bb6ef8afec67965103df1b9803bca31d221a7fd4233972be9e05 Hash Sha256" Hash="2DCED5FB3F68F8E33D2454798FCDC5AFCB00EBD1BBB8968CAF274B8D9A3A1DFE" />
+    <Deny ID="ID_DENY_WINIO_37" FriendlyName="WinIO\0bfcf39a3e63bb6ef8afec67965103df1b9803bca31d221a7fd4233972be9e05 Hash Page Sha1" Hash="CF3DF8311C7F241C56F4640D2C6A4A9BB20CD674" />
+    <Deny ID="ID_DENY_WINIO_38" FriendlyName="WinIO\0bfcf39a3e63bb6ef8afec67965103df1b9803bca31d221a7fd4233972be9e05 Hash Page Sha256" Hash="CA87FD00ACDAA7FE36496C1EBD81F6F608ADBB60F41F9B02C6815580F4CE42AC" />
+    <Deny ID="ID_DENY_WINIO_39" FriendlyName="WinIO\13a38c92606de7bc61960606deb59e1db125fb4efbb8b29ba732e5d3c2dc169c Hash Sha1" Hash="1769C1E75D4131047771350AAF84AEA0A631A53C" />
+    <Deny ID="ID_DENY_WINIO_40" FriendlyName="WinIO\13a38c92606de7bc61960606deb59e1db125fb4efbb8b29ba732e5d3c2dc169c Hash Sha256" Hash="E9E8061F8E2C68C6F3E4A4D284CE9E8195140E531981C54F68ED7445D259B4DA" />
+    <Deny ID="ID_DENY_WINIO_41" FriendlyName="WinIO\13a38c92606de7bc61960606deb59e1db125fb4efbb8b29ba732e5d3c2dc169c Hash Page Sha1" Hash="50B55723B63BFECD05DBEB4C19C36AC8F9BEBD25" />
+    <Deny ID="ID_DENY_WINIO_42" FriendlyName="WinIO\13a38c92606de7bc61960606deb59e1db125fb4efbb8b29ba732e5d3c2dc169c Hash Page Sha256" Hash="14F25296EA3C6AE183BDAE04A0029BE2BB4D679089680FB2695904708A778CB2" />
+    <Deny ID="ID_DENY_WINIO_43" FriendlyName="WinIO\1f868677f2e6afd63b974908f793307a91329a6a413cfd726e85185507401afb Hash Sha1" Hash="67A8DF0F5962D4C93D4463BF79185F23502B8CEA" />
+    <Deny ID="ID_DENY_WINIO_44" FriendlyName="WinIO\1f868677f2e6afd63b974908f793307a91329a6a413cfd726e85185507401afb Hash Sha256" Hash="1E93ACD7C0ACCE3C39AC6303A8D914B5F8556C7C1E10EFDBBA18CCF75A41F36E" />
+    <Deny ID="ID_DENY_WINIO_45" FriendlyName="WinIO\2e8c28298890f1684be3827bcdb0746a124a0ffe58d1c9a4c361c2e8b13cf735 Hash Sha1" Hash="7BCF1C28DEED9ECAD5DFBEC3A111297673C33AA7" />
+    <Deny ID="ID_DENY_WINIO_46" FriendlyName="WinIO\2e8c28298890f1684be3827bcdb0746a124a0ffe58d1c9a4c361c2e8b13cf735 Hash Sha256" Hash="6A4E037EE84F83D3A4E84C35F09AE26D42F347FEC8ECF525553962EC24CEB2BE" />
+    <Deny ID="ID_DENY_WINIO_47" FriendlyName="WinIO\2e8c28298890f1684be3827bcdb0746a124a0ffe58d1c9a4c361c2e8b13cf735 Hash Page Sha1" Hash="B23D319DBE769BF8DB0D5217A3523553072830E3" />
+    <Deny ID="ID_DENY_WINIO_48" FriendlyName="WinIO\2e8c28298890f1684be3827bcdb0746a124a0ffe58d1c9a4c361c2e8b13cf735 Hash Page Sha256" Hash="F0158C28986F4A806F127DB70720462D8EF07F8EB7A7B8DE698896993365B517" />
+    <Deny ID="ID_DENY_WINIO_49" FriendlyName="WinIO\385660a65e69b3bf9ac5c2ae4cadbb1e07f366e1807979bf7a915e40e9480f8b Hash Sha1" Hash="FDF79660BAE9C9DD54509FEC6C9F0E0A9BB2C1D5" />
+    <Deny ID="ID_DENY_WINIO_50" FriendlyName="WinIO\385660a65e69b3bf9ac5c2ae4cadbb1e07f366e1807979bf7a915e40e9480f8b Hash Sha256" Hash="FF40D6714AC9C59A6D0E3A155586D6C51A3457F77BA1E2858D9804A0318178E7" />
+    <Deny ID="ID_DENY_WINIO_51" FriendlyName="WinIO\385660a65e69b3bf9ac5c2ae4cadbb1e07f366e1807979bf7a915e40e9480f8b Hash Page Sha1" Hash="65EC6A3DB695FCD94DF5C8B41EEF67DE02031C96" />
+    <Deny ID="ID_DENY_WINIO_52" FriendlyName="WinIO\385660a65e69b3bf9ac5c2ae4cadbb1e07f366e1807979bf7a915e40e9480f8b Hash Page Sha256" Hash="F74C91893BE76BE735CDBCA522405D0AE055326AE7D7082907FE1447FA196F2C" />
+    <Deny ID="ID_DENY_WINIO_53" FriendlyName="WinIO\42322b59f75f3ee3f66d080433c01fe024ca9ce5cbd3acac8a98394ac2a0d659 Hash Sha1" Hash="8E93E37A72A13DAC1C4C0BC1DA6BDFB8BA8D9CB3" />
+    <Deny ID="ID_DENY_WINIO_54" FriendlyName="WinIO\42322b59f75f3ee3f66d080433c01fe024ca9ce5cbd3acac8a98394ac2a0d659 Hash Sha256" Hash="5B6C10E103D42B17E5DDD6BEEC295BBF51CE56547134CE8D675A008A8243F615" />
+    <Deny ID="ID_DENY_WINIO_55" FriendlyName="WinIO\42322b59f75f3ee3f66d080433c01fe024ca9ce5cbd3acac8a98394ac2a0d659 Hash Page Sha1" Hash="746414A878978FA039A6521F392167913CEA7C8D" />
+    <Deny ID="ID_DENY_WINIO_56" FriendlyName="WinIO\42322b59f75f3ee3f66d080433c01fe024ca9ce5cbd3acac8a98394ac2a0d659 Hash Page Sha256" Hash="45DFA3B42C2789A741C5F29862A8CFC5998D889F96C5783C1A27AC03DE1A407A" />
+    <Deny ID="ID_DENY_WINIO_57" FriendlyName="WinIO\8d5466ccce64de5beccc373e0c878ca3e624ed78d359f76aae32de4df5afce18 Hash Sha1" Hash="DB70C4C4BE791955F33977D85B30D9624E9270E3" />
+    <Deny ID="ID_DENY_WINIO_58" FriendlyName="WinIO\8d5466ccce64de5beccc373e0c878ca3e624ed78d359f76aae32de4df5afce18 Hash Sha256" Hash="9F44E5C897EE06D92E7BEDC713DD369D85E084959C69CEEC25663A599FF5D5F8" />
+    <Deny ID="ID_DENY_WINIO_59" FriendlyName="WinIO\8d5466ccce64de5beccc373e0c878ca3e624ed78d359f76aae32de4df5afce18 Hash Page Sha1" Hash="AAB02F7A7931442D2F46330E069ABF9B59DB3F3D" />
+    <Deny ID="ID_DENY_WINIO_60" FriendlyName="WinIO\8d5466ccce64de5beccc373e0c878ca3e624ed78d359f76aae32de4df5afce18 Hash Page Sha256" Hash="9185576B594D33290237E72841F56D36A4F0D6668EC9094FB45C1F3957DF6A0C" />
+    <Deny ID="ID_DENY_WINIO_61" FriendlyName="WinIO\9ef6eb93e504351d710b88fd5ec68ef2e0b757ea364341e715b0076dc559b54a Hash Sha1" Hash="789C851AF232506F62BE108799065219427861C2" />
+    <Deny ID="ID_DENY_WINIO_62" FriendlyName="WinIO\9ef6eb93e504351d710b88fd5ec68ef2e0b757ea364341e715b0076dc559b54a Hash Sha256" Hash="D6399E43E24E4D2348008645F6E2176AEB2F0244A5E17028C152D87617E7BD0D" />
+    <Deny ID="ID_DENY_WINIO_63" FriendlyName="WinIO\9ef6eb93e504351d710b88fd5ec68ef2e0b757ea364341e715b0076dc559b54a Hash Page Sha1" Hash="5E699DF6F458A11CD8C2D59D083D2CA38A25F876" />
+    <Deny ID="ID_DENY_WINIO_64" FriendlyName="WinIO\9ef6eb93e504351d710b88fd5ec68ef2e0b757ea364341e715b0076dc559b54a Hash Page Sha256" Hash="E6E5B6C064338FBB222221EF3A8DEBE60E4ED0AAECCB5B03FECD0DC595AB3FC9" />
+    <Deny ID="ID_DENY_WINIO_65" FriendlyName="WinIO\9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374 Hash Sha1" Hash="651B953CB03928E41424AD59F21D4978D6F4952E" />
+    <Deny ID="ID_DENY_WINIO_66" FriendlyName="WinIO\9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374 Hash Sha256" Hash="EBBAA44277A3EC6E20AD3F6AEF5399FDC398306EB4C13AA96E45C9A281820A12" />
+    <Deny ID="ID_DENY_WINIO_67" FriendlyName="WinIO\9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374 Hash Page Sha1" Hash="3727D824713E733558A20DE9876AABF1059D3158" />
+    <Deny ID="ID_DENY_WINIO_68" FriendlyName="WinIO\9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374 Hash Page Sha256" Hash="88C83F618C8F4069DED87C409A8446C5A30E22A303E64AAFF1C5BE6302ADEDB4" />
+    <Deny ID="ID_DENY_WINIO_69" FriendlyName="WinIO\be929ae99015fafa0ab55cb475035e8c1359db1b61e00507defc1919a3538385 Hash Sha1" Hash="8522BD30B4028C43B747C96665F60AB920F341EA" />
+    <Deny ID="ID_DENY_WINIO_70" FriendlyName="WinIO\be929ae99015fafa0ab55cb475035e8c1359db1b61e00507defc1919a3538385 Hash Sha256" Hash="48EC0783D0A2AAF4956102479BA4DDFE9F760066D00E1C5B7F022A084951DC73" />
+    <Deny ID="ID_DENY_WINIO_71" FriendlyName="WinIO\be929ae99015fafa0ab55cb475035e8c1359db1b61e00507defc1919a3538385 Hash Page Sha1" Hash="9808DE8670677522E87FFEF1593D220E3619C7B9" />
+    <Deny ID="ID_DENY_WINIO_72" FriendlyName="WinIO\be929ae99015fafa0ab55cb475035e8c1359db1b61e00507defc1919a3538385 Hash Page Sha256" Hash="BC54AF722F57C3BD11EDAEDBF5979AA8D8A388A2D94E80E9E26311B61A11529A" />
+    <Deny ID="ID_DENY_WINIO_73" FriendlyName="WinIO\d6518cb6dc0cfdfefb9e2210e3de18867748a77153fa11bc7263cdbc58919815 Hash Sha1" Hash="660DC4007F3C667BA97736C3C9A5E038CB473EE0" />
+    <Deny ID="ID_DENY_WINIO_74" FriendlyName="WinIO\d6518cb6dc0cfdfefb9e2210e3de18867748a77153fa11bc7263cdbc58919815 Hash Sha256" Hash="669FF9649C66B4C61BD97EC4A83D6EBC8DA7736C039B2741D4E2D8310039977A" />
+    <Deny ID="ID_DENY_WINIO_75" FriendlyName="WinIO\d6518cb6dc0cfdfefb9e2210e3de18867748a77153fa11bc7263cdbc58919815 Hash Page Sha1" Hash="118777DD5E34BDCE01B2A0C6720A4EB9DC4FEFFF" />
+    <Deny ID="ID_DENY_WINIO_76" FriendlyName="WinIO\d6518cb6dc0cfdfefb9e2210e3de18867748a77153fa11bc7263cdbc58919815 Hash Page Sha256" Hash="E686804D2FF9ACEAD443A0B66DACD1780E4041A0ACAEDB3A78B91F52DCFF4824" />
+    <Deny ID="ID_DENY_WINIO_77" FriendlyName="WinIO\db4a5b87db97167c70e98014a12ac324866cf643cee65d3b3cda0b33add34d2f Hash Sha1" Hash="4AF05BCCDD9A1FFCF3DAF4DFE4A00FE6F1F257BE" />
+    <Deny ID="ID_DENY_WINIO_78" FriendlyName="WinIO\db4a5b87db97167c70e98014a12ac324866cf643cee65d3b3cda0b33add34d2f Hash Sha256" Hash="059EFDB03556258C34B6CB26FF4679DC7CD4CB797190FDDDF373B3F701EE55B7" />
+    <Deny ID="ID_DENY_WINIO_79" FriendlyName="WinIO\db4a5b87db97167c70e98014a12ac324866cf643cee65d3b3cda0b33add34d2f Hash Page Sha1" Hash="468B16FD87C346A1F5B11BDE450673F1D8866619" />
+    <Deny ID="ID_DENY_WINIO_80" FriendlyName="WinIO\db4a5b87db97167c70e98014a12ac324866cf643cee65d3b3cda0b33add34d2f Hash Page Sha256" Hash="186D287B669D813A727CBAAACDAA291FA1F16B1599122BA869622AE0C920F6B9" />
+    <Deny ID="ID_DENY_WINIO_81" FriendlyName="WinIO\f4acfebd83a351029dd812a0e40b44f5362f31ae80b6ae0b2fa2241687d34912 Hash Sha1" Hash="7B3DB7D11456209A266F077F8E2D2B90E4F9118D" />
+    <Deny ID="ID_DENY_WINIO_82" FriendlyName="WinIO\f4acfebd83a351029dd812a0e40b44f5362f31ae80b6ae0b2fa2241687d34912 Hash Sha256" Hash="2EBB1FE5DCEF9EC8629D56D30DDBA27D112C2CBFCED936D235FCDF078846DDC6" />
+    <Deny ID="ID_DENY_WINIO_83" FriendlyName="WinIO\f4acfebd83a351029dd812a0e40b44f5362f31ae80b6ae0b2fa2241687d34912 Hash Page Sha1" Hash="929749666A53B35CC75A21B19C65E54671CC751E" />
+    <Deny ID="ID_DENY_WINIO_84" FriendlyName="WinIO\f4acfebd83a351029dd812a0e40b44f5362f31ae80b6ae0b2fa2241687d34912 Hash Page Sha256" Hash="C39AB8DC5E4DA02FA2309B83FF4FDF63AEF20F33018DFDEFB7B0B12B92CFE86E" />
     <Deny ID="ID_DENY_WINRING0_SHA1" FriendlyName="WinRing0.sys Hash Sha1" Hash="12EB825418A932B1E4C6697DC7647E89AE52CF3F" />
     <Deny ID="ID_DENY_WINRING0_SHA256" FriendlyName="WinRing0.sys Hash Sha256" Hash="4582ADB2E67EEBAFF755AE740C1F24BC3AF78E0F28E8E8DECB99F86BF155AB23" />
     <Deny ID="ID_DENY_WINRING0_SHA1_PAGE" FriendlyName="WinRing0.sys Hash Page Sha1" Hash="497AFEB0D5B97D4B863704A2F77FFEF31220402D" />
@@ -1213,10 +1387,10 @@ To check that the policy was successfully applied on your computer:
     <FileAttrib ID="ID_FILEATTRIB_EIO64" FriendlyName="ASUS EIO64.sys\1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718 FileAttribute" FileName="EIO.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535"/>
     <FileAttrib ID="ID_FILEATTRIB_EELAM" FriendlyName="ESET eelam Overpermissive ELAM FileAttribute" FileName="eelam.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.0.16.0" />
     <FileAttrib ID="ID_FILEATTRIB_ELBY_DRIVER" FriendlyName="" FileName="ElbyCDIO.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="6.0.3.2" />
-    <FileAttrib ID="ID_FILEATTRIB_ETDSUPPORT" FriendlyName="HP EtdSupport\0d383e469d0e27ebb713770f01f7f1a57068a7d30478221e6f2276125048d1c9 FileAttribute" FileName="etdsupp.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
+    <FileAttrib ID="ID_FILEATTRIB_ETDSUPPORT" FriendlyName="HP EtdSupport\0d383e469d0e27ebb713770f01f7f1a57068a7d30478221e6f2276125048d1c9 FileAttribute" FileName="etdsupp.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="20.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_FAIRPLAY" FriendlyName="Deny FairplayKD.sys MTA San Andreas Versions 367.*" ProductName="MTA San Andreas" MinimumFileVersion="367.0.0.0" MaximumFileVersion="367.65535.65535.65535"/>
     <FileAttrib ID="ID_FILEATTRIB_GMER" FriendlyName="GMEREK gmer64 FileAttribute" FileName="gmer64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
-    <FileAttrib ID="ID_FILEATTRIB_HAXM" FriendlyName="haXM.sys FileAttribute" FileName="HaXM.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
+    <FileAttrib ID="ID_FILEATTRIB_HAXM" FriendlyName="haXM.sys FileAttribute" FileName="HaXM.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.0" />
     <FileAttrib ID="ID_FILEATTRIB_HPPORTIOX64" FriendlyName="HpPortIox64.sys" FileName="HpPortIox64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.2.0.9" />
     <FileAttrib ID="ID_FILEATTRIB_HW" FriendlyName="hw_sys\4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8 FileAttribute" FileName="HW.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="4.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_HWINFO_1" FriendlyName="REALiX_HWiNFO32 FileAttribute" FileName="HWiNFO32.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="8.98.0.0" />
@@ -1225,7 +1399,7 @@ To check that the policy was successfully applied on your computer:
     <FileAttrib ID="ID_FILEATTRIB_HWRWDRV" FriendlyName="HwRwDrv FileAttribute" FileName="HwRwDrv.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_IOBITUNLOCKER" FriendlyName="IObitUnlocker FileAttribute" FileName="IObitUnlocker.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.3.0.0" />
     <FileAttrib ID="ID_FILEATTRIB_IOMEM" FriendlyName="DT Research iomem\2b507e0ad4515d9d47fb7f0bfa1f1eb11de25db4fca49fc1417ea991dc33b6bf FileAttribute" FileName="iomem.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535"/>
-    <FileAttrib ID="ID_FILEATTRIB_IQVW64" FriendlyName="IQVW64.sys FileAttribute" FileName="iQVW64.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.4.0.0" />
+    <FileAttrib ID="ID_FILEATTRIB_IQVW64" FriendlyName="IQVW64.sys FileAttribute" FileName="iQVW64.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.4.0.21" />
     <FileAttrib ID="ID_FILEATTRIB_KEVP64" FriendlyName="kevp64.sys FileAttribute" FileName="kEvP64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_LGCORETEMP" FriendlyName="LogiTech LgCoreTemp\93b266f38c3c3eaab475d81597abbd7cc07943035068bb6fd670dbbe15de0131 FileAttribute" FileName="LgCoreTemp.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_LHA" FriendlyName="LHA.sys FileAttribute" FileName="LHA.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
@@ -1241,6 +1415,7 @@ To check that the policy was successfully applied on your computer:
     <FileAttrib ID="ID_FILEATTRIB_NICM_DRIVER" FriendlyName="" FileName="NICM.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.11.0" />
     <FileAttrib ID="ID_FILEATTRIB_NSCM_DRIVER" FriendlyName="" FileName="nscm.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.11.0" />
     <FileAttrib ID="ID_FILEATTRIB_NTIOLIB" FriendlyName="" FileName="NTIOLib.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.0" />
+    <FileAttrib ID="ID_FILEATTRIB_NVOCLOCK" FriendlyName="Nvidia nvoclock\29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36 FileAttribute" FileName="nvoclock.sys" MinimumFileVersion="7.0.0.32" />
     <FileAttrib ID="ID_FILEATTRIB_NVFLASH" FriendlyName="Nvidia NVFlash FileAttribute" FileName="nvflash.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.9.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_OPENLIBSYS" FriendlyName="OpenLibSys\91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c FileAttribute" FileName="OpenLibSys.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_PANIO_1" FriendlyName="PanIOx64\6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74 FileAttribute" FileName="PanIOx64.sys" MinimumFileVersion="1.0.0.1" />
@@ -1353,6 +1528,7 @@ To check that the policy was successfully applied on your computer:
       <FileAttribRef RuleID="ID_FILEATTRIB_LIBNICM_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_NICM_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_NSCM_DRIVER" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_NVOCLOCK" />
       <FileAttribRef RuleID="ID_FILEATTRIB_TREND_MICRO" />
       <FileAttribRef RuleID="ID_FILEATTRIB_NCHGBIOS2X64" />
       <FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
@@ -1476,6 +1652,7 @@ To check that the policy was successfully applied on your computer:
       <FileAttribRef RuleID="ID_FILEATTRIB_CPUZ_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_IQVW64" />
       <FileAttribRef RuleID="ID_FILEATTRIB_MTCBSV64" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_NVOCLOCK" />
       <FileAttribRef RuleID="ID_FILEATTRIB_PCDOC" />
       <FileAttribRef RuleID="ID_FILEATTRIB_ZEMANA_1" />
       <FileAttribRef RuleID="ID_FILEATTRIB_ZEMANA_2" />
@@ -1994,6 +2171,11 @@ To check that the policy was successfully applied on your computer:
       <CertPublisher Value="HP Inc." />
       <FileAttribRef RuleID="ID_FILEATTRIB_ETDSUPPORT" />
     </Signer>
+    <Signer ID="ID_SIGNER_NVOCLOCK" Name="GeoTrust TrustCenter CodeSigning CA I">
+      <CertRoot Type="TBS" Value="172F39BCA3DDA7C6D5169C96B34A5FE7E96FF0BD" />
+      <CertPublisher Value="Micro-Star Int'l Co., Ltd." />
+      <FileAttribRef RuleID="ID_FILEATTRIB_NVOCLOCK" />
+    </Signer>
     <Signer ID="ID_SIGNER_CPUZ_1" Name="DigiCert EV Code Signing CA">
       <CertRoot Type="TBS" Value="2D54C16A8F8B69CCDEA48D0603C132F547A5CF75" />
       <CertPublisher Value="CPUID S.A.R.L.U." />
@@ -2195,6 +2377,7 @@ To check that the policy was successfully applied on your computer:
           <DeniedSigner SignerId="ID_SIGNER_NVFLASH" />
           <DeniedSigner SignerId="ID_SIGNER_NVFLASH_2" />
           <DeniedSigner SignerId="ID_SIGNER_NVFLASH_3" />
+          <DeniedSigner SignerId="ID_SIGNER_NVOCLOCK" />
           <DeniedSigner SignerId="ID_SIGNER_OPENLIBSYS"/>
           <DeniedSigner SignerId="ID_SIGNER_PAN" />
           <DeniedSigner SignerId="ID_SIGNER_PAVEL_Y_1" />
@@ -2811,6 +2994,10 @@ To check that the policy was successfully applied on your computer:
           <FileRuleRef RuleID="ID_DENY_EIO64_6" />
           <FileRuleRef RuleID="ID_DENY_EIO64_7" />
           <FileRuleRef RuleID="ID_DENY_EIO64_8" />
+          <FileRuleRef RuleID="ID_DENY_GVCIDRV_1" />
+          <FileRuleRef RuleID="ID_DENY_GVCIDRV_2" />
+          <FileRuleRef RuleID="ID_DENY_GVCIDRV_3" />
+          <FileRuleRef RuleID="ID_DENY_GVCIDRV_4" />
           <FileRuleRef RuleID="ID_DENY_HW_22" />
           <FileRuleRef RuleID="ID_DENY_HW_23" />
           <FileRuleRef RuleID="ID_DENY_HW_24" />
@@ -2840,6 +3027,90 @@ To check that the policy was successfully applied on your computer:
           <FileRuleRef RuleID="ID_DENY_INPOUTX_21" />
           <FileRuleRef RuleID="ID_DENY_INPOUTX_22" />
           <FileRuleRef RuleID="ID_DENY_INPOUTX_23" />
+          <FileRuleRef RuleID="ID_DENY_IREC_1" />
+          <FileRuleRef RuleID="ID_DENY_IREC_2" />
+          <FileRuleRef RuleID="ID_DENY_IREC_3" />
+          <FileRuleRef RuleID="ID_DENY_IREC_4" />
+          <FileRuleRef RuleID="ID_DENY_IREC_5" />
+          <FileRuleRef RuleID="ID_DENY_IREC_6" />
+          <FileRuleRef RuleID="ID_DENY_IREC_7" />
+          <FileRuleRef RuleID="ID_DENY_IREC_8" />
+          <FileRuleRef RuleID="ID_DENY_IREC_9" />
+          <FileRuleRef RuleID="ID_DENY_IREC_A" />
+          <FileRuleRef RuleID="ID_DENY_IREC_B" />
+          <FileRuleRef RuleID="ID_DENY_IREC_C" />
+          <FileRuleRef RuleID="ID_DENY_IREC_D" />
+          <FileRuleRef RuleID="ID_DENY_IREC_E" />
+          <FileRuleRef RuleID="ID_DENY_IREC_F" />
+          <FileRuleRef RuleID="ID_DENY_IREC_10" />
+          <FileRuleRef RuleID="ID_DENY_IREC_11" />
+          <FileRuleRef RuleID="ID_DENY_IREC_12" />
+          <FileRuleRef RuleID="ID_DENY_IREC_13" />
+          <FileRuleRef RuleID="ID_DENY_IREC_14" />
+          <FileRuleRef RuleID="ID_DENY_IREC_15" />
+          <FileRuleRef RuleID="ID_DENY_IREC_16" />
+          <FileRuleRef RuleID="ID_DENY_IREC_17" />
+          <FileRuleRef RuleID="ID_DENY_IREC_18" />
+          <FileRuleRef RuleID="ID_DENY_IREC_19" />
+          <FileRuleRef RuleID="ID_DENY_IREC_1A" />
+          <FileRuleRef RuleID="ID_DENY_IREC_1B" />
+          <FileRuleRef RuleID="ID_DENY_IREC_1C" />
+          <FileRuleRef RuleID="ID_DENY_IREC_1D" />
+          <FileRuleRef RuleID="ID_DENY_IREC_1E" />
+          <FileRuleRef RuleID="ID_DENY_IREC_1F" />
+          <FileRuleRef RuleID="ID_DENY_IREC_20" />
+          <FileRuleRef RuleID="ID_DENY_IREC_21" />
+          <FileRuleRef RuleID="ID_DENY_IREC_22" />
+          <FileRuleRef RuleID="ID_DENY_IREC_23" />
+          <FileRuleRef RuleID="ID_DENY_IREC_24" />
+          <FileRuleRef RuleID="ID_DENY_IREC_25" />
+          <FileRuleRef RuleID="ID_DENY_IREC_26" />
+          <FileRuleRef RuleID="ID_DENY_IREC_27" />
+          <FileRuleRef RuleID="ID_DENY_IREC_28" />
+          <FileRuleRef RuleID="ID_DENY_IREC_29" />
+          <FileRuleRef RuleID="ID_DENY_IREC_2A" />
+          <FileRuleRef RuleID="ID_DENY_IREC_2B" />
+          <FileRuleRef RuleID="ID_DENY_IREC_2C" />
+          <FileRuleRef RuleID="ID_DENY_IREC_2D" />
+          <FileRuleRef RuleID="ID_DENY_IREC_2E" />
+          <FileRuleRef RuleID="ID_DENY_IREC_2F" />
+          <FileRuleRef RuleID="ID_DENY_IREC_30" />
+          <FileRuleRef RuleID="ID_DENY_IREC_31" />
+          <FileRuleRef RuleID="ID_DENY_IREC_32" />
+          <FileRuleRef RuleID="ID_DENY_IREC_33" />
+          <FileRuleRef RuleID="ID_DENY_IREC_34" />
+          <FileRuleRef RuleID="ID_DENY_IREC_35" />
+          <FileRuleRef RuleID="ID_DENY_IREC_36" />
+          <FileRuleRef RuleID="ID_DENY_IREC_37" />
+          <FileRuleRef RuleID="ID_DENY_IREC_38" />
+          <FileRuleRef RuleID="ID_DENY_IREC_39" />
+          <FileRuleRef RuleID="ID_DENY_IREC_3A" />
+          <FileRuleRef RuleID="ID_DENY_IREC_3B" />
+          <FileRuleRef RuleID="ID_DENY_IREC_3C" />
+          <FileRuleRef RuleID="ID_DENY_IREC_3D" />
+          <FileRuleRef RuleID="ID_DENY_IREC_3E" />
+          <FileRuleRef RuleID="ID_DENY_IREC_3F" />
+          <FileRuleRef RuleID="ID_DENY_IREC_40" />
+          <FileRuleRef RuleID="ID_DENY_IREC_41" />
+          <FileRuleRef RuleID="ID_DENY_IREC_42" />
+          <FileRuleRef RuleID="ID_DENY_IREC_43" />
+          <FileRuleRef RuleID="ID_DENY_IREC_44" />
+          <FileRuleRef RuleID="ID_DENY_IREC_45" />
+          <FileRuleRef RuleID="ID_DENY_IREC_46" />
+          <FileRuleRef RuleID="ID_DENY_IREC_47" />
+          <FileRuleRef RuleID="ID_DENY_IREC_48" />
+          <FileRuleRef RuleID="ID_DENY_IREC_49" />
+          <FileRuleRef RuleID="ID_DENY_IREC_4A" />
+          <FileRuleRef RuleID="ID_DENY_IREC_4B" />
+          <FileRuleRef RuleID="ID_DENY_IREC_4C" />
+          <FileRuleRef RuleID="ID_DENY_IREC_4D" />
+          <FileRuleRef RuleID="ID_DENY_IREC_4E" />
+          <FileRuleRef RuleID="ID_DENY_IREC_4F" />
+          <FileRuleRef RuleID="ID_DENY_IREC_50" />
+          <FileRuleRef RuleID="ID_DENY_IREC_51" />
+          <FileRuleRef RuleID="ID_DENY_IREC_52" />
+          <FileRuleRef RuleID="ID_DENY_IREC_53" />
+          <FileRuleRef RuleID="ID_DENY_IREC_54" />
           <FileRuleRef RuleID="ID_DENY_KLMD" />
           <FileRuleRef RuleID="ID_DENY_LGCORETEMP_1" />
           <FileRuleRef RuleID="ID_DENY_LGCORETEMP_2" />
@@ -3039,6 +3310,26 @@ To check that the policy was successfully applied on your computer:
           <FileRuleRef RuleID="ID_DENY_NVFLASH_6A" />
           <FileRuleRef RuleID="ID_DENY_NVFLASH_6B" />
           <FileRuleRef RuleID="ID_DENY_NVFLASH_6C" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_1" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_2" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_3" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_4" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_5" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_6" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_7" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_8" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_9" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_10" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_11" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_12" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_13" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_14" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_15" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_16" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_17" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_18" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_19" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_20" />
           <FileRuleRef RuleID="ID_DENY_OTIPCIBUS_1" />
           <FileRuleRef RuleID="ID_DENY_OTIPCIBUS_2" />
           <FileRuleRef RuleID="ID_DENY_OTIPCIBUS_3" />
@@ -3065,6 +3356,22 @@ To check that the policy was successfully applied on your computer:
           <FileRuleRef RuleID="ID_DENY_PHYMEMX64_SHA256" />
           <FileRuleRef RuleID="ID_DENY_PHYMEMX64_SHA1_PAGE" />
           <FileRuleRef RuleID="ID_DENY_PHYMEMX64_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_0" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_1" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_2" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_3" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_4" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_5" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_6" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_7" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_8" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_9" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_A" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_B" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_C" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_D" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_E" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_F" />
           <FileRuleRef RuleID="ID_DENY_SEMAV6MSR64_SHA1" />
           <FileRuleRef RuleID="ID_DENY_SEMAV6MSR64_SHA256" />
           <FileRuleRef RuleID="ID_DENY_SEMAV6MSR64_SHA1_PAGE" />
@@ -3325,6 +3632,56 @@ To check that the policy was successfully applied on your computer:
           <FileRuleRef RuleID="ID_DENY_WINIO_32" />
           <FileRuleRef RuleID="ID_DENY_WINIO_33" />
           <FileRuleRef RuleID="ID_DENY_WINIO_34" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_35" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_36" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_37" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_38" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_39" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_40" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_41" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_42" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_43" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_44" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_45" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_46" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_47" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_48" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_49" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_50" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_51" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_52" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_53" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_54" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_55" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_56" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_57" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_58" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_59" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_60" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_61" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_62" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_63" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_64" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_65" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_66" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_67" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_68" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_69" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_70" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_71" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_72" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_73" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_74" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_75" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_76" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_77" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_78" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_79" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_80" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_81" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_82" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_83" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_84" />
           <FileRuleRef RuleID="ID_DENY_PROCESSHACKER" />
           <FileRuleRef RuleID="ID_DENY_AMP" />
           <FileRuleRef RuleID="ID_DENY_ASMMAP" />
@@ -3357,7 +3714,7 @@ To check that the policy was successfully applied on your computer:
     </Setting>
     <Setting Provider="PolicyInfo" Key="Information" ValueName="Id">
       <Value>
-        <String>10.0.25930.0</String>
+        <String>10.0.25965.0</String>
       </Value>
     </Setting>
   </Settings>
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
index a5798f2f02..68d101d832 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
@@ -47,6 +47,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
 | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator.<br/> NOTE: This option is only supported on Windows 10, version 1903 and later, or Windows Server 2022 and later. | Yes |
 | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries.<br/> NOTE: This option is only supported on Windows 10, version 1803 and later, or Windows Server 2019 and later. | No |
 | **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with revoked certificates, or expired certificates with the Lifetime Signing EKU on the signature, as "Unsigned binaries" for user-mode process/components, under enterprise signing scenarios. | No |
+| **Enabled:Developer Mode Dynamic Code Trust** | Use this option to trust UWP apps that are [debugged in Visual Studio](/visualstudio/debugger/run-windows-store-apps-on-a-remote-machine) or deployed through device portal when Developer Mode is enabled on the system. | No |
 
 ## Windows Defender Application Control file rule levels
 
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md
index 170525c906..729ecd07ee 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md
@@ -1,42 +1,71 @@
 ---
-title: Managing CI Policies and Tokens with CiTool
-description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands in CiTool
-ms.topic: how-to
-ms.date: 04/05/2023
+title: Managing CI policies and tokens with CiTool
+description: Learn how to use policy commands, token commands, and miscellaneous commands in CiTool
+ms.topic: reference
+ms.date: 10/02/2023
 appliesto:
 - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
 ---
 
 # CiTool technical reference
 
-CiTool makes Windows Defender Application Control (WDAC) policy management easier for IT admins.  CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. This article describes how to use CiTool to update and manage policies.  CiTool is currently included as part of the Windows image in Windows 11 version 22H2.
+CiTool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. You can use this tool to manage Windows Defender Application Control policies and CI tokens. This article describes how to use CiTool to update and manage policies. It's currently included as part of the Windows image in Windows 11, version 22H2.
 
-## Policy Commands
+## Policy commands
 
 | Command | Description | Alias |
 |--------|---------|---------|
-| --update-policy `</Path/To/Policy/File>` | Add or update a policy on the current system | -up |
-| --remove-policy `<PolicyGUID>` | Remove a policy indicated by PolicyGUID from the system | -rp |
-| --list-policies | Dump information about all policies on the system, whether they're active or not | -lp |
+| `--update-policy </Path/To/Policy/File>` | Add or update a policy on the current system. | `-up` |
+| `--remove-policy <PolicyGUID>` | Remove a policy indicated by PolicyGUID from the system. | `-rp` |
+| `--list-policies` | Dump information about all policies on the system, whether they're active or not. | `-lp` |
 
-## Token Commands
+## Token commands
 
 | Command | Description | Alias |
 |--------|---------|---------|
-| --add-token `<Path/To/Token/File>` <--token-id ID> | Deploy a token onto the current system, with an optional specific ID. | -at |
-| --remove-token `<ID>` | Remove a Token indicated by ID from the system. | -rt |
-| --list-tokens | Dump information about all tokens on the system | -lt |
+| `--add-token <Path/To/Token/File> <--token-id ID>` | Deploy a token onto the current system, with an optional specific ID. | `-at` |
+| `--remove-token <ID>` | Remove a token indicated by ID from the system. | `-rt` |
+| `--list-tokens` | Dump information about all tokens on the system. | `-lt` |
 
 > [!NOTE]
-> Regarding `--add-token`, if `<ID>` is specified, a pre-existing token with `<ID>` should not exist.
+> Regarding `--add-token`, if `<ID>` is specified, a pre-existing token with `<ID>` shouldn't exist.
 
-## Miscellaneous Commands
+## Miscellaneous commands
 
 | Command | Description | Alias |
 |--------|---------|---------|
-| --device-id | Dump the Code Integrity Device ID | -id |
-| --refresh | Attempt to Refresh WDAC Policies | -r |
-| --help | Display the tool's help menu | -h |
+| `--device-id` | Dump the code integrity device ID. | `-id` |
+| `--refresh` | Attempt to refresh WDAC policies. | `-r` |
+| `--help` | Display the tool's help menu. | `-h` |
+
+## Output attributes and descriptions
+
+### List policies (`--list-policies`)
+
+```output
+    Policy ID: d2bda982-ccf6-4344-ac5b-0b44427b6816
+    Base Policy ID: d2bda982-ccf6-4344-ac5b-0b44427b6816
+    Friendly Name: Microsoft Windows Driver Policy
+    Version: 2814751463178240
+    Platform Policy: true
+    Policy is Signed: true
+    Has File on Disk: false
+    Is Currently Enforced: true
+    Is Authorized: true
+    Status: 0
+```
+
+| Attribute | Description | Example value |
+|--------|---------|---------|
+| Policy ID | Lists the ID of the policy. | `d2bda982-ccf6-4344-ac5b-0b44427b6816` |
+| Base Policy ID | Lists the ID of the base policy. | `d2bda982-ccf6-4344-ac5b-0b44427b6816` |
+| Friendly Name | Value listed in `<Setting Provider="PolicyInfo" Key="Information" ValueName="Name">` | `Microsoft Windows Driver Policy` |
+| Version | Version of the policy listed in `<VersionEx>` | `2814751463178240` |
+| Platform Policy | Indicates whether the policy is provided by Microsoft, for example in the vulnerable driver blocklist policy. | `true` |
+| Policy is Signed | Indicates whether the policy has a valid signature. | `true` |
+| Has File on Disk | Indicates whether the policy file is currently on the disk. | `false` |
+| Is Currently Enforced | Indicates whether the policy file is active. | `true` |
+| Is Authorized | If the policy requires a token to be activated, this value is the state of authorization for the token. If the policy doesn't require a token, this value matches the value for the **Is Currently Enforced** property. | `true` |
 
 ## Examples
 
diff --git a/windows/security/cloud-security/toc.yml b/windows/security/cloud-security/toc.yml
index 7c46b6e146..4132706858 100644
--- a/windows/security/cloud-security/toc.yml
+++ b/windows/security/cloud-security/toc.yml
@@ -1,7 +1,7 @@
 items:
 - name: Overview
   href: index.md
-- name: Join Active Directory and Azure AD with single sign-on (SSO) 🔗
+- name: Join Active Directory and Microsoft Entra ID with single sign-on (SSO) 🔗
   href: /azure/active-directory/devices/concept-azure-ad-join
 - name: Security baselines with Intune 🔗
   href: /mem/intune/protect/security-baselines
@@ -15,4 +15,3 @@ items:
   href: /windows/deployment/windows-autopatch
 - name: Windows Autopilot 🔗
   href: /windows/deployment/windows-autopilot
-
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 817a43769a..040348819b 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -65,7 +65,10 @@
         "dstrome",
         "v-dihans",
         "garycentric",
-        "beccarobins"
+        "beccarobins",
+        "Stacyrch140",
+        "v-stsavell",
+        "American-Dipper"
       ],
       "searchScope": [
         "Windows 10"
@@ -235,4 +238,4 @@
     "dest": "security",
     "markdownEngineName": "markdig"
   }
-}
\ No newline at end of file
+}
diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
index 17cc685415..a3404e644a 100644
--- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
@@ -49,8 +49,6 @@ To enable memory integrity on Windows devices with supporting hardware throughou
 
 Beginning with Windows 11 22H2, **Windows Security** shows a warning if memory integrity is turned off. The warning indicator also appears on the Windows Security icon in the Windows Taskbar and in the Windows Notification Center. The user can dismiss the warning from within **Windows Security**.
 
-To proactively dismiss the memory integrity warning, you can set the **Hardware_HVCI_Off** (DWORD) registry value under `HKLM\SOFTWARE\Microsoft\Windows Security Health\State` to 0. After you change the registry value, you must restart the device for the change to take effect.
-
 ### Enable memory integrity using Intune
 
 Enabling in Intune requires using the Code Integrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology). You can configure these settings by using the [settings catalog](/mem/intune/configuration/settings-catalog).
diff --git a/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md b/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md
index b150c5e788..e75ebe55d6 100644
--- a/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md
@@ -57,7 +57,7 @@ For TPM-based virtual smart cards, the TPM protects the use and storage of the c
 
 Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. In addition, username/password solutions for authentication often reuse the same credential combinations on multiple devices and services. If those credentials are compromised, they are compromised in multiple places. Windows Hello for Business combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. On a system that has a TPM, the TPM can protect the key. If a system does not have a TPM, software-based techniques protect the key. The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices.
 
-The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. Windows Hello for Business lets users authenticate with their existing Microsoft account, an Active Directory account, a Microsoft Azure Active Directory account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](https://go.microsoft.com/fwlink/p/?LinkId=533889).
+The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. Windows Hello for Business lets users authenticate with their existing Microsoft account, an Active Directory account, a Microsoft Entra account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](https://go.microsoft.com/fwlink/p/?LinkId=533889).
 
 Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1):
 
diff --git a/windows/security/hardware-security/tpm/tpm-recommendations.md b/windows/security/hardware-security/tpm/tpm-recommendations.md
index a4d4b53a79..afea335006 100644
--- a/windows/security/hardware-security/tpm/tpm-recommendations.md
+++ b/windows/security/hardware-security/tpm/tpm-recommendations.md
@@ -104,7 +104,7 @@ The following table defines which Windows features require TPM support.
  Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
  Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with Windows Defender System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement of this enhanced security for customers.
  Device Health Attestation| Yes | Yes | Yes | TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated.
- Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage.
+ Windows Hello/Windows Hello for Business| No | Yes | Yes | Microsoft Entra join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage.
  UEFI Secure Boot | No | Yes | Yes
  TPM Platform Crypto Provider Key Storage Provider| Yes | Yes | Yes
  Virtual Smart Card | Yes | Yes | Yes
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index efbf40ef92..0cc106f7cb 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -39,7 +39,7 @@ This content set contains:
   - [Service Accounts](/windows-server/identity/ad-ds/manage/understand-service-accounts)
   - [Active Directory Security Groups](/windows-server/identity/ad-ds/manage/understand-security-groups)
 
-[!INCLUDE [access-control-aclsscals](../../../../includes/licensing/access-control-aclsscals.md)]
+[!INCLUDE [access-control-aclsacl](../../../../includes/licensing/access-control-aclsacl.md)]
 
 ## Practical applications
 
diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index 26ee36124b..dbf52336f8 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -209,19 +209,6 @@ The following issue affects the Java GSS API. See the following Oracle bug datab
 
 When Credential Guard is enabled on Windows, the Java GSS API doesn't authenticate. Credential Guard blocks specific application authentication capabilities and doesn't provide the TGT session key to applications, regardless of registry key settings. For more information, see [Application requirements](index.md#application-requirements).
 
-The following issue affects McAfee Application and Change Control (MACC):
-
-- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kcm.trellix.com/corporate/index?page=content&id=KB88869)
-
-The following issue affects Citrix applications:
-
-- Windows machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled.
-
-> [!NOTE]
-> Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled devices to exhibit high CPU usage. For technical and troubleshooting information, see [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage).
->
-> For more technical information on LSAISO.exe, see [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes).
-
 #### Vendor support
 
 The following products and services don't support Credential Guard:
diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md
index 69eef9c3f9..f69a8b0486 100644
--- a/windows/security/identity-protection/credential-guard/how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/how-it-works.md
@@ -28,7 +28,7 @@ Some ways to store credentials aren't protected by Credential Guard, including:
 - Third-party security packages
 - When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Credential Guard with any of these protocols
     > [!CAUTION]
-    > It's recommended that valuable credentials, such as the sign-in credentials, aren't used with NTLMv1, MS-CHAPv2, Digest, or CredSSP protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
+    > It's recommended that valuable credentials, such as the sign-in credentials, aren't used with NTLMv1, MS-CHAPv2, Digest, or CredSSP protocols. If these protocols must be used by domain or Microsoft Entra users, secondary credentials should be provisioned for these use cases.
 - Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well
 - Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is protected
 - When Credential Guard is enabled, Kerberos doesn't allow *unconstrained Kerberos delegation* or *DES encryption*, not only for signed-in credentials, but also prompted or saved credentials
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index cf9c8484b0..a99c25dc3c 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -30,7 +30,7 @@ The policy setting has three components:
 ## Configure unlock factors
 
 > [!CAUTION]
-> On Windows 11, when the [DontDisplayLastUserName](/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name) security policy is enabled, it is known to interfere with the ability to use multi factor unlock.
+> When the [DontDisplayLastUserName](/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name) security policy is enabled, it is known to interfere with the ability to use multi factor unlock.
 
 The **First unlock factor credential providers** and **Second unlock factor credential providers** portion of the policy setting each contain a comma separated list of credential providers.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
index 64d320047f..58eac4892c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@@ -1,9 +1,8 @@
 ---
 title: Windows Hello for Business cloud-only deployment
 description: Learn how to configure Windows Hello for Business in a cloud-only deployment scenario.
-ms.date: 06/23/2021
+ms.date: 10/03/2023
 ms.topic: how-to
-ms.custom: has-azure-ad-ps-ref
 ---
 # Cloud-only deployment
 
@@ -11,34 +10,34 @@ ms.custom: has-azure-ad-ps-ref
 
 ## Introduction
 
-When you Azure Active Directory (Azure AD) join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud-only environment, there's no additional configuration needed.
+When you Microsoft Entra join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in a cloud-only environment, there's no additional configuration needed.
 
-You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below.
+You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. This article describes how to disable Windows Hello for Business enrollment in a cloud only environment.
 
 > [!NOTE]
-> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don't have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts.
+> During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you will see a provisioning PIN when you don't have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts.
 
 ## Prerequisites
 
-Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
+Cloud only deployments will use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no additional MFA configuration needed. If you aren't already registered in MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
 
 The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#azure-ad-cloud-only-deployment).
 
-Also note that it's possible for federated domains to enable the *Supports MFA* flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge.
+It's possible for federated domains to configure the *FederatedIdpMfaBehavior* flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see [federatedIdpMfaBehavior values](/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values). To check this setting, use the following PowerShell command:
 
-Check and view this setting with the following MSOnline PowerShell command:
+```powershell
+Connect-MgGraph
+$DomainId = "<your federated domain name>"
+Get-MgDomainFederationConfiguration -DomainId $DomainId |fl
+```
 
-`Get-MsolDomainFederationSettings -DomainName <your federated domain name>`
+To reject the MFA claim from the federated IdP, use the following command. This change impacts all MFA scenarios for the federated domain.
 
-To disable this setting, run the following command. This change impacts ALL Azure AD MFA scenarios for this federated domain.
+```powershell
+Update-MgDomainFederationConfiguration -DomainId $DomainId -FederatedIdpMfaBehavior rejectMfaByFederatedIdp
+```
 
-`Set-MsolDomainFederationSettings -DomainName <your federated domain name> -SupportsMfa $false`
-
-Example:
-
-`Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMfa $false`
-
-If you use this Supports MFA switch with value **True**, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP.
+If you use configure the flag with a value of either `acceptIfMfaDoneByFederatedIdp` (default) or `enforceMfaByFederatedIdp`, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IdP.
 
 ## Use Intune to disable Windows Hello for Business enrollment
 
@@ -59,11 +58,11 @@ The following method explains how to disable Windows Hello for Business enrollme
 
 ## Disable Windows Hello for Business enrollment without Intune
 
-If you don't use Intune in your organization, then you can disable Windows Hello for Business using the registry. You can use a third-party MDM, or some other method that you use to manage these devices. Because these systems are Azure AD Joined only, and not domain joined, these settings can also be made manually in the registry.
+If you don't use Intune in your organization, then you can disable Windows Hello for Business using the registry. You can use a third-party MDM, or some other method that you use to manage these devices. Because these systems are Microsoft Entra joined only, and not domain joined, these settings can also be made manually in the registry.
 
 Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies`**
 
-To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:
+To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:
 
 ```msgraph-interactive
 GET https://graph.microsoft.com/v1.0/organization?$select=id
@@ -83,12 +82,3 @@ These registry settings can be applied from Local or Group Policies:
 - Value = **0** for Disable or Value = **1** for Enable
 
 If there's a conflicting Device policy and User policy, the User policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results.
-
-## Related reference documents for Azure AD join scenarios
-
-- [Azure AD-joined devices](/azure/active-directory/devices/concept-azure-ad-join)
-- [Plan your Azure Active Directory device deployment](/azure/active-directory/devices/plan-device-deployment)
-- [How to: Plan your Azure AD join implementation](/azure/active-directory/devices/azureadjoin-plan)
-- [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin)
-- [Manage device identities using the Azure portal](/azure/active-directory/devices/device-management-azure-portal)
-- [Azure AD Join Single Sign-on Deployment](hello-hybrid-aadj-sso.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index 83576f884f..087d2813e3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -1,6 +1,6 @@
 ---
 title: Validate and Deploy MFA for Windows Hello for Business with certificate trust
-description: Validate and deploy multi-factor authentication (MFA) for Windows Hello for Business in an on-premises certificate trust model.
+description: Validate and deploy multifactor authentication (MFA) for Windows Hello for Business in an on-premises certificate trust model.
 ms.date: 09/07/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
@@ -11,21 +11,21 @@ appliesto:
 ms.topic: tutorial
 ---
 
-# Validate and deploy multi-factor authentication - on-premises certificate trust
+# Validate and deploy multifactor authentication - on-premises certificate trust
 
 [!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
 
-Windows Hello for Business requires users perform multi-factor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
+Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
 
 - third-party authentication providers for AD FS
 - custom authentication provider for AD FS
 
 > [!IMPORTANT]
-> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
+> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Microsoft Entra multifactor authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
 
 For information about third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). To create a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method).
 
-Follow the integration and deployment guide for the authentication provider you plan to integrate to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies, see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
+Follow the integration and deployment guide for the authentication provider you plan to integrate to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies, see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
 
 > [!div class="nextstepaction"]
-> [Next: configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
\ No newline at end of file
+> [Next: configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index aef79952c9..8b24e78f64 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -30,9 +30,9 @@ Do not begin your deployment until the hosting servers and infrastructure (not r
 
 ## Deployment and trust models
 
-Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key Trust*, *Certificate Trust*, and *cloud Kerberos trust*. On-premises deployment models only support *Key Trust* and *Certificate Trust*.
+Windows Hello for Business has three deployment models: Microsoft Entra cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key Trust*, *Certificate Trust*, and *cloud Kerberos trust*. On-premises deployment models only support *Key Trust* and *Certificate Trust*.
 
-Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.
+Hybrid deployments are for enterprises that use Microsoft Entra ID. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Microsoft Entra ID must use the hybrid deployment model for all domains in that forest.
 
 The trust model determines how you want users to authenticate to the on-premises Active Directory:
 
@@ -46,14 +46,14 @@ The trust model determines how you want users to authenticate to the on-premises
 
 Following are the various deployment guides and models included in this topic:
 
-- [Hybrid Azure AD Joined cloud Kerberos trust Deployment](hello-hybrid-cloud-kerberos-trust.md)
-- [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
-- [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
-- [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
+- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hello-hybrid-cloud-kerberos-trust.md)
+- [Microsoft Entra hybrid joined Key Trust Deployment](hello-hybrid-key-trust.md)
+- [Microsoft Entra hybrid joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
+- [Microsoft Entra join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
 - [On Premises Key Trust Deployment](hello-deployment-key-trust.md)
 - [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md)
 
-For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you will need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments.
+For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you will need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments.
 
 ## Provisioning
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index 7882589fd0..b5c4e51668 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -8,13 +8,15 @@ ms.topic: troubleshooting
 
 The content of this article is to help troubleshoot known deployment issues for Windows Hello for Business.
 
-## PIN reset on Azure AD join devices fails with *We can't open that page right now* error
+<a name='pin-reset-on-azure-ad-join-devices-fails-with-we-cant-open-that-page-right-now-error'></a>
 
-PIN reset on Azure AD-joined devices uses a flow called *web sign-in* to authenticate the user above lock. Web sign in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message *We can't open that page right now*.
+## PIN reset on Microsoft Entra join devices fails with *We can't open that page right now* error
+
+PIN reset on Microsoft Entra joined devices uses a flow called *web sign-in* to authenticate the user above lock. Web sign in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message *We can't open that page right now*.
 
 ### Identify PIN Reset allowed domains issue
 
-The user can launch the PIN reset flow from the lock screen using the *I forgot my PIN* link in the PIN credential provider. Selecting the link launches a full screen UI for the PIN experience on Azure AD Join devices. Typically, the UI displays an Azure authentication page, where the user authenticates using Azure AD credentials and completes MFA.
+The user can launch the PIN reset flow from the lock screen using the *I forgot my PIN* link in the PIN credential provider. Selecting the link launches a full screen UI for the PIN experience on Microsoft Entra join devices. Typically, the UI displays an Azure authentication page, where the user authenticates using Microsoft Entra credentials and completes MFA.
 
 In federated environments, authentication may be configured to route to AD FS or a third-party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it fails and displays the *We can't open that page right now* error, if the domain for the server page isn't included in an allowlist.
 
@@ -22,7 +24,7 @@ If you're a customer of *Azure US Government* cloud, PIN reset also attempts to
 
 ### Resolve PIN Reset allowed domains issue
 
-To resolve the error, you can configure a list of allowed domains for PIN reset using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [Configure allowed URLs for federated identity providers on Azure AD joined devices](hello-feature-pin-reset.md#configure-allowed-urls-for-federated-identity-providers-on-azure-ad-joined-devices).
+To resolve the error, you can configure a list of allowed domains for PIN reset using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [Configure allowed URLs for federated identity providers on Microsoft Entra joined devices](hello-feature-pin-reset.md#configure-allowed-urls-for-federated-identity-providers-on-azure-ad-joined-devices).
 
 ## Hybrid key trust sign in broken due to user public key deletion
 
@@ -32,11 +34,11 @@ Applies to:
 - Windows Server 2016, builds 14393.3930 to 14393.4048
 - Windows Server 2019, builds 17763.1457 to 17763.1613
 
-In Hybrid key trust deployments with domain controllers running certain builds of Windows Server 2016 and Windows Server 2019, the user's Windows Hello for Business key is deleted after they sign-in. Subsequent sign-ins will fail until the user's key is synced during the next Azure AD Connect delta sync cycle.
+In Hybrid key trust deployments with domain controllers running certain builds of Windows Server 2016 and Windows Server 2019, the user's Windows Hello for Business key is deleted after they sign-in. Subsequent sign-ins will fail until the user's key is synced during the next Microsoft Entra Connect delta sync cycle.
 
 ### Identify user public key deletion issue
 
-After the user provisions a Windows Hello for Business credential in a hybrid key trust environment, the key must sync from Azure AD to AD during an Azure AD Connect sync cycle. The user's public key is written to the `msDS-KeyCredentialLink` attribute of the user object.
+After the user provisions a Windows Hello for Business credential in a hybrid key trust environment, the key must sync from Microsoft Entra ID to Active Directory during a Microsoft Entra Connect Sync cycle. The user's public key is written to the `msDS-KeyCredentialLink` attribute of the user object.
 
 Before the user's Windows Hello for Business key syncs, sign-ins with Windows Hello for Business fail with the error message *That option is temporarily unavailable. For now, please use a different method to sign in.* After the key syncs successfully, the user can sign in and unlock with their PIN or enrolled biometrics.
 
@@ -48,14 +50,16 @@ After the initial sign-in attempt, the user's Windows Hello for Business public
 
 To resolve the issue, update Windows Server 2016 and 2019 domain controllers with the latest patches. For Windows Server 2016, the behavior is fixed in build *14393.4104* ([KB4593226](https://support.microsoft.com/help/4593226)) and later. For Windows Server 2019, the behavior is fixed in build *17763.1637* ([KB4592440](https://support.microsoft.com/help/4592440)).
 
-## Azure AD joined device access to on-premises resources using key trust and third-party Certificate Authority (CA)
+<a name='azure-ad-joined-device-access-to-on-premises-resources-using-key-trust-and-third-party-certificate-authority-ca'></a>
+
+## Microsoft Entra joined device access to on-premises resources using key trust and third-party Certificate Authority (CA)
 
 Applies to:
 
-- Azure AD joined key trust deployments
+- Microsoft Entra joined key trust deployments
 - Third-party certificate authority (CA) issuing domain controller certificates
 
-Windows Hello for Business uses smart-card based authentication for many operations. This type of authentication has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from an Azure AD Joined device does require special configuration when using a third-party CA to issue domain controller certificates.
+Windows Hello for Business uses smart-card based authentication for many operations. This type of authentication has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from a Microsoft Entra joined device does require special configuration when using a third-party CA to issue domain controller certificates.
 
 For more information, read [Guidelines for enabling smart card sign in with third-party certification authorities](/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities).
 
@@ -104,7 +108,7 @@ Domain controllers running early versions of Windows Server 2019 have an issue t
 
 On the client, authentication with Windows Hello for Business fails with the error message, *That option is temporarily unavailable. For now, please use a different method to sign in.*
 
-The error is presented on hybrid Azure AD-joined devices in key trust deployments after Windows Hello for Business is provisioned, but before a user's key is synced from Azure AD to AD. If a user's key isn't synced from Azure AD and the `msDS-keycredentiallink` attribute on the user object in AD is populated for NGC, then it's possible that the error occurs.
+The error is presented on Microsoft Entra hybrid joined devices in key trust deployments after Windows Hello for Business is provisioned, but before a user's key is synced from Microsoft Entra ID to Active Directory. If a user's key isn't synced from Microsoft Entra ID and the `msDS-keycredentiallink` attribute on the user object in AD is populated for NGC, then it's possible that the error occurs.
 
 Another indicator of the failure can be identified using network traces. If you capture network traces for a key trust sign-in event, the traces show Kerberos failing with the error *KDC_ERR_CLIENT_NAME_MISMATCH*.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
index 65be112a27..315ce4361f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@@ -18,13 +18,13 @@ This document describes Windows Hello for Business functionalities or scenarios
 Windows Hello for Business supports using a certificate as the supplied credential, when establishing a remote desktop connection to another Windows device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user:
 
 - Deploy certificates to hybrid joined devices using an on-premises Active Directory Certificate Services enrollment policy
-- Deploy certificates to hybrid or Azure AD-joined devices using Intune
+- Deploy certificates to hybrid or Microsoft Entra joined devices using Intune
 - Work with third-party PKIs
 
 ## Deploy certificates via Active Directory Certificate Services (AD CS)
 
 > [!NOTE]
-> This process is applicable to *hybrid Azure AD joined* devices only.
+> This process is applicable to *Microsoft Entra hybrid joined* devices only.
 
 To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a *certificate template*, and then deploy certificates based on that template.
 
@@ -77,7 +77,7 @@ Follow these steps to create a certificate template:
 
 ### Request a certificate
 
-1. Sign in to a client that is hybrid Azure AD joined, ensuring that the client has line of sight to a domain controller and the issuing CA
+1. Sign in to a client that is Microsoft Entra hybrid joined, ensuring that the client has line of sight to a domain controller and the issuing CA
 1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc`
 1. In the left pane of the MMC, right-click **Personal > All Tasks > Request New Certificate…**
 1. On the Certificate Enrollment screen, select **Next**
@@ -88,17 +88,17 @@ Follow these steps to create a certificate template:
 ## Deploy certificates via Intune
 
 > [!CAUTION]
-> This process is applicable to both *Azure AD joined* and *hybrid Azure AD joined* devices that are managed via Intune.
+> This process is applicable to both *Microsoft Entra joined* and *Microsoft Entra hybrid joined* devices that are managed via Intune.
 >
 > If you deploy certificates via Intune and configure Windows Hello for Business via group policy, the devices will fail to obtain a certificate, logging the error code `0x82ab0011` in the `DeviceManagement-Enterprise-Diagnostic-Provider` log.\
 > To avoid the error, configure Windows Hello for Business via Intune instead of group policy.
 
-Deploying a certificate to Azure AD joined or hybrid Azure AD joined devices may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PKCS (PFX) via Intune. For guidance deploying the required infrastructure, refer to:
+Deploying a certificate to Microsoft Entra joined or Microsoft Entra hybrid joined devices may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PKCS (PFX) via Intune. For guidance deploying the required infrastructure, refer to:
 
 - [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune][MEM-1]
 - [Configure and use PKCS certificates with Intune][MEM-2]
 
-Next, you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD joined Devices using a *Trusted root certificate* policy with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune][MEM-5].
+Next, you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Microsoft Entra joined Devices using a *Trusted root certificate* policy with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune][MEM-5].
 
 Once these requirements are met, a policy can be configured in Intune that provisions certificates for the users on the targeted device.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index e63b129275..d048d6409f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -22,15 +22,15 @@ When a user encounters an error when creating the work PIN, advise the user to t
 1. Try to create the PIN again. Some errors are transient and resolve themselves.
 2. Sign out, sign in, and try to create the PIN again.
 3. Reboot the device and then try to create the PIN again.
-4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a device, go to **Settings > System > About > Disconnect from organization**.
+4. Unjoin the device from Microsoft Entra ID, rejoin, and then try to create the PIN again. To unjoin a device, go to **Settings > System > About > Disconnect from organization**.
 
 If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance.
 
 | Hex        | Cause                                                              | Mitigation                                  |
 | :--------- | :----------------------------------------------------------------- | :------------------------------------------ |
-| 0x80090005 | NTE\_BAD\_DATA                                                     | Unjoin the device from Azure AD and rejoin. |
-| 0x8009000F | The container or key already exists.                               | Unjoin the device from Azure AD and rejoin. |
-| 0x80090011 | The container or key was not found.                                | Unjoin the device from Azure AD and rejoin. |
+| 0x80090005 | NTE\_BAD\_DATA                                                     | Unjoin the device from Microsoft Entra ID and rejoin. |
+| 0x8009000F | The container or key already exists.                               | Unjoin the device from Microsoft Entra ID and rejoin. |
+| 0x80090011 | The container or key was not found.                                | Unjoin the device from Microsoft Entra ID and rejoin. |
 | 0x80090029 | TPM is not set up.                                                 | Sign on with an administrator account. Select **Start**, type `tpm.msc`, and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. |
 | 0x8009002A | NTE\_NO\_MEMORY                                                    | Close programs which are taking up memory and try again. |
 | 0x80090031 | NTE\_AUTHENTICATION\_IGNORED                                       | Reboot the device. If the error occurs again after rebooting, [reset the TPM](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd851452(v=ws.11)) or run [Clear-TPM](/powershell/module/trustedplatformmodule/clear-tpm). |
@@ -50,11 +50,11 @@ If the error occurs again, check the error code against the following table to s
 | 0x801C03EA | Server failed to authorize user or device.                         | Check if the token is valid and user has permission to register Windows Hello for Business keys. |
 | 0x801C03EB | Server response http status is not valid                           | Sign out and then sign in again. |
 | 0x801C03EC | Unhandled exception from server.                                   | sign out and then sign in again. |
-| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed. <br><br> -or- <br><br> Token was not found in the Authorization header. <br><br> -or- <br><br> Failed to read one or more objects. <br><br> -or- <br><br> The request sent to the server was invalid. <br><br> -or- <br><br> User does not have permissions to join to Azure AD. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure  AD and rejoin. <br> Allow user(s) to join to Azure AD under Azure AD Device settings.
+| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed. <br><br> -or- <br><br> Token was not found in the Authorization header. <br><br> -or- <br><br> Failed to read one or more objects. <br><br> -or- <br><br> The request sent to the server was invalid. <br><br> -or- <br><br> User does not have permissions to join to Microsoft Entra ID. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure  AD and rejoin. <br> Allow user(s) to join to Microsoft Entra ID under Microsoft Entra Device settings.
 | 0x801C03EE | Attestation failed.                                                | Sign out and then sign in again. |
 | 0x801C03EF | The AIK certificate is no longer valid.                            | Sign out and then sign in again. |
-| 0x801C03F2 | Windows Hello key registration failed.                             | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Azure Active Directory and the Primary SMTP address are the same in the proxy address.
-| 0x801C044D | Authorization token does not contain device ID.                    | Unjoin the device from Azure AD and rejoin. |
+| 0x801C03F2 | Windows Hello key registration failed.                             | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Microsoft Entra ID and the Primary SMTP address are the same in the proxy address.
+| 0x801C044D | Authorization token does not contain device ID.                    | Unjoin the device from Microsoft Entra ID and rejoin. |
 |            | Unable to obtain user token.                                       | Sign out and then sign in again. Check network and credentials. |
 | 0x801C044E | Failed to receive user credentials input.                          | Sign out and then sign in again. |
 | 0x801C0451 | User token switch account. | Delete the Web Account Manager token broker files located in `%LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts\*.*\` and reboot.| 
@@ -86,6 +86,5 @@ For errors listed in this table, contact Microsoft Support for assistance.
 | 0x801C03F0  | ​There is no key registered for the user. |
 | 0x801C03F1  | ​There is no UPN in the token. |
 | ​0x801C044C  | There is no core window for the current thread. |
-| 0x801c004D  | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Azure Active Directory token for provisioning. Unable to enroll a device to use a PIN for login. |
+| 0x801c004D  | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Microsoft Entra token for provisioning. Unable to enroll a device to use a PIN for login. |
 | 0xCAA30193  | HTTP 403 Request Forbidden: it means request left the device, however either Server, proxy or firewall generated this response. |
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index ca9a3ac20d..661971662b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -36,7 +36,7 @@ sections:
       - question: What's a container?
         answer: |
           In the context of Windows Hello for Business, a container is a logical grouping of *key material* or data. Windows Hello uses a single container that holds user key material for personal accounts, including key material associated with the user's Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account.
-          The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD.
+          The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Microsoft Entra ID.
           
           > [!NOTE]
           > There are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials that Windows Hello stores, are protected without the creation of actual containers or folders.
@@ -46,7 +46,7 @@ sections:
 
           Containers can contain several types of key material:
             - An authentication key, which is always an asymmetric public-private key pair. This key pair is generated during registration. It must be unlocked each time it's accessed, by using either the user's PIN or a biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key.
-            - The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP key). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways:
+            - The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP key). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Microsoft Entra accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways:
               - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as VPN solutions, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container.
               - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don't have or need a PKI.
       - question: How are keys protected?
@@ -54,7 +54,7 @@ sections:
           Anytime key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There's a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Business implementation takes advantage of onboard TPM hardware to generate and protect keys. Administrators can choose to allow key operations in software, but it's recommended the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means the user will have to use MFA to reauthenticate to the IDP before the IDP allows re-registration). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed.
       - question: How does PIN caching work with Windows Hello for Business?
         answer: |
-          Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key. 
+          Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Microsoft Entra ID and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key. 
           
           Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN. 
           
@@ -70,9 +70,9 @@ sections:
           Since Windows Hello biometrics data is stored in encrypted format, no user, or any process other than Windows Hello has access to it.
       - question: What's the difference between non-destructive and destructive PIN reset?
         answer: |
-          Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 version 1903 and later and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without reprovisioning a new Windows Hello for Business enrollment. This flow is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md).
+          Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 version 1903 and later and Microsoft Entra ID can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without reprovisioning a new Windows Hello for Business enrollment. This flow is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md).
           
-          Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 version 1903 and later can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then  performing a second factor of authentication to reprovision their Windows Hello for Business credential. Reprovisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. For hybrid Azure Active Directory joined devices, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services.
+          Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 version 1903 and later can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then  performing a second factor of authentication to reprovision their Windows Hello for Business credential. Reprovisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. For Microsoft Entra hybrid joined devices, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services.
       - question: When is Windows Hello biometrics database file created? How is a user enrolled into Windows Hello face or fingerprint authentication?
         answer: |
           Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method, like a PIN. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start > Settings > Accounts > Sign-in** options. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can request users to enroll into Windows Hello during Autopilot or during the initial setup of the device. Admins can disallow users to enroll into biometrics via Windows Hello for Business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users.
@@ -123,7 +123,7 @@ sections:
           No. The movement away from passwords is accomplished by gradually reducing the use of the password. In situations where you can't authenticate by using biometrics, you need a fallback mechanism that isn't a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics.
       - question: What is Event ID 300?
         answer: |
-          This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. This is a normal condition and no further action is required.
+          This event is created when Windows Hello for Business is successfully created and registered with Microsoft Entra ID. Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. This is a normal condition and no further action is required.
       - question: What happens when an unauthorized user gains possession of a device enrolled in Windows Hello for Business?
         answer: |
           The unauthorized user won't be able to utilize any biometric options and will have the only option to enter a PIN.
@@ -142,12 +142,12 @@ sections:
       - question: How many users can enroll for Windows Hello for Business on a single Windows device?
         answer: |
           The maximum number of supported enrollments on a single device is 10. This lets 10 users each enroll their face and up to 10 fingerprints. For devices with more than 10 users, or for users that sign-in to many devices (for example, a support technician), it's recommended the use of FIDO2 security keys.
-      - question: I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model?
+      - question: I have extended Active Directory to Microsoft Entra ID. Can I use the on-premises deployment model?
         answer: |
           No. If your organization is using Microsoft cloud services, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory.
-      - question: What attributes are synchronized by Azure AD Connect with Windows Hello for Business?
+      - question: What attributes are synchronized by Microsoft Entra Connect with Windows Hello for Business?
         answer: |
-          Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include other attributes.
+          Review [Microsoft Entra Connect Sync: Attributes synchronized to Microsoft Entra ID](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include other attributes.
       - question: Can I use third-party MFA providers with Windows Hello for Business?
         answer: |
           Yes, if you're using federated hybrid deployment, you can use any third-party that provides an AD FS MFA adapter. A list of third-party MFA adapters can be found [here](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods).
@@ -170,27 +170,27 @@ sections:
       - question: Can I wear a mask to enroll or unlock using Windows Hello face authentication?
         answer: |
           Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this article further. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn't allow you to remove a mask temporarily, consider un-enrolling from face authentication and only using PIN or fingerprint.
-      - question: How does Windows Hello for Business work with Azure AD registered devices?
+      - question: How does Windows Hello for Business work with Microsoft Entra registered devices?
         answer: |
-          A user will be prompted to set up a Windows Hello for Business key on an Azure AD registered devices  if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using existing gestures.
+          A user will be prompted to set up a Windows Hello for Business key on a Microsoft Entra registered devices  if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using existing gestures.
 
-          If a user has signed into their Azure AD registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Azure AD resources. The Windows Hello for Business key meets Azure AD multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. 
+          If a user has signed into their Microsoft Entra registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Microsoft Entra resources. The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. 
 
-          It's possible to Azure AD register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business. 
+          It's possible to Microsoft Entra register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business. 
 
-          For more information, please read [Azure AD registered devices](/azure/active-directory/devices/concept-azure-ad-register).
+          For more information, please read [Microsoft Entra registered devices](/azure/active-directory/devices/concept-azure-ad-register).
       - question: Does Windows Hello for Business work with non-Windows operating systems?
         answer: |
           Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft isn't developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
-      - question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients?
+      - question: Does Windows Hello for Business work with Microsoft Entra Domain Services clients?
         answer: |
-          No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD DS.
+          No, Microsoft Entra Domain Services is a separately managed environment in Azure, and hybrid device registration with cloud Microsoft Entra ID isn't available for it via Microsoft Entra Connect. Hence, Windows Hello for Business doesn't work with Microsoft Entra Domain Services.
       - question: Is Windows Hello for Business considered multifactor authentication?
         answer: |
           Windows Hello for Business is two-factor authentication based on the observed authentication factors of: *something you have*, *something you know*, and *something that's part of you*. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
 
           > [!NOTE]
-          > The Windows Hello for Business key meets Azure AD multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
+          > The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
       - question: Which is a better or more secure for of authentication, key or certificate?
         answer: |
           Both types of authentication provide the same security; one is not more secure than the other.
@@ -200,9 +200,9 @@ sections:
       - question: What is convenience PIN?
         answer: |
           *Convenience PIN* provides a simpler way to sign in to Windows than passwords, but it still uses a password for authentication. When the correct convenience PIN is provided to Windows, the password information is loaded from its cache and authenticates the user. Organizations using convenience PINs should move to **Windows Hello for Business**. New Windows deployments should deploy Windows Hello for Business and not convenience PINs.
-      - question: Can I use a convenience PIN with Azure Active Directory?
+      - question: Can I use a convenience PIN with Microsoft Entra ID?
         answer: |
-          No. While it's possible to set a convenience PIN on Azure AD joined and hybrid Azure AD joined devices, convenience PIN isn't supported for Azure AD user accounts (including synchronized identities). Convenience PIN is only supported for on-premises Active Directory users and local account users.
+          No. While it's possible to set a convenience PIN on Microsoft Entra joined and Microsoft Entra hybrid joined devices, convenience PIN isn't supported for Microsoft Entra user accounts (including synchronized identities). Convenience PIN is only supported for on-premises Active Directory users and local account users.
       - question: What about virtual smart cards?
         answer: |
           Windows Hello for Business is the modern, two-factor authentication for Windows. Microsoft will deprecate virtual smart cards in the near future. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. Microsoft will publish the deprecation date to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows deployments use Windows Hello for Business.
@@ -231,7 +231,7 @@ sections:
     questions:
       - question: What is Windows Hello for Business cloud Kerberos trust?
         answer: |
-          Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
+          Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
       - question: Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment?
         answer: |
           This feature doesn't work in a pure on-premises AD domain services environment.
@@ -254,7 +254,7 @@ sections:
     questions:
       - question: Why does authentication fail immediately after provisioning hybrid key trust?
         answer: |
-          In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle.
+          In a hybrid deployment, a user's public key must sync from Microsoft Entra ID to Active Directory before it can be used to authenticate against a domain controller. This sync is handled by Microsoft Entra Connect and will occur during a normal sync cycle.
       - question: Can I use Windows Hello for Business key trust and RDP?
         answer: |
           Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Remote Credential Guard](../remote-credential-guard.md) without deploying certificates.
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index ab35e717f2..bf642eef73 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -26,7 +26,7 @@ Windows Hello for Business provides the capability for users to reset forgotten
 - Hybrid or cloud-only Windows Hello for Business deployments
 - Windows Enterprise, Education and Pro editions. There's no licensing requirement for this feature
 
-When non-destructive PIN reset is enabled on a client, a *256-bit AES* key is generated locally. The key is added to a user's Windows Hello for Business container and keys as the *PIN reset protector*. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it's then cleared from memory.
+When non-destructive PIN reset is enabled on a client, a *256-bit AES* key is generated locally. The key is added to a user's Windows Hello for Business container and keys as the *PIN reset protector*. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Microsoft Entra ID, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it's then cleared from memory.
 
 Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the Microsoft PIN reset service, which enables users to reset their forgotten PIN without requiring re-enrollment.
 
@@ -35,15 +35,17 @@ The following table compares destructive and non-destructive PIN reset:
 |Category|Destructive PIN reset|Non-Destructive PIN reset|
 |--- |--- |--- |
 |**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new sign in key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.|
-|**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust|
-|**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this option from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
-|**On Premises**|If AD FS is used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it's only available for hybrid Azure AD joined and Azure AD Joined devices.|
+|**Microsoft Entra joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust|
+|**Microsoft Entra hybrid joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this option from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
+|**On Premises**|If AD FS is used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Microsoft Entra identities, so it's only available for Microsoft Entra hybrid joined and Microsoft Entra joined devices.|
 |**Additional configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature.|
 |**MSA/Enterprise**|MSA and Enterprise|Enterprise only.|
 
-## Enable the Microsoft PIN Reset Service in your Azure AD tenant
+<a name='enable-the-microsoft-pin-reset-service-in-your-azure-ad-tenant'></a>
 
-Before you can use non-destructive PIN reset, you must register two applications in your Azure Active Directory tenant:
+## Enable the Microsoft PIN Reset Service in your Microsoft Entra tenant
+
+Before you can use non-destructive PIN reset, you must register two applications in your Microsoft Entra tenant:
 
 - Microsoft Pin Reset Service Production
 - Microsoft Pin Reset Client Production
@@ -52,7 +54,7 @@ To register the applications, follow these steps:
 
 :::row:::
   :::column span="3":::
-  1. Go to the [Microsoft PIN Reset Service Production website][APP-1], and sign in using a *Global Administrator* account you use to manage your Azure Active Directory tenant. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to give consent to the application to access your organization
+  1. Go to the [Microsoft PIN Reset Service Production website][APP-1], and sign in using a *Global Administrator* account you use to manage your Microsoft Entra tenant. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to give consent to the application to access your organization
   :::column-end:::
   :::column span="1":::
     :::image type="content" alt-text="Screenshot showing the PIN reset service permissions page." source="images/pinreset/pin-reset-service-prompt.png" lightbox="images/pinreset/pin-reset-service-prompt.png" border="true":::
@@ -60,7 +62,7 @@ To register the applications, follow these steps:
 :::row-end:::
 :::row:::
   :::column span="3":::
-  2. Go to the [Microsoft PIN Reset Client Production website][APP-2], and sign in using a *Global Administrator* account you use to manage your Azure Active Directory tenant. Review the permissions requested by the *Microsoft Pin Reset Client Production* application, and select **Next**.
+  2. Go to the [Microsoft PIN Reset Client Production website][APP-2], and sign in using a *Global Administrator* account you use to manage your Microsoft Entra tenant. Review the permissions requested by the *Microsoft Pin Reset Client Production* application, and select **Next**.
   :::column-end:::
   :::column span="1":::
     :::image type="content" alt-text="Screenshot showing the PIN reset client permissions page." source="images/pinreset/pin-reset-client-prompt.png" lightbox="images/pinreset/pin-reset-client-prompt.png" border="true":::
@@ -70,7 +72,7 @@ To register the applications, follow these steps:
   :::column span="3":::
   3. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to confirm consent to both applications to access your organization.
   >[!NOTE]
-  >After accepance, the redirect page will show a blank page. This is a known behavior.
+  >After acceptance, the redirect page will show a blank page. This is a known behavior.
   :::column-end:::
   :::column span="1":::
     :::image type="content" alt-text="Screenshot showing the PIN reset service permissions final page." source="images/pinreset/pin-reset-service-prompt-2.png" lightbox="images/pinreset/pin-reset-service-prompt-2.png" border="true":::
@@ -80,7 +82,7 @@ To register the applications, follow these steps:
 ### Confirm that the two PIN Reset service principals are registered in your tenant
 
 1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com)
-1. Select **Azure Active Directory > Applications > Enterprise applications**
+1. Select **Microsoft Entra ID > Applications > Enterprise applications**
 1. Search by application name "Microsoft PIN" and verify that both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** are in the list
    :::image type="content" alt-text="PIN reset service permissions page." source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications-expanded.png":::
 
@@ -116,7 +118,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
 | `./Vendor/MSFT/Policy/PassportForWork/`*TenantId*`/Policies/EnablePinRecovery`| Boolean | True |
 
 >[!NOTE]
-> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account::
+> You must replace `TenantId` with the identifier of your Microsoft Entra tenant. To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account::
 
 ```msgraph-interactive
 GET https://graph.microsoft.com/v1.0/organization?$select=id
@@ -177,12 +179,14 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a
 +----------------------------------------------------------------------+
 ```
 
-## Configure allowed URLs for federated identity providers on Azure AD joined devices
+<a name='configure-allowed-urls-for-federated-identity-providers-on-azure-ad-joined-devices'></a>
 
-**Applies to:** Azure AD joined devices
+## Configure allowed URLs for federated identity providers on Microsoft Entra joined devices
 
-PIN reset on Azure AD-joined devices uses a flow called *web sign-in* to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: *"We can't open that page right now"*.\
-If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
+**Applies to:** Microsoft Entra joined devices
+
+PIN reset on Microsoft Entra joined devices uses a flow called *web sign-in* to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: *"We can't open that page right now"*.\
+If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Microsoft Entra joined PIN reset.
 
 [!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
 
@@ -199,14 +203,14 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
 | <li> OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls` </li><li>Data type: String </li><li>Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com**</li>|
 
 > [!NOTE]
-> For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, *"We can't open that page right now"*. The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy.
+> For Azure Government, there is a known issue with PIN reset on Microsoft Entra joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, *"We can't open that page right now"*. The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy.
 
 ## Use PIN reset
 
 Destructive and non-destructive PIN reset scenarios use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen with the *PIN credential provider*. Users must authenticate and complete multi-factor authentication to reset their PIN. After PIN reset is complete, users can sign in using their new PIN.
 
 >[!IMPORTANT]
->For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN.
+>For Microsoft Entra hybrid joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN.
 
 ### Reset PIN from Settings
 
@@ -216,7 +220,7 @@ Destructive and non-destructive PIN reset scenarios use the same steps for initi
 
 ### Reset PIN from the lock screen
 
-For Azure AD-joined devices:
+For Microsoft Entra joined devices:
 
 1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon
 1. Select **I forgot my PIN** from the PIN credential provider
@@ -226,7 +230,7 @@ For Azure AD-joined devices:
 
 :::image type="content" alt-text="Animation showing the PIN reset experience from the lock screen." source="images/pinreset/pin-reset.gif" border="false":::
 
-For Hybrid Azure AD-joined devices:
+For Microsoft Entra hybrid joined devices:
 
 1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon
 1. Select **I forgot my PIN** from the PIN credential provider
@@ -235,9 +239,9 @@ For Hybrid Azure AD-joined devices:
 1. When finished, unlock your desktop using your newly created PIN
 
 > [!NOTE]
-> Key trust on hybrid Azure AD-joined devices doesn't support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
+> Key trust on Microsoft Entra hybrid joined devices doesn't support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
 
-You may find that PIN reset from Settings only works post sign in. Also, the lock screen PIN reset function doesn't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
+You may find that PIN reset from Settings only works post sign in. Also, the lock screen PIN reset function doesn't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Microsoft Entra self-service password reset at the Windows sign-in screen](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
 
 <!--links-->
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index 58e5c14636..8e7e89b38e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -12,7 +12,7 @@ ms.collection:
 **Requirements**
 
 - Hybrid and On-premises Windows Hello for Business deployments
-- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
+- Microsoft Entra joined, Microsoft Entra hybrid joined, and Enterprise joined devices
 
 Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Remote Credential Guard](../remote-credential-guard.md) to establish a remote desktop protocol connection.
 
@@ -23,7 +23,7 @@ Microsoft continues to investigate supporting using keys trust for supplied cred
 **Requirements**
 
 - Hybrid and On-premises Windows Hello for Business deployments
-- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
+- Microsoft Entra joined, Microsoft Entra hybrid joined, and Enterprise joined devices
 - Biometric enrollments
 
 The ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric is on by default.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index 313d215066..af0ff0de5a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -6,75 +6,87 @@ ms.topic: reference
 ---
 # Windows Hello for Business authentication
 
-Windows Hello for Business authentication is a passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.
+Windows Hello for Business authentication is a passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Microsoft Entra ID and Active Directory resources.
 
-Azure AD-joined devices authenticate to Azure AD during sign-in and can, optionally, authenticate to Active Directory. Hybrid Azure AD-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure AD in the background.
+Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in and can, optionally, authenticate to Active Directory. Microsoft Entra hybrid joined devices authenticate to Active Directory during sign-in, and authenticate to Microsoft Entra ID in the background.
 
-## Azure AD join authentication to Azure AD
+<a name='azure-ad-join-authentication-to-azure-ad'></a>
 
-![Azure AD join authentication to Azure Active Directory.](images/howitworks/auth-aadj-cloud.png)
+## Microsoft Entra join authentication to Microsoft Entra ID
+
+![Microsoft Entra join authentication to Microsoft Entra ID.](images/howitworks/auth-aadj-cloud.png)
 
 > [!NOTE]
-> All Azure AD-joined devices authenticate with Windows Hello for Business to Azure AD the same way. The Windows Hello for Business trust type only impacts how the device authenticates to on-premises AD.
+> All Microsoft Entra joined devices authenticate with Windows Hello for Business to Microsoft Entra ID the same way. The Windows Hello for Business trust type only impacts how the device authenticates to on-premises AD.
 
 | Phase  | Description  |
 | :----: | :----------- |
 |A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to Winlogon.  Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.| 
-|B | The Cloud AP provider requests a nonce from Azure Active Directory.  Azure AD returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.|
-|C | Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature.  Azure AD then validates the returned signed nonce, and creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
+|B | The Cloud AP provider requests a nonce from Microsoft Entra ID.  Microsoft Entra ID returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID.|
+|C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature.  Microsoft Entra ID then validates the returned signed nonce, and creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
 |D | The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
 |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs Winlogon of the success authentication.  Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
 
-## Azure AD join authentication to Active Directory using cloud Kerberos trust
+<a name='azure-ad-join-authentication-to-active-directory-using-cloud-kerberos-trust'></a>
 
-![Azure Active Directory join authentication to Azure AD.](images/howitworks/auth-aadj-cloudtrust-kerb.png)
+## Microsoft Entra join authentication to Active Directory using cloud Kerberos trust
+
+![Microsoft Entra join authentication to Active Directory.](images/howitworks/auth-aadj-cloudtrust-kerb.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication.  The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain.  Using the hint, the provider uses the DClocator service to locate a 2016 domain controller.
-|B | After locating a domain controller, the Kerberos provider sends a partial TGT that it received from Azure AD from a previous Azure AD authentication to the domain controller. The partial TGT contains only the user SID, and it's signed by Azure AD Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client.|
+|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication.  The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain.  Using the hint, the provider uses the DClocator service to locate a 2016 domain controller.
+|B | After locating a domain controller, the Kerberos provider sends a partial TGT that it received from Microsoft Entra ID from a previous Microsoft Entra authentication to the domain controller. The partial TGT contains only the user SID, and it's signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client.|
 
-## Azure AD join authentication to Active Directory using a key
+<a name='azure-ad-join-authentication-to-active-directory-using-a-key'></a>
 
-![Azure AD join authentication to Active Directory using a Key.](images/howitworks/auth-aadj-keytrust-kerb.png)
+## Microsoft Entra join authentication to Active Directory using a key
+
+![Microsoft Entra join authentication to Active Directory using a Key.](images/howitworks/auth-aadj-keytrust-kerb.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication.  The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain.  Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
+|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication.  The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain.  Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
 |B | The Kerberos provider sends the signed preauthentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.<br>The 2016 domain controller determines the certificate is a self-signed certificate.  It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory.  It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory.  On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
 |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it hasn't been revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
 
 > [!NOTE]
-> You might have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Azure AD joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins.
+> You might have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Microsoft Entra joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins.
 
-## Azure AD join authentication to Active Directory using a certificate
+<a name='azure-ad-join-authentication-to-active-directory-using-a-certificate'></a>
 
-![Azure AD join authentication to Active Directory using a Certificate.](images/howitworks/auth-aadj-certtrust-kerb.png)
+## Microsoft Entra join authentication to Active Directory using a certificate
+
+![Microsoft Entra join authentication to Active Directory using a Certificate.](images/howitworks/auth-aadj-certtrust-kerb.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication.  The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate.  Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
+|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication.  The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate.  Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
 |B | The Kerberos provider sends the signed preauthentication data and  user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate isn't self-signed certificate.  The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked.  It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory.  It validates the signed preauthentication data using the public key from the certificate.  On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
 |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it hasn't been revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
 
 > [!NOTE]
-> You may have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.  
+> You may have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.  
 
-## Hybrid Azure AD join authentication using cloud Kerberos trust
+<a name='hybrid-azure-ad-join-authentication-using-cloud-kerberos-trust'></a>
 
-![Hybrid Azure AD join authentication using Azure AD Kerberos](images/howitworks/auth-haadj-cloudtrust.png)
+## Microsoft Entra hybrid join authentication using cloud Kerberos trust
+
+![Microsoft Entra hybrid join authentication using Microsoft Entra Kerberos](images/howitworks/auth-haadj-cloudtrust.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to Winlogon.  Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce.
-|B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Azure AD.
-|C | Azure AD validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Azure AD Kerberos and returns them to Cloud AP.
+|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to Winlogon.  Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.
+|B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Microsoft Entra ID.
+|C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Microsoft Entra Kerberos and returns them to Cloud AP.
 |D | Cloud AP  receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT.
-|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain.  Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After locating an active 2016 domain controller, the Kerberos provider sends the partial TGT that it received from Azure AD to the domain controller. The partial TGT contains only the user SID and is signed by Azure AD Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain.  Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After locating an active 2016 domain controller, the Kerberos provider sends the partial TGT that it received from Microsoft Entra ID to the domain controller. The partial TGT contains only the user SID and is signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
 
-## Hybrid Azure AD join authentication using a key
+<a name='hybrid-azure-ad-join-authentication-using-a-key'></a>
 
-![Hybrid Azure AD join authentication using a key.](images/howitworks/auth-haadj-keytrust.png)
+## Microsoft Entra hybrid join authentication using a key
+
+![Microsoft Entra hybrid join authentication using a key.](images/howitworks/auth-haadj-keytrust.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -83,15 +95,17 @@ Azure AD-joined devices authenticate to Azure AD during sign-in and can, optiona
 |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it hasn't been revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
 |D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
 |E | Lsass informs Winlogon of the success authentication.  Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
-|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.  The Cloud AP provider requests a nonce from Azure Active Directory.  Azure AD returns a nonce.|
-|G |  The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.  Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature.  After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
+|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.  The Cloud AP provider requests a nonce from Microsoft Entra ID.  Microsoft Entra ID returns a nonce.|
+|G |  The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID.  Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature.  After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
 
 > [!IMPORTANT]
-> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time.
+> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Microsoft Entra Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time.
 
-## Hybrid Azure AD join authentication using a certificate
+<a name='hybrid-azure-ad-join-authentication-using-a-certificate'></a>
 
-![Hybrid Azure AD join authentication using a Certificate.](images/howitworks/auth-haadj-certtrust.png)
+## Microsoft Entra hybrid join authentication using a certificate
+
+![Microsoft Entra hybrid join authentication using a Certificate.](images/howitworks/auth-haadj-certtrust.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -100,8 +114,8 @@ Azure AD-joined devices authenticate to Azure AD during sign-in and can, optiona
 |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it hasn't been revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
 |D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
 |E | Lsass informs Winlogon of the success authentication.  Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
-|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.  The Cloud AP provider requests a nonce from Azure Active Directory.  Azure AD returns a nonce.|
-|G |  The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.  Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature.  After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
+|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.  The Cloud AP provider requests a nonce from Microsoft Entra ID.  Microsoft Entra ID returns a nonce.|
+|G |  The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID.  Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature.  After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
 
 > [!IMPORTANT]
 > In the above deployment model, a **newly provisioned** user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index ee7ba7e558..dc5f922db7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -8,100 +8,110 @@ ms.topic: overview
 
 Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication.  Provisioning experience vary based on:
 
-- How the device is joined to Azure Active Directory
+- How the device is joined to Microsoft Entra ID
 - The Windows Hello for Business deployment type
 - If the environment is managed or federated
 
 List of provisioning flows:
 
-- [Azure AD joined provisioning in a managed environment](#azure-ad-joined-provisioning-in-a-managed-environment)
-- [Azure AD joined provisioning in a federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)
-- [Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-kerberos-trust-deployment-in-a-managed-environment)
-- [Hybrid Azure AD joined provisioning in a key trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
-- [Hybrid Azure AD joined provisioning in a synchronous certificate trust deployment in a federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
+- [Microsoft Entra joined provisioning in a managed environment](#azure-ad-joined-provisioning-in-a-managed-environment)
+- [Microsoft Entra joined provisioning in a federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)
+- [Microsoft Entra hybrid joined provisioning in a cloud Kerberos trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-kerberos-trust-deployment-in-a-managed-environment)
+- [Microsoft Entra hybrid joined provisioning in a key trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
+- [Microsoft Entra hybrid joined provisioning in a synchronous certificate trust deployment in a federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
 - [Domain joined provisioning in an On-premises key trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)
 - [Domain joined provisioning in an On-premises certificate trust deployment](#domain-joined-provisioning-in-an-on-premises-certificate-trust-deployment)
 
 > [!NOTE]
 > The flows in this section are not exhaustive for every possible scenario. For example, Federated Key Trust is also a supported configuration.
 
-## Azure AD joined provisioning in a managed environment
+<a name='azure-ad-joined-provisioning-in-a-managed-environment'></a>
 
-![Azure AD joined provisioning in a managed environment.](images/howitworks/prov-aadj-managed.png)
+## Microsoft Entra joined provisioning in a managed environment
+
+![Microsoft Entra joined provisioning in a managed environment.](images/howitworks/prov-aadj-managed.png)
 [Full size image](images/howitworks/prov-aadj-managed.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
-| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication.  If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.<br>Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication.  If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.<br>Microsoft Entra ID validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
 |B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN.  Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data.  This is the user key (ukpub/ukpriv).|
-|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.|
+|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID to the application which signals the end of user provisioning and the application exits.|
 
 
 [Return to top](#windows-hello-for-business-provisioning)
 
-## Azure AD joined provisioning in a federated environment
+<a name='azure-ad-joined-provisioning-in-a-federated-environment'></a>
 
-![Azure AD joined provisioning in federated environment.](images/howitworks/prov-aadj-federated.png)
+## Microsoft Entra joined provisioning in a federated environment
+
+![Microsoft Entra joined provisioning in federated environment.](images/howitworks/prov-aadj-federated.png)
 [Full size image](images/howitworks/prov-aadj-federated.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
-| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.<br>  In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services.  The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication.  If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.<br> The on-premises STS server issues an enterprise token on successful MFA.  The application sends the token to Azure Active Directory.<br>Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br>  In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services.  The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication.  If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.<br> The on-premises STS server issues an enterprise token on successful MFA.  The application sends the token to Microsoft Entra ID.<br>Microsoft Entra ID validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
 |B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor.  If the application detects a biometric sensor, it gives the user the choice to enroll biometrics.  After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics).  The user provides and confirms their PIN.  Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data.  This is the user key (ukpub/ukpriv).|
-|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration.  Azure DRS validates MFA claim remains current.  On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns key ID to the application which signals the end of user provisioning and the application exits.|
+|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration.  Azure DRS validates MFA claim remains current.  On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns key ID to the application which signals the end of user provisioning and the application exits.|
 
 [Return to top](#windows-hello-for-business-provisioning)
 
-## Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a managed environment
+<a name='hybrid-azure-ad-joined-provisioning-in-a-cloud-kerberos-trust-deployment-in-a-managed-environment'></a>
 
-![Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a Managed environment.](images/howitworks/prov-haadj-cloudtrust-managed.png)
+## Microsoft Entra hybrid joined provisioning in a cloud Kerberos trust deployment in a managed environment
+
+![Microsoft Entra hybrid joined provisioning in a cloud Kerberos trust deployment in a Managed environment.](images/howitworks/prov-haadj-cloudtrust-managed.png)
 [Full size image](images/howitworks/prov-haadj-cloudtrust-managed.png)
 
 | Phase | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
 |:-----:|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-|   A   | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.<br>Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+|   A   | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.<br>Microsoft Entra ID validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
 |   B   | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor.  If the application detects a biometric sensor, it gives the user the choice to enroll biometrics.  After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics).  The user provides and confirms their PIN.  Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data.  This is the user key (ukpub/ukpriv).                                                                                                                                                                                                                                                                         |
-|   C   | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration.  Azure DRS validates the MFA claim remains current.  On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.  |
+|   C   | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration.  Azure DRS validates the MFA claim remains current.  On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID to the application which signals the end of user provisioning and the application exits.  |
 
 > [!NOTE]
-> Windows Hello for Business cloud Kerberos trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to Azure Active Directory and AD after provisioning their credential.
+> Windows Hello for Business cloud Kerberos trust does not require users' keys to be synced from Microsoft Entra ID to Active Directory. Users can immediately authenticate to Microsoft Entra ID and AD after provisioning their credential.
 
 [Return to top](#windows-hello-for-business-provisioning)
 
-## Hybrid Azure AD joined provisioning in a key trust deployment in a managed environment
+<a name='hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment'></a>
 
-![Hybrid Azure AD joined provisioning in a key trust deployment in a managed environment.](images/howitworks/prov-haadj-keytrust-managed.png)
+## Microsoft Entra hybrid joined provisioning in a key trust deployment in a managed environment
+
+![Microsoft Entra hybrid joined provisioning in a key trust deployment in a managed environment.](images/howitworks/prov-haadj-keytrust-managed.png)
 [Full size image](images/howitworks/prov-haadj-keytrust-managed.png)
 
 | Phase | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
 |:-----:|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-|   A   | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.<br>Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+|   A   | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.<br>Microsoft Entra ID validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
 |   B   | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor.  If the application detects a biometric sensor, it gives the user the choice to enroll biometrics.  After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics).  The user provides and confirms their PIN.  Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data.  This is the user key (ukpub/ukpriv).                                                                                                                                                                                                                                                                         |
-|   C   | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration.  Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.                                                                                                                                                                                                                                                                                                                                                         |
-|   D   | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. Azure Active Directory Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
+|   C   | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration.  Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID to the application which signals the end of user provisioning and the application exits.                                                                                                                                                                                                                                                                                                                                                         |
+|   D   | Microsoft Entra Connect requests updates on its next synchronization cycle. Microsoft Entra ID sends the user's public key that was securely registered through provisioning. Microsoft Entra Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 
 > [!IMPORTANT]
-> The newly provisioned user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory.
+> The newly provisioned user will not be able to sign in using Windows Hello for Business until Microsoft Entra Connect successfully synchronizes the public key to the on-premises Active Directory.
 
 [Return to top](#windows-hello-for-business-provisioning)
 
-## Hybrid Azure AD joined provisioning in a synchronous certificate trust deployment in a federated environment
+<a name='hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment'></a>
 
-![Hybrid Azure AD joined provisioning in a synchronous Certificate trust deployment in a federated environment.](images/howitworks/prov-haadj-instant-certtrust-federated.png)
+## Microsoft Entra hybrid joined provisioning in a synchronous certificate trust deployment in a federated environment
+
+![Microsoft Entra hybrid joined provisioning in a synchronous Certificate trust deployment in a federated environment.](images/howitworks/prov-haadj-instant-certtrust-federated.png)
 [Full size image](images/howitworks/prov-haadj-instant-certtrust-federated.png)
 
 | Phase | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
 |:-----:|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-|   A   | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.<br>  In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services.  The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise token on successful MFA.  The application sends the token to Azure Active Directory.<br>Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+|   A   | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br>  In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services.  The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise token on successful MFA.  The application sends the token to Microsoft Entra ID.<br>Microsoft Entra ID validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
 |   B   | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor.  If the application detects a biometric sensor, it gives the user the choice to enroll biometrics.  After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics).  The user provides and confirms their PIN.  Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data.  This is the user key (ukpub/ukpriv).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-|   C   | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration.  Azure DRS validates the MFA claim remains current.  On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
+|   C   | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration.  Azure DRS validates the MFA claim remains current.  On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID and a key receipt to the application, which represents the end of user key registration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
 |   D   | The certificate request portion of provisioning begins after the application receives a successful response from key registration.  The application creates a PKCS#10 certificate request.  The key used in the certificate request is the same key that was securely provisioned.<br> The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.<br>  After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys.                                                                                                                                                                                                                                                                                                                                                                                                                                           |
 |   E   | The registration authority validates the public key in the certificate request matches a registered key for the user.<br>  If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.<br>After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
 |   F   | The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
 |   G   | The application receives the newly issued certificate and installs it into the Personal store of the user.  This signals the end of provisioning.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
 
 > [!IMPORTANT]
-> Synchronous certificate enrollment does not depend on Azure AD Connect to synchronize the user's public key to issue the Windows Hello for Business authentication certificate.  Users can sign-in using the certificate immediately after provisioning completes.  Azure AD Connect continues to synchronize the public key to Active Directory, but is not shown in this flow.
+> Synchronous certificate enrollment does not depend on Microsoft Entra Connect to synchronize the user's public key to issue the Windows Hello for Business authentication certificate.  Users can sign-in using the certificate immediately after provisioning completes.  Microsoft Entra Connect continues to synchronize the public key to Active Directory, but is not shown in this flow.
 
 [Return to top](#windows-hello-for-business-provisioning)
 ## Domain joined provisioning in an On-premises Key Trust deployment
@@ -110,7 +120,7 @@ List of provisioning flows:
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.<br>  In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services.  The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password.  Azure MFA server (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise DRS token on successful MFA.|
+|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br>  In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services.  The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password.  Azure MFA server (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise DRS token on successful MFA.|
 | B| After receiving an EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor.  If the application detects a biometric sensor, it gives the user the choice to enroll biometrics.  After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics).  The user provides and confirms their PIN.  Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data.  This is the user key (ukpub/ukpriv).|
 |C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration.  Enterprise DRS validates the MFA claim remains current.  On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
 
@@ -122,7 +132,7 @@ List of provisioning flows:
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.<br>  In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services.  The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password.  Azure MFA server (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise DRS token on successful MFA.|
+|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br>  In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services.  The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password.  Azure MFA server (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise DRS token on successful MFA.|
 | B| After receiving an EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor.  If the application detects a biometric sensor, it gives the user the choice to enroll biometrics.  After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics).  The user provides and confirms their PIN.  Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data.  This is the user key (ukpub/ukpriv).|
 |C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration.  Enterprise DRS validates the MFA claim remains current.  On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
 |D | The certificate request portion of provisioning begins after the application receives a successful response from key registration.  The application creates a PKCS#10 certificate request.  The key used in the certificate request is the same key that was securely provisioned.<br> The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.<br>  After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys.|
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index 8c6856a2da..be3cce3029 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -32,32 +32,44 @@ In the issued AIK certificate, a special OID is added to attest that endorsement
 - [Windows client certificate enrollment protocol: glossary](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_70efa425-6b46-462f-911d-d399404529ab)
 - [TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
 
-## Azure Active Directory join
+<a name='azure-active-directory-join'></a>
 
-Azure Active Directory (Azure AD) join is intended for organizations that desire to be cloud-first or cloud-only. There's no restriction on the size or type of organizations that can deploy Azure AD join. Azure AD join also works in a hybrid environment and can enable access to on-premises applications and resources.
+## Microsoft Entra join
 
-### Related to Azure AD join
+Microsoft Entra join is intended for organizations that desire to be cloud-first or cloud-only. There's no restriction on the size or type of organizations that can deploy Microsoft Entra join. Microsoft Entra join also works in a hybrid environment and can enable access to on-premises applications and resources.
+
+<a name='related-to-azure-ad-join'></a>
+
+### Related to Microsoft Entra join
 
 - [Join type](#join-type)
-- [Hybrid Azure AD join](#hybrid-azure-ad-join)
+- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
 
-### More information about Azure AD join
+<a name='more-information-about-azure-ad-join'></a>
 
-[Introduction to device identity in Azure AD](/azure/active-directory/devices/overview).
+### More information about Microsoft Entra join
 
-## Azure AD registration
+[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview).
 
-The goal of Azure AD-registered devices is to provide you with support for the _bring your own device_ (BYOD) scenario. In this scenario, a user can access your organization's Azure AD-controlled resources using a personal device.
+<a name='azure-ad-registration'></a>
 
-### Related to Azure AD registration
+## Microsoft Entra registration
 
-- [Azure AD join](#azure-active-directory-join)
-- [Hybrid Azure AD join](#hybrid-azure-ad-join)
+The goal of Microsoft Entra registered devices is to provide you with support for the _bring your own device_ (BYOD) scenario. In this scenario, a user can access your organization's Microsoft Entra ID-controlled resources using a personal device.
+
+<a name='related-to-azure-ad-registration'></a>
+
+### Related to Microsoft Entra registration
+
+- [Microsoft Entra join](#azure-active-directory-join)
+- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
 - [Join type](#join-type)
 
-### More information about Azure AD registration
+<a name='more-information-about-azure-ad-registration'></a>
 
-[Introduction to device identity in Azure AD](/azure/active-directory/devices/overview).
+### More information about Microsoft Entra registration
+
+[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview).
 
 ## Certificate trust
 
@@ -66,7 +78,7 @@ The certificate trust model uses a securely issued certificate based on the user
 ### Related to certificate trust
 
 - [Deployment type](#deployment-type)
-- [Hybrid Azure AD join](#hybrid-azure-ad-join)
+- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
 - [Hybrid deployment](#hybrid-deployment)
 - [Cloud Kerberos trust](#cloud-kerberos-trust)
 - [Key trust](#key-trust)
@@ -79,18 +91,18 @@ The certificate trust model uses a securely issued certificate based on the user
 
 ## Cloud deployment
 
-The Windows Hello for Business cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Azure AD-joined or Azure AD-registered devices.
+The Windows Hello for Business cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Microsoft Entra joined or Microsoft Entra registered devices.
 
 ### Related to cloud deployment
 
-- [Azure AD join](#azure-active-directory-join)
-- [Azure AD registration](#azure-ad-registration)
+- [Microsoft Entra join](#azure-active-directory-join)
+- [Microsoft Entra registration](#azure-ad-registration)
 - [Deployment type](#deployment-type)
 - [Join type](#join-type)
 
 ## Cloud experience host
 
-In Windows 10 and Windows 11, cloud experience host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC.
+In Windows 10 and Windows 11, cloud experience host is an application used while joining the workplace environment or Microsoft Entra ID for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Microsoft Entra ID, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC.
 
 ### Related to cloud experience host
 
@@ -111,7 +123,7 @@ Giving the simplicity offered by this model, cloud Kerberos trust is the recomme
 ### Related to cloud Kerberos trust
 
 - [Deployment type](#deployment-type)
-- [Hybrid Azure AD join](#hybrid-azure-ad-join)
+- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
 - [Hybrid deployment](#hybrid-deployment)
 - [Key trust](#key-trust)
 - [On-premises deployment](#on-premises-deployment)
@@ -168,7 +180,7 @@ For certain devices that use firmware-based TPM produced by Intel or Qualcomm, t
 
 ## Federated environment
 
-Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Microsoft cloud services. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.
+Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Microsoft Entra ID and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Microsoft cloud services. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Microsoft Entra ID.
 
 ### Related to federated environment
 
@@ -179,9 +191,11 @@ Primarily for large enterprise organizations with more complex authentication re
 
 ### More information about federated environment
 
-[Choose the right authentication method for your Azure AD hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
+[Choose the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
 
-## Hybrid Azure AD join
+<a name='hybrid-azure-ad-join'></a>
+
+## Microsoft Entra hybrid join
 
 For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable:
 
@@ -190,27 +204,31 @@ For more than a decade, many organizations have used the domain join to their on
 
 Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use or group policy to manage them.
 
-If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure AD, you can implement hybrid Azure AD-joined devices. These devices are joined to both your on-premises Active Directory and your Azure AD.
+If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Microsoft Entra ID, you can implement Microsoft Entra hybrid joined devices. These devices are joined to both your on-premises Active Directory and your Microsoft Entra ID.
 
-### Related to hybrid Azure AD join
+<a name='related-to-hybrid-azure-ad-join'></a>
 
-- [Azure AD join](#azure-active-directory-join)
-- [Azure AD registration](#azure-ad-registration)
+### Related to Microsoft Entra hybrid join
+
+- [Microsoft Entra join](#azure-active-directory-join)
+- [Microsoft Entra registration](#azure-ad-registration)
 - [Hybrid deployment](#hybrid-deployment)
 
-### More information about hybrid Azure AD join
+<a name='more-information-about-hybrid-azure-ad-join'></a>
 
-[Introduction to device identity in Azure AD](/azure/active-directory/devices/overview)
+### More information about Microsoft Entra hybrid join
+
+[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview)
 
 ## Hybrid deployment
 
-The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust.
+The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Microsoft Entra ID. Hybrid deployments support devices that are Microsoft Entra registered, Microsoft Entra joined, and Microsoft Entra hybrid joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust.
 
 ### Related to hybrid deployment
 
-- [Azure AD join](#azure-active-directory-join)
-- [Azure AD registration](#azure-ad-registration)
-- [Hybrid Azure AD join](#hybrid-azure-ad-join)
+- [Microsoft Entra join](#azure-active-directory-join)
+- [Microsoft Entra registration](#azure-ad-registration)
+- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
 
 ### More information about hybrid deployment
 
@@ -218,23 +236,23 @@ The Windows Hello for Business hybrid deployment is for organizations that have
 
 ## Join type
 
-Join type is how devices are associated with Azure AD. For a device to authenticate to Azure AD it must be registered or joined.
+Join type is how devices are associated with Microsoft Entra ID. For a device to authenticate to Microsoft Entra it must be registered or joined.
 
-Registering a device to Azure AD enables you to manage a device's identity. When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs-in to Azure AD. You can use the identity to enable or disable a device.
+Registering a device to Microsoft Entra ID enables you to manage a device's identity. When a device is registered, Microsoft Entra device registration provides the device with an identity that is used to authenticate the device when a user signs-in to Microsoft Entra ID. You can use the identity to enable or disable a device.
 
-When combined with a mobile device management (MDM) solution such as Microsoft Intune, the device attributes in Azure AD are updated with additional information about the device. This behavior allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune.
+When combined with a mobile device management (MDM) solution such as Microsoft Intune, the device attributes in Microsoft Entra ID are updated with additional information about the device. This behavior allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune.
 
 Joining a device is an extension to registering a device. This method provides you with all the benefits of registering a device, and changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account.
 
 ### Related to join type
 
-- [Azure AD join](#azure-active-directory-join)
-- [Azure AD registration](#azure-ad-registration)
-- [Hybrid Azure AD join](#hybrid-azure-ad-join)
+- [Microsoft Entra join](#azure-active-directory-join)
+- [Microsoft Entra registration](#azure-ad-registration)
+- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
 
 ### More information about join type
 
-[Introduction to device identity in Azure AD](/azure/active-directory/devices/overview)
+[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview)
 
 ## Key trust
 
@@ -245,7 +263,7 @@ The key trust model uses the user's Windows Hello for Business identity to authe
 - [Cloud Kerberos trust](#cloud-kerberos-trust)
 - [Certificate trust](#certificate-trust)
 - [Deployment type](#deployment-type)
-- [Hybrid Azure AD join](#hybrid-azure-ad-join)
+- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
 - [Hybrid deployment](#hybrid-deployment)
 - [On-premises deployment](#on-premises-deployment)
 - [Trust type](#trust-type)
@@ -256,7 +274,7 @@ The key trust model uses the user's Windows Hello for Business identity to authe
 
 ## Managed environment
 
-Managed environments are for non-federated environments where Azure AD manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services (ADFS).
+Managed environments are for non-federated environments where Microsoft Entra ID manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services (ADFS).
 
 ### Related to managed environment
 
@@ -280,7 +298,7 @@ The Windows Hello for Business on-premises deployment is for organizations that
 
 ## Pass-through authentication
 
-Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Allows your users to sign in to both on-premises and Microsoft cloud resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Azure AD. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
+Pass-through authentication provides a simple password validation for Microsoft Entra authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Microsoft Entra ID and manage your users on-premises. Allows your users to sign in to both on-premises and Microsoft cloud resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Microsoft Entra ID. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Microsoft Entra ID when they are on their corporate devices and connected to your corporate network.
 
 ### Related to pass-through authentication
 
@@ -290,11 +308,11 @@ Pass-through authentication provides a simple password validation for Azure AD a
 
 ### More information about pass-through authentication
 
-[Choose the right authentication method for your Azure AD hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
+[Choose the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
 
 ## Password hash sync
 
-Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
+Password hash sync is the simplest way to enable authentication for on-premises directory objects in Microsoft Entra ID. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Microsoft Entra ID and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Microsoft Entra ID so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Microsoft Entra ID so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Microsoft Entra ID or stored in Microsoft Entra ID in clear text. Some premium features of Microsoft Entra ID, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Microsoft Entra ID when they are on their corporate devices and connected to your corporate network.
 
 ### Related to password hash sync
 
@@ -304,13 +322,13 @@ Password hash sync is the simplest way to enable authentication for on-premises
 
 ### More information about password hash sync
 
-[Choose the right authentication method for your Azure AD hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
+[Choose the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
 
 ## Primary refresh token
 
-Single sign on (SSO) relies on special tokens obtained for each of the types of applications above. These special tokens are then used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Azure AD and AD FS applications, this token is a _primary refresh token_ (PRT). It's a [JSON Web Token](https://openid.net/specs/draft-jones-json-web-token-07.html) that contains claims about both the user and the device.
+Single sign on (SSO) relies on special tokens obtained for each of the types of applications above. These special tokens are then used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Microsoft Entra ID and AD FS applications, this token is a _primary refresh token_ (PRT). It's a [JSON Web Token](https://openid.net/specs/draft-jones-json-web-token-07.html) that contains claims about both the user and the device.
 
-The PRT is initially obtained during Windows user sign-in or unlock in a similar way the Kerberos TGT is obtained. This behavior is true for both Azure AD joined and hybrid Azure AD-joined devices. For personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account. For a personal device the account to unlock the device isn't the work account, but a consumer account. For example, hotmail.com, live.com, or outlook.com.
+The PRT is initially obtained during Windows user sign-in or unlock in a similar way the Kerberos TGT is obtained. This behavior is true for both Microsoft Entra joined and Microsoft Entra hybrid joined devices. For personal devices registered with Microsoft Entra ID, the PRT is initially obtained upon Add Work or School Account. For a personal device the account to unlock the device isn't the work account, but a consumer account. For example, hotmail.com, live.com, or outlook.com.
 
 The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. The PRT also contains information about the device. If you have any [device-based conditional access](/azure/active-directory/conditional-access/concept-conditional-access-grant) policy set on an application, without the PRT, access will be denied.
 
@@ -330,7 +348,7 @@ The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of
 
 ## Trust type
 
-The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type doesn't affect authentication to Azure AD. Windows Hello for Business authentication to Azure AD always uses the key, not a certificate (excluding smart card authentication in a federated environment).
+The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type doesn't affect authentication to Microsoft Entra ID. Windows Hello for Business authentication to Microsoft Entra ID always uses the key, not a certificate (excluding smart card authentication in a federated environment).
 
 ### Related to trust type
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index a39e31f06f..ee893787c7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -6,7 +6,7 @@ ms.topic: overview
 ---
 # How Windows Hello for Business works in Windows Devices
 
-Windows Hello for Business is a two-factor credential that is a more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory-joined, Hybrid Azure Active Directory-joined, or Azure AD registered devices. Windows Hello for Business also works for domain joined devices.
+Windows Hello for Business is a two-factor credential that is a more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Microsoft Entra joined, Microsoft Entra hybrid joined, or Microsoft Entra registered devices. Windows Hello for Business also works for domain joined devices.
 
 Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features.
 > [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
@@ -17,7 +17,7 @@ Windows Hello for Business is a distributed system that uses several components
 
 ### Device Registration
 
-Registration is a fundamental prerequisite for Windows Hello for Business.  Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
+Registration is a fundamental prerequisite for Windows Hello for Business.  Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Microsoft Entra ID and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
 
 For more information, read [how device registration works](/azure/active-directory/devices/device-registration-how-it-works).
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 3eeb4f536d..fab3db4894 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -1,6 +1,6 @@
 ---
-title: Use Certificates to enable SSO for Azure AD join devices
-description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps.
+title: Use Certificates to enable SSO for Microsoft Entra join devices
+description: If you want to use certificates for on-premises single-sign on for Microsoft Entra joined devices, then follow these additional steps.
 ms.date: 08/19/2018
 ms.topic: how-to
 ---
@@ -9,14 +9,14 @@ ms.topic: how-to
 
 [!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cert-trust-aad.md)]
 
-If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices.
+If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Microsoft Entra joined devices.
 
 > [!IMPORTANT]
-> Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso) before you continue.
+> Ensure you have performed the configurations in [Microsoft Entra joined devices for On-premises Single-Sign On](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso) before you continue.
 
 Steps you'll perform include:
 
-- [Prepare Azure AD Connect](#prepare-azure-ad-connect)
+- [Prepare Microsoft Entra Connect](#prepare-azure-ad-connect)
 - [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account)
 - [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority)
 - [Install the Network Device Enrollment Services Role](#install-and-configure-the-ndes-role)
@@ -26,7 +26,7 @@ Steps you'll perform include:
 
 ## Requirements
 
-You need to install and configure additional infrastructure to provide Azure AD-joined devices with on-premises single-sign on.
+You need to install and configure additional infrastructure to provide Microsoft Entra joined devices with on-premises single-sign on.
 
 - An existing Windows Server 2012 R2 or later Enterprise Certificate Authority
 - A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role
@@ -43,29 +43,33 @@ The Network Device Enrollment Service (NDES) server role can issue up to three u
 - Encryption
 - Signature and Encryption
 
-If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers.  Alternatively, consider consolidating certificate templates to reduce the number of certificate templates.
+If you need to deploy more than three types of certificates to the Microsoft Entra joined device, you need additional NDES servers.  Alternatively, consider consolidating certificate templates to reduce the number of certificate templates.
 
 ### Network Requirements
 
 All communication occurs securely over port 443.
 
-## Prepare Azure AD Connect
+<a name='prepare-azure-ad-connect'></a>
+
+## Prepare Microsoft Entra Connect
 
 Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain.  The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name.
 
 Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller.  Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller.
 
-To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute.  Azure AD Connect version 1.1.819 includes the proper synchronization rules needed for these attributes.
+To include the on-premises distinguished name in the certificate's subject, Microsoft Entra Connect must replicate the Active Directory **distinguishedName** attribute to the Microsoft Entra ID **onPremisesDistinguishedName** attribute.  Microsoft Entra Connect version 1.1.819 includes the proper synchronization rules needed for these attributes.
 
-### Verify Azure Active Directory Connect version
+<a name='verify-azure-active-directory-connect-version'></a>
 
-Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_.
+### Verify Microsoft Entra Connect version
 
-1. Open **Synchronization Services** from the **Azure AD Connect** folder.
+Sign-in to computer running Microsoft Entra Connect with access equivalent to _local administrator_.
+
+1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder.
 
 2. In the **Synchronization Service Manager**, select **Help** and then select **About**.
 
-3. If the version number isn't **1.1.819** or later, then upgrade Azure AD Connect to the latest version.
+3. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version.
 
 ### Verify the onPremisesDistinguishedName attribute is synchronized
 
@@ -80,7 +84,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync
 
 3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You'll now be prompted for delegated permissions consent.
 
-4. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Azure Active Directory.  Select **Run query**.
+4. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID.  Select **Run query**.
 
 > [!NOTE]
 > Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios.
@@ -232,7 +236,7 @@ You must prepare the public key infrastructure and the issuing certificate autho
 
 - Configure the certificate authority to let Intune provide validity periods
 - Create an NDES-Intune Authentication Certificate template
-- Create an Azure AD joined Windows Hello for Business authentication certificate template
+- Create a Microsoft Entra joined Windows Hello for Business authentication certificate template
 - Publish certificate templates
 
 ### Configure the certificate authority to let Intune provide validity periods
@@ -283,7 +287,9 @@ Sign-in to the issuing certificate authority or management workstations with _Do
 
 11. Select on the **Apply** to save changes and close the console.
 
-### Create an Azure AD joined Windows Hello for Business authentication certificate template
+<a name='create-an-azure-ad-joined-windows-hello-for-business-authentication-certificate-template'></a>
+
+### Create a Microsoft Entra joined Windows Hello for Business authentication certificate template
 
 During Windows Hello for Business provisioning,  Windows requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user.  This task configures the Windows Hello for Business authentication certificate template.  You use the name of the certificate template when configuring the NDES Server.
 
@@ -455,13 +461,13 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
 
 5. Select **Add**.
 
-6. Select **Users or Computers...**  Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD-joined devices.  From the **Available services** list, select **HOST**.  Select **OK**.
+6. Select **Users or Computers...**  Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Microsoft Entra joined devices.  From the **Available services** list, select **HOST**.  Select **OK**.
 
    ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png)
 
 7. Repeat steps 5 and 6 for each NDES server using this service account. Select **Add**.
 
-8. Select **Users or computers...**  Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD-joined devices.  From the **Available services** list, select **dcom**.  Hold the **CTRL** key and select **HOST**. Select **OK**.
+8. Select **Users or computers...**  Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Microsoft Entra joined devices.  From the **Available services** list, select **dcom**.  Hold the **CTRL** key and select **HOST**. Select **OK**.
 
 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
 
@@ -534,7 +540,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials.
 
 1. Open an elevated command prompt.
 
-2. Using the table above, decide which registry value name you'll use to request Windows Hello for Business authentication certificates for Azure AD-joined devices.
+2. Using the table above, decide which registry value name you'll use to request Windows Hello for Business authentication certificates for Microsoft Entra joined devices.
 
 3. Type the following command:
 
@@ -542,7 +548,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials.
    reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]
    ```
 
-   where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD-joined devices.  Example:
+   where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Microsoft Entra joined devices.  Example:
 
    ```console
    reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication
@@ -557,13 +563,13 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials.
 
 ### Create a Web Application Proxy for the internal NDES URL.
 
-Certificate enrollment for Azure AD-joined devices occurs over the Internet.  As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy.  Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services.
+Certificate enrollment for Microsoft Entra joined devices occurs over the Internet.  As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Microsoft Entra application proxy.  Microsoft Entra application proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services.
 
-Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs.  This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests).  Microsoft Intune sends these requests to Azure AD Application Proxies.
+Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs.  This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests).  Microsoft Intune sends these requests to Microsoft Entra Application Proxies.
 
-Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. See [What is Application Proxy](/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications.
+Microsoft Entra Application proxies are serviced by lightweight Application Proxy Connector agents. See [What is Application Proxy](/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Microsoft Entra Application Proxies. You can create connector groups in Microsoft Entra ID to assign specific connectors to service specific applications.
 
-Connector group automatically round-robin, load balance the Azure AD Application proxy requests to the connectors within the assigned connector group.  This ensures Windows Hello for Business certificate requests have multiple dedicated Azure AD Application Proxy connectors exclusively available to satisfy enrollment requests.  Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner.
+Connector group automatically round-robin, load balance the Microsoft Entra application proxy requests to the connectors within the assigned connector group.  This ensures Windows Hello for Business certificate requests have multiple dedicated Microsoft Entra application proxy connectors exclusively available to satisfy enrollment requests.  Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner.
 
 #### Download and Install the Application Proxy Connector Agent
 
@@ -571,7 +577,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
 1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
 
-2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, select **Azure Active Directory**.
+2. Select **All Services**.  Type **Microsoft Entra ID** to filter the list of services.  Under **SERVICES**, select **Microsoft Entra ID**.
 
 3. Under **MANAGE**, select **Application proxy**.
 
@@ -582,7 +588,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 5. Sign-in the computer that will run the connector with access equivalent to a _domain user_.
 
    > [!IMPORTANT]
-   > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy.  Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability.  Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
+   > Install a minimum of two Microsoft Entra ID Proxy connectors for each NDES Application Proxy.  Strategically locate Microsoft Entra application proxy connectors throughout your organization to ensure maximum availability.  Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
 
 6. Start **AADApplicationProxyConnectorInstaller.exe**.
 
@@ -598,7 +604,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
    ![Azure Application Proxy Connector: read](images/aadjcert/azureappproxyconnectorinstall-03.png)
 
-10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments.
+10. Repeat steps 5 - 10 for each device that will run the Microsoft Entra application proxy connector for Windows Hello for Business certificate deployments.
 
 #### Create a Connector Group
 
@@ -606,7 +612,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
 1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
 
-2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, select **Azure Active Directory**.
+2. Select **All Services**.  Type **Microsoft Entra ID** to filter the list of services.  Under **SERVICES**, select **Microsoft Entra ID**.
 
 3. Under **MANAGE**, select **Application proxy**.
 
@@ -626,17 +632,17 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
 1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
 
-2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, select **Azure Active Directory**.
+2. Select **All Services**.  Type **Microsoft Entra ID** to filter the list of services.  Under **SERVICES**, select **Microsoft Entra ID**.
 
 3. Under **MANAGE**, select **Application proxy**.
 
 4. Select **Configure an app**.
 
-5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**.  Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server.  Each NDES server must have its own Azure AD Application Proxy as two NDES servers can't share the same internal URL.
+5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**.  Choose a name that correlates this Microsoft Entra application proxy setting with the on-premises NDES server.  Each NDES server must have its own Microsoft Entra application proxy as two NDES servers can't share the same internal URL.
 
-6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy.  For example, ```https://ndes.corp.mstepdemo.net```.  You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
+6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Microsoft Entra application proxy.  For example, ```https://ndes.corp.mstepdemo.net```.  You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
 
-7. Under **Internal URL**, select **https://** from the first list.  In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy.  In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy.  It's recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
+7. Under **Internal URL**, select **https://** from the first list.  In the text box next to **https://**, type the hostname you want to use as your external hostname for the Microsoft Entra application proxy.  In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Microsoft Entra application proxy.  It's recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Microsoft Entra tenant name (-mstephendemo.msappproxy.net).
 
    ![Azure NDES Application Proxy Configuration.](images/aadjcert/azureconsole-appproxyconfig.png)
 
@@ -681,7 +687,7 @@ Sign-in the NDES server with access equivalent to _local administrators_.
 
 10. Select **Enroll**
 
-11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD-joined devices.
+11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Microsoft Entra joined devices.
 
 ### Configure the Web Server Role
 
@@ -824,7 +830,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
 1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
 
-2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, select **Azure Active Directory**.
+2. Select **All Services**.  Type **Microsoft Entra ID** to filter the list of services.  Under **SERVICES**, select **Microsoft Entra ID**.
 
 3. Select **Groups**.  Select **New group**.
 
@@ -836,7 +842,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
 7. Select **Assigned** from the **Membership type** list.
 
-   ![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png)
+   ![Microsoft Entra new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png)
 
 8. Select **Members**.  Use the  **Select members** pane to add members to this group. When finished, select **Select**.
 
@@ -889,7 +895,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
     ![WHFB SCEP certificate Profile EKUs.](images/aadjcert/profile03.png)
 
-17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, ```https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll```. Select **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
+17. Under **SCEP Server URLs**, type the fully qualified external name of the Microsoft Entra application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, ```https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll```. Select **Add**. Repeat this step for each additional NDES Microsoft Entra application proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
 
 18. Select **Next**.
 
@@ -924,7 +930,7 @@ You have successfully completed the configuration.  Add users that need to enrol
 
 > [!div class="checklist"]
 > - Requirements
-> - Prepare Azure AD Connect
+> - Prepare Microsoft Entra Connect
 > - Prepare the Network Device Enrollment Services (NDES) Service Account
 > - Prepare Active Directory Certificate Authority
 > - Install and Configure the NDES Role
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index b512d1a236..e4c13dae5d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -1,21 +1,21 @@
 ---
-title: Configure single sign-on (SSO) for Azure AD joined devices
-description: Learn how to configure single sign-on to on-premises resources for Azure AD-joined devices, using Windows Hello for Business.
+title: Configure single sign-on (SSO) for Microsoft Entra joined devices
+description: Learn how to configure single sign-on to on-premises resources for Microsoft Entra joined devices, using Windows Hello for Business.
 ms.date: 12/30/2022
 ms.topic: how-to
 ---
-# Configure single sign-on for Azure AD joined devices
+# Configure single sign-on for Microsoft Entra joined devices
 
 [!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-keycert-trust-aad.md)]
 
-Windows Hello for Business combined with Azure AD-joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD-joined devices may need to access these resources. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Azure AD-joined devices using Windows Hello for Business, using a key or a certificate.
+Windows Hello for Business combined with Microsoft Entra joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Microsoft Entra joined devices may need to access these resources. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Microsoft Entra joined devices using Windows Hello for Business, using a key or a certificate.
 
 > [!NOTE]
 > These steps are not needed when using the cloud Kerberos trust model.
 
 ## Prerequisites
 
-Unlike hybrid Azure AD-joined devices, Azure AD-joined devices don't have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices:
+Unlike Microsoft Entra hybrid joined devices, Microsoft Entra joined devices don't have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Microsoft Entra joined devices:
 
 > [!div class="checklist"]
 > - Certificate Revocation List (CRL) Distribution Point
@@ -29,9 +29,9 @@ During certificate validation, Windows compares the current certificate with inf
 
 ![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png)
 
-The preceding domain controller certificate shows a *CRL distribution point* (CDP) in Active Directory. The value in the URL begins with *ldap*. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Azure AD joined devices can't read data from Active Directory, and certificate validation doesn't provide an opportunity to authenticate prior to reading the CRL. The authentication becomes a circular problem: the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user can't read Active Directory because they haven't authenticated.
+The preceding domain controller certificate shows a *CRL distribution point* (CDP) in Active Directory. The value in the URL begins with *ldap*. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Microsoft Entra joined devices can't read data from Active Directory, and certificate validation doesn't provide an opportunity to authenticate prior to reading the CRL. The authentication becomes a circular problem: the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user can't read Active Directory because they haven't authenticated.
 
-To resolve this issue, the CRL distribution point must be a location accessible by Azure AD joined devices that doesn't require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS).
+To resolve this issue, the CRL distribution point must be a location accessible by Microsoft Entra joined devices that doesn't require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS).
 
 If your CRL distribution point doesn't list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first, in the list of distribution points.
 
@@ -40,11 +40,11 @@ If your CRL distribution point doesn't list an HTTP distribution point, then you
 
 ### Domain controller certificates
 
-Certificate authorities write CDP information in certificates as they're issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CDP. The domain controller certificate is one the critical components of Azure AD-joined devices authenticating to Active Directory.
+Certificate authorities write CDP information in certificates as they're issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CDP. The domain controller certificate is one the critical components of Microsoft Entra joined devices authenticating to Active Directory.
 
 #### Why does Windows need to validate the domain controller certificate?
 
-Windows Hello for Business enforces the strict KDC validation security feature when authenticating from an Azure AD joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on an Azure AD joined device, the Windows client validates the reply from the domain controller by ensuring all of the following are met:
+Windows Hello for Business enforces the strict KDC validation security feature when authenticating from a Microsoft Entra joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on a Microsoft Entra joined device, the Windows client validates the reply from the domain controller by ensuring all of the following are met:
 
 - The domain controller has the private key for the certificate provided
 - The root CA that issued the domain controller's certificate is in the device's *Trusted Root Certificate Authorities*
@@ -54,7 +54,7 @@ Windows Hello for Business enforces the strict KDC validation security feature w
 - The domain controller's certificate's signature hash algorithm is **sha256**
 - The domain controller's certificate's public key is **RSA (2048 Bits)**
 
-Authenticating from a Hybrid Azure AD joined device to a domain using Windows Hello for Business doesn't enforce that the domain controller certificate includes the *KDC Authentication* EKU. If you're adding Azure AD-joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the *KDC Authentication* EKU.
+Authenticating from a Microsoft Entra hybrid joined device to a domain using Windows Hello for Business doesn't enforce that the domain controller certificate includes the *KDC Authentication* EKU. If you're adding Microsoft Entra joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the *KDC Authentication* EKU.
 
 ## Configure a CRL distribution point for an issuing CA
 
@@ -62,7 +62,7 @@ Use this set of procedures to update the CA that issues domain controller certif
 
 ### Configure Internet Information Services to host CRL distribution point
 
-You need to host your new certificate revocation list on a web server so Azure AD-joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps are just one and may be useful for admins unfamiliar with adding a new CRL distribution point.
+You need to host your new certificate revocation list on a web server so Microsoft Entra joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps are just one and may be useful for admins unfamiliar with adding a new CRL distribution point.
 
 > [!IMPORTANT]
 > Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate. Clients should access the distribution point using http. 
@@ -217,9 +217,11 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
 1. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Select **OK**
     ![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png)
 
-## Deploy the root CA certificate to Azure AD-joined devices
+<a name='deploy-the-root-ca-certificate-to-azure-ad-joined-devices'></a>
 
-The domain controllers have a certificate that includes the new CRL distribution point. Next, you need the enterprise root certificate so you can deploy it to Azure AD-joined devices. When you deploy the enterprise root certificates to a device, it ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD-joined devices don't trust domain controller certificates and authentication fails.
+## Deploy the root CA certificate to Microsoft Entra joined devices
+
+The domain controllers have a certificate that includes the new CRL distribution point. Next, you need the enterprise root certificate so you can deploy it to Microsoft Entra joined devices. When you deploy the enterprise root certificates to a device, it ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Microsoft Entra joined devices don't trust domain controller certificates and authentication fails.
 
 ### Export the enterprise root certificate
 
@@ -250,4 +252,4 @@ To configure devices with Microsoft Intune, use a custom policy:
 1. Under **Assignment**, select a security group that contains as members the devices or users that you want to configure > **Next**
 1. Review the policy configuration and select **Create**
 
-If you plan on using certificates for on-premises single-sign on, perform the additional steps in [Using Certificates for On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). Otherwise, you can sign in to an Azure AD joined device with Windows Hello for Business and test SSO to an on-premises resource.
+If you plan on using certificates for on-premises single-sign on, perform the additional steps in [Using Certificates for On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). Otherwise, you can sign in to a Microsoft Entra joined device with Windows Hello for Business and test SSO to an on-premises resource.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md
index 662e259872..e3340a65c2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md
@@ -25,12 +25,12 @@ Hybrid certificate trust deployments issue users a sign-in certificate, enabling
 [!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
 
 > [!NOTE]
-> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for hybrid Azure AD-joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD-joined devices.
+> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.
 
 > [!IMPORTANT]
-> For Azure AD joined devices to authenticate to on-premises resources, ensure to:
+> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to:
 > - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
-> - Publish your certificate revocation list to a location that is available to Azure AD-joined devices, such as a web-based URL
+> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL
 
 [!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
 
@@ -54,7 +54,7 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
 1. Close the console
 
 > [!IMPORTANT]
-> If you plan to deploy **Azure AD joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](hello-hybrid-aadj-sso.md).
+> If you plan to deploy **Microsoft Entra joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](hello-hybrid-aadj-sso.md).
 
 ## Configure and deploy certificates to domain controllers
 
@@ -82,4 +82,4 @@ Before moving to the next section, ensure the following steps are complete:
 > [Next: configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md)
 
 <!--links-->
-[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller
\ No newline at end of file
+[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
index eabb6ec24d..754b52a3a5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
@@ -15,7 +15,7 @@ ms.topic: how-to
 
 [!INCLUDE [hello-hybrid-cert-trust](./includes/hello-hybrid-cert-trust.md)]
 
-Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
+Hybrid environments are distributed systems that enable organizations to use on-premises and Microsoft Entra protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
 
 This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
 
@@ -29,10 +29,10 @@ The following prerequisites must be met for a hybrid certificate trust deploymen
 
 > [!div class="checklist"]
 > * Directories and directory synchronization
-> * Federated authentication to Azure AD
+> * Federated authentication to Microsoft Entra ID
 > * Device registration
 > * Public Key Infrastructure
-> * Multi-factor authentication
+> * Multifactor authentication
 > * Device management
 
 ### Directories and directory synchronization
@@ -40,21 +40,23 @@ The following prerequisites must be met for a hybrid certificate trust deploymen
 Hybrid Windows Hello for Business needs two directories:
 
 - An on-premises Active Directory
-- An Azure Active Directory tenant with an Azure AD Premium subscription
+- A Microsoft Entra tenant with a Microsoft Entra ID P1 or P2 subscription
 
-The two directories must be synchronized with [Azure AD Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Azure AD.
-The hybrid-certificate trust deployment needs an *Azure Active Directory Premium* subscription because it uses the device write-back synchronization feature.
+The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.
+The hybrid-certificate trust deployment needs an *Microsoft Entra ID P1 or P2* subscription because it uses the device write-back synchronization feature.
 
 > [!NOTE]
-> Windows Hello for Business hybrid certificate trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Azure AD.
+> Windows Hello for Business hybrid certificate trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID.
 
 > [!IMPORTANT]
-> Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Azure Active Directory and Active Directory.
+> Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory.
 
-### Federated authentication to Azure AD
+<a name='federated-authentication-to-azure-ad'></a>
 
-Windows Hello for Business hybrid certificate trust doesn't support Azure AD *Pass-through Authentication* (PTA) or *password hash sync* (PHS).\
-Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Azure Active Directory using AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices.
+### Federated authentication to Microsoft Entra ID
+
+Windows Hello for Business hybrid certificate trust doesn't support Microsoft Entra ID *Pass-through Authentication* (PTA) or *password hash sync* (PHS).\
+Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices.
 
 If you're new to AD FS and federation services:
 
@@ -69,18 +71,18 @@ The AD FS farm used with Windows Hello for Business must be Windows Server 2016
 
 ### Device registration and device write-back
 
-Windows devices must be registered in Azure AD. Devices can be registered in Azure AD using either *Azure AD join* or *hybrid Azure AD join*.\
-For hybrid Azure AD joined devices, review the guidance on the [plan your hybrid Azure Active Directory join implementation][AZ-8] page.
+Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either *Microsoft Entra join* or *Microsoft Entra hybrid join*.\
+For Microsoft Entra hybrid joined devices, review the guidance on the [plan your Microsoft Entra hybrid join implementation][AZ-8] page.
 
-Refer to the [Configure hybrid Azure Active Directory join for federated domains][AZ-10] guide to learn more about using Azure AD Connect Sync to configure Azure AD device registration.\
-For a **manual configuration** of your AD FS farm to support device registration, review the [Configure AD FS for Azure AD device registration][AZ-11] guide.
+Refer to the [Configure Microsoft Entra hybrid join for federated domains][AZ-10] guide to learn more about using Microsoft Entra Connect Sync to configure Microsoft Entra device registration.\
+For a **manual configuration** of your AD FS farm to support device registration, review the [Configure AD FS for Microsoft Entra device registration][AZ-11] guide.
 
 Hybrid certificate trust deployments require the *device write-back* feature. Authentication to AD FS needs both the user and the device to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the device and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device write-back.
 
 > [!NOTE]
-> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory. Device write-back is used to update the *msDS-KeyCredentialLink* attribute on the computer object.
+> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Microsoft Entra ID and Active Directory. Device write-back is used to update the *msDS-KeyCredentialLink* attribute on the computer object.
 
-If you manually configured AD FS, or if you ran Azure AD Connect Sync using *Custom Settings*, you must ensure that you have configured **device write-back** and **device authentication** in your AD FS farm. For more information, see [Configure Device Write Back and Device Authentication][SER-5].
+If you manually configured AD FS, or if you ran Microsoft Entra Connect Sync using *Custom Settings*, you must ensure that you have configured **device write-back** and **device authentication** in your AD FS farm. For more information, see [Configure Device Write Back and Device Authentication][SER-5].
 
 ### Public Key Infrastructure
 
@@ -89,16 +91,18 @@ The enterprise PKI and a certificate registration authority (CRA) are required t
 
 During Windows Hello for Business provisioning, users receive a sign-in certificate through the CRA.
 
-### Multi-factor authentication
+<a name='multi-factor-authentication'></a>
+
+### Multifactor authentication
 
 The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\
 Hybrid deployments can use:
 
-- [Azure AD Multi-Factor Authentication][AZ-2]
-- A multi-factor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS
+- [Microsoft Entra multifactor authentication][AZ-2]
+- A multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS
 
-For more information how to configure Azure AD Multi-Factor Authentication, see [Configure Azure AD Multi-Factor Authentication settings][AZ-3].\
-For more information how to configure AD FS to provide multi-factor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
+For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][AZ-3].\
+For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
 
 ### Device management
 
@@ -113,7 +117,7 @@ Once the prerequisites are met, deploying Windows Hello for Business with a hybr
 > * Configure AD FS
 > * Configure Windows Hello for Business settings
 > * Provision Windows Hello for Business on Windows clients
-> * Configure single sign-on (SSO) for Azure AD joined devices
+> * Configure single sign-on (SSO) for Microsoft Entra joined devices
 
 > [!div class="nextstepaction"]
 > [Next: configure and validate the Public Key Infrastructure >](hello-hybrid-cert-trust-validate-pki.md)
@@ -135,4 +139,4 @@ Once the prerequisites are met, deploying Windows Hello for Business with a hybr
 [SER-2]: /windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm
 [SER-3]: /windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts
 [SER-4]: /windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2
-[SER-5]: /windows-server/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises#configure-device-write-back-and-device-authentication
\ No newline at end of file
+[SER-5]: /windows-server/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises#configure-device-write-back-and-device-authentication
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 934a3f70de..0d5ed158f7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -16,9 +16,9 @@ After the prerequisites are met and the PKI and AD FS configurations are validat
 #### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
 
 > [!IMPORTANT]
-> The information in this section applies to hybrid Azure AD joined devices only.
+> The information in this section applies to Microsoft Entra hybrid joined devices only.
 
-For hybrid Azure AD joined devices, you can use group policies to configure Windows Hello for Business.
+For Microsoft Entra hybrid joined devices, you can use group policies to configure Windows Hello for Business.
 It is suggested to create a security group (for example, *Windows Hello for Business Users*) to make it easy to deploy Windows Hello for Business in phases. You assign the **Group Policy** and **Certificate template permissions** to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate.
 
 ### Enable Windows Hello for Business group policy setting
@@ -95,11 +95,11 @@ Users (or devices) must receive the Windows Hello for Business group policy sett
 ## Configure Windows Hello for Business using Microsoft Intune
 
 > [!IMPORTANT]
-> The information in this section applies to Azure AD joined devices managed by Intune. Before proceeding, ensure that you completed the steps described in:
-> - [Configure single sign-on for Azure AD joined devices](hello-hybrid-aadj-sso.md)
+> The information in this section applies to Microsoft Entra joined devices managed by Intune. Before proceeding, ensure that you completed the steps described in:
+> - [Configure single sign-on for Microsoft Entra joined devices](hello-hybrid-aadj-sso.md)
 > - [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md)
 
-For Azure AD joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
+For Microsoft Entra joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
 
 There are different ways to enable and configure Windows Hello for Business in Intune:
 
@@ -163,19 +163,19 @@ This is the process that occurs after a user signs in, to enroll in Windows Hell
 1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**
 1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
 1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
-1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Azure AD Connect synchronizes the user's key to Active Directory
+1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key to Active Directory
 
 :::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
 
 > [!IMPORTANT]
 > The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889).
 > 
-> The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. 
+> The minimum time needed to synchronize the user's public key from Microsoft Entra ID to the on-premises Active Directory is 30 minutes. The Microsoft Entra Connect scheduler controls the synchronization interval. 
 > **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
-> Read [Azure AD Connect sync: Scheduler](/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
+> Read [Microsoft Entra Connect Sync: Scheduler](/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
 >
 > [!NOTE]
-> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning.  With this update, users no longer need to wait for Azure AD Connect to sync their  public key on-premises.  Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers.
+> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning.  With this update, users no longer need to wait for Microsoft Entra Connect to sync their  public key on-premises.  Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers.
 
 After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate.  Windows send the certificate request to the AD FS server for certificate enrollment.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
index 4765ae8d4e..7b4394d51f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
@@ -14,18 +14,20 @@ ms.topic: tutorial
 
 Deploying Windows Hello for Business cloud Kerberos trust consists of two steps:
 
-1. Set up Azure AD Kerberos.
+1. Set up Microsoft Entra Kerberos.
 1. Configure a Windows Hello for Business policy and deploy it to the devices.
 
-### Deploy Azure AD Kerberos
+<a name='deploy-azure-ad-kerberos'></a>
 
-If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Azure AD Kerberos in your hybrid environment. You don't need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business and you can skip this section.
+### Deploy Microsoft Entra Kerberos
 
-If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD][AZ-2] documentation. This page includes information on how to install and use the Azure AD Kerberos PowerShell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust.
+If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Microsoft Entra Kerberos in your hybrid environment. You don't need to redeploy or change your existing Microsoft Entra Kerberos deployment to support Windows Hello for Business and you can skip this section.
+
+If you haven't deployed Microsoft Entra Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Microsoft Entra ID][AZ-2] documentation. This page includes information on how to install and use the Microsoft Entra Kerberos PowerShell module. Use the module to create a Microsoft Entra Kerberos server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust.
 
 ### Configure Windows Hello for Business policy
 
-After setting up the Azure AD Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
+After setting up the Microsoft Entra Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
 
 #### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
 
@@ -99,7 +101,7 @@ To configure the cloud Kerberos trust policy:
    - Value: **True**
 
     > [!IMPORTANT]
-    > *Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID][AZ-3] for instructions on looking up your tenant ID.
+    > *Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Microsoft Entra tenant. See [How to find your Microsoft Entra tenant ID][AZ-3] for instructions on looking up your tenant ID.
 
     :::image type="content" alt-text ="Intune custom-device configuration policy creation" source="images/hello-cloud-trust-intune.png" lightbox="images/hello-cloud-trust-intune-large.png":::
 
@@ -107,7 +109,7 @@ To configure the cloud Kerberos trust policy:
 
 #### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
 
-Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business.
+Microsoft Entra hybrid joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business.
 
 The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled.  
 
@@ -142,17 +144,17 @@ You can configure Windows Hello for Business cloud Kerberos trust using a Group
 
 ## Provision Windows Hello for Business
 
-The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business *cloud Kerberos trust* adds a prerequisite check for Hybrid Azure AD-joined devices when cloud Kerberos trust is enabled by policy.
+The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business *cloud Kerberos trust* adds a prerequisite check for Microsoft Entra hybrid joined devices when cloud Kerberos trust is enabled by policy.
 
 You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\
 This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4].
 
 :::image type="content" alt-text="Cloud Kerberos trust prerequisite check in the user device registration log" source="images/cloud-trust-prereq-check.png" lightbox="images/cloud-trust-prereq-check.png":::
 
-The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Azure AD joined.
+The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Microsoft Entra Kerberos is set up for the user's domain and tenant. If Microsoft Entra Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Microsoft Entra joined.
 
 > [!NOTE]
-> The cloud Kerberos trust prerequisite check isn't done on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory.
+> The cloud Kerberos trust prerequisite check isn't done on Microsoft Entra joined devices. If Microsoft Entra Kerberos isn't provisioned, a user on a Microsoft Entra joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory.
 
 ### PIN Setup
 
@@ -166,18 +168,18 @@ After a user signs in, this is the process that occurs to enroll in Windows Hell
 
 ### Sign-in
 
-Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.
+Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Microsoft Entra hybrid joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.
 
 ## Migrate from key trust deployment model to cloud Kerberos trust
 
 If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps:
 
-1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos).
+1. [Set up Microsoft Entra Kerberos in your hybrid environment](#deploy-azure-ad-kerberos).
 1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy).
-1. For Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business.
+1. For Microsoft Entra joined devices, sign out and sign in to the device using Windows Hello for Business.
 
 > [!NOTE]
-> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
+> For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
 
 ## Migrate from certificate trust deployment model to cloud Kerberos trust
 
@@ -193,7 +195,7 @@ If you deployed Windows Hello for Business using the certificate trust model, an
 1. Provision Windows Hello for Business using a method of your choice.
 
 > [!NOTE]
-> For hybrid Azure AD joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC.
+> For Microsoft Entra hybrid joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC.
 
 ## Frequently Asked Questions
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
index 23b6c288e5..464e918a1e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
@@ -16,34 +16,36 @@ Windows Hello for Business replaces password sign-in with strong authentication,
 
 The goal of Windows Hello for Business cloud Kerberos trust is to bring the simplified deployment experience of [*passwordless security key sign-in*][AZ-1] to Windows Hello for Business, and it can be used for new or existing Windows Hello for Business deployments.
 
-Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which enables a simpler deployment when compared to the *key trust model*:
+Windows Hello for Business cloud Kerberos trust uses *Microsoft Entra Kerberos*, which enables a simpler deployment when compared to the *key trust model*:
 
 - No need to deploy a public key infrastructure (PKI) or to change an existing PKI
-- No need to synchronize public keys between Azure AD and Active Directory for users to access on-premises resources. There isn't any delay between the user's Windows Hello for Business provisioning, and being able to authenticate to Active Directory
+- No need to synchronize public keys between Microsoft Entra ID and Active Directory for users to access on-premises resources. There isn't any delay between the user's Windows Hello for Business provisioning, and being able to authenticate to Active Directory
 - [Passwordless security key sign-in][AZ-1] can be deployed with minimal extra setup
 
 > [!NOTE]
 > Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the *key trust model*. It is also the preferred deployment model if you do not need to support certificate authentication scenarios.
 
-## Azure AD Kerberos and cloud Kerberos trust authentication
+<a name='azure-ad-kerberos-and-cloud-kerberos-trust-authentication'></a>
+
+## Microsoft Entra Kerberos and cloud Kerberos trust authentication
 
 *Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.
 
-Cloud Kerberos trust uses Azure AD Kerberos, which doesn't require a PKI to request TGTs.\
-With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for sign-in or to access AD-based resources. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization.
+Cloud Kerberos trust uses Microsoft Entra Kerberos, which doesn't require a PKI to request TGTs.\
+With Microsoft Entra Kerberos, Microsoft Entra ID can issue TGTs for one or more AD domains. Windows can request a TGT from Microsoft Entra ID when authenticating with Windows Hello for Business, and use the returned TGT for sign-in or to access AD-based resources. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization.
 
-When Azure AD Kerberos is enabled in an Active Directory domain, an *AzureADKerberos* computer object is created in the domain. This object:
+When Microsoft Entra Kerberos is enabled in an Active Directory domain, an *AzureADKerberos* computer object is created in the domain. This object:
 
 - Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers
-- Is only used by Azure AD to generate TGTs for the Active Directory domain
+- Is only used by Microsoft Entra ID to generate TGTs for the Active Directory domain
 
   > [!NOTE]
   > Similar rules and restrictions used for RODCs apply to the AzureADKerberos computer object. For example, users that are direct or indirect members of priviliged built-in security groups won't be able to use cloud Kerberos trust.
 
-:::image type="content" source="images/azuread-kerberos-object.png" alt-text="Active Directory Users and Computers console, showing the computer object representing the Azure AD Kerberos server ":::
+:::image type="content" source="images/azuread-kerberos-object.png" alt-text="Active Directory Users and Computers console, showing the computer object representing the Microsoft Entra Kerberos server ":::
 
-For more information about how Azure AD Kerberos enables access to on-premises resources, see [enabling passwordless security key sign-in to on-premises resources][AZ-1].\
-For more information about how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-cloud-kerberos-trust).
+For more information about how Microsoft Entra Kerberos enables access to on-premises resources, see [enabling passwordless security key sign-in to on-premises resources][AZ-1].\
+For more information about how Microsoft Entra Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-cloud-kerberos-trust).
 
 > [!IMPORTANT]
 > When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1].
@@ -52,10 +54,10 @@ For more information about how Azure AD Kerberos works with Windows Hello for Bu
 
 | Requirement | Notes |
 | --- | --- |
-| Multi-factor Authentication | This requirement can be met using [Azure AD multi-factor authentication](/azure/active-directory/authentication/howto-mfa-getstarted), multi-factor authentication provided through AD FS, or a comparable solution. |
-| Windows 10, version 21H2 or Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. |
+| Multifactor authentication | This requirement can be met using [Microsoft Entra multifactor authentication](/azure/active-directory/authentication/howto-mfa-getstarted), multifactor authentication provided through AD FS, or a comparable solution. |
+| Windows 10, version 21H2 or Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Microsoft Entra joined and Microsoft Entra hybrid joined devices. |
 | Windows Server 2016 or later Domain Controllers | If you're using Windows Server 2016, [KB3534307][SUP-1] must be installed. If you're using Server 2019, [KB4534321][SUP-2] must be installed. |
-| Azure AD Kerberos PowerShell module | This module is used for enabling and managing Azure AD Kerberos. It's available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement).|
+| Microsoft Entra Kerberos PowerShell module | This module is used for enabling and managing Microsoft Entra Kerberos. It's available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement).|
 | Device management | Windows Hello for Business cloud Kerberos trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. |
 
 ### Unsupported scenarios
@@ -65,19 +67,19 @@ The following scenarios aren't supported using Windows Hello for Business cloud
 - On-premises only deployments
 - RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container)
 - Using cloud Kerberos trust for "Run as"
-- Signing in with cloud Kerberos trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity
+- Signing in with cloud Kerberos trust on a Microsoft Entra hybrid joined device without previously signing in with DC connectivity
 
 > [!NOTE]
 > The default *Password Replication Policy* configured on the AzureADKerberos computer object doesn't allow to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys.
 >
-> Due to possible attack vectors from Azure AD to Active Directory, it **isn't recommended** to unblock these accounts by relaxing the Password Replication Policy of the computer object `CN=AzureADKerberos,OU=Domain Controllers,<domain-DN>`.
+> Due to possible attack vectors from Microsoft Entra ID to Active Directory, it **isn't recommended** to unblock these accounts by relaxing the Password Replication Policy of the computer object `CN=AzureADKerberos,OU=Domain Controllers,<domain-DN>`.
 
 ## Next steps
 
 Once the prerequisites are met, deploying Windows Hello for Business with a cloud Kerberos trust model consists of the following steps:
 
 > [!div class="checklist"]
-> * Deploy Azure AD Kerberos
+> * Deploy Microsoft Entra Kerberos
 > * Configure Windows Hello for Business settings
 > * Provision Windows Hello for Business on Windows clients
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
index 7c2d96a0d1..dc8d3d3a24 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
@@ -15,7 +15,7 @@ After the prerequisites are met and the PKI configuration is validated, Windows
 
 ## Configure Windows Hello for Business using Microsoft Intune
 
-For Azure AD joined devices and hybrid Azure AD joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
+For Microsoft Entra joined devices and Microsoft Entra hybrid joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
 
 There are different ways to enable and configure Windows Hello for Business in Intune:
 
@@ -66,7 +66,7 @@ To configure Windows Hello for Business using an *account protection* policy:
 
 ## Configure Windows Hello for Business using group policies
 
-For hybrid Azure AD joined devices, you can use group policies to configure Windows Hello for Business.
+For Microsoft Entra hybrid joined devices, you can use group policies to configure Windows Hello for Business.
 It's suggested to create a security group (for example, *Windows Hello for Business Users*) to make it easy to deploy Windows Hello for Business in phases. You assign **Group Policy permissions** to this group to simplify the deployment by adding the users to the group.
 
 The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
@@ -144,14 +144,14 @@ The following process occurs after a user signs in, to enroll in Windows Hello f
 1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**
 1. The enrollment flow proceeds to the multi-factor authentication phase. The process informs the user that there's an MFA contact attempt, using the configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
 1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
-1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Azure AD Connect synchronizes the user's key to Active Directory
+1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key to Active Directory
 
 :::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
 
 > [!IMPORTANT]
-> The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval.
+> The minimum time needed to synchronize the user's public key from Microsoft Entra ID to the on-premises Active Directory is 30 minutes. The Microsoft Entra Connect scheduler controls the synchronization interval.
 > **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
-> Read [Azure AD Connect sync: Scheduler][AZ-5] to view and adjust the **synchronization cycle** for your organization.
+> Read [Microsoft Entra Connect Sync: Scheduler][AZ-5] to view and adjust the **synchronization cycle** for your organization.
 
 <!--links-->
 [AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
index c4248ffb62..f39545b8e8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
@@ -16,7 +16,7 @@ ms.topic: tutorial
 
 Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
 
-Key trust deployments do not need client-issued certificates for on-premises authentication. Active Directory user accounts are configured for public key mapping by *Azure AD Connect Sync*, which synchronizes the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink`).
+Key trust deployments do not need client-issued certificates for on-premises authentication. Active Directory user accounts are configured for public key mapping by *Microsoft Entra Connect Sync*, which synchronizes the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink`).
 
 A Windows Server-based PKI or a third-party Enterprise certification authority can be used. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA][SERV-1].
 
@@ -49,12 +49,12 @@ Sign in using *Enterprise Administrator* equivalent credentials on a Windows Ser
 [!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
 
 > [!NOTE]
-> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for hybrid Azure AD-joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD-joined devices.
+> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.
 
 > [!IMPORTANT]
-> For Azure AD joined devices to authenticate to on-premises resources, ensure to:
+> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to:
 > - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
-> - Publish your certificate revocation list to a location that is available to Azure AD-joined devices, such as a web-based URL
+> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL
 
 [!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
 
@@ -74,7 +74,7 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
 1. Close the console
 
 > [!IMPORTANT]
-> If you plan to deploy **Azure AD joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](hello-hybrid-aadj-sso.md).
+> If you plan to deploy **Microsoft Entra joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](hello-hybrid-aadj-sso.md).
 
 ## Configure and deploy certificates to domain controllers
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
index 8ab43e5406..a0a36f2cc0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@@ -14,7 +14,7 @@ ms.topic: how-to
 
 [!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-key-trust.md)]
 
-Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
+Hybrid environments are distributed systems that enable organizations to use on-premises and Microsoft Entra protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
 
 This deployment guide describes how to deploy Windows Hello for Business in a hybrid key trust scenario.
 
@@ -29,10 +29,10 @@ The following prerequisites must be met for a hybrid key trust deployment:
 
 > [!div class="checklist"]
 > * Directories and directory synchronization
-> * Authentication to Azure AD
+> * Authentication to Microsoft Entra ID
 > * Device registration
 > * Public Key Infrastructure
-> * Multi-factor authentication
+> * Multifactor authentication
 > * Device management
 
 ### Directories and directory synchronization
@@ -40,40 +40,44 @@ The following prerequisites must be met for a hybrid key trust deployment:
 Hybrid Windows Hello for Business needs two directories:
 
 - An on-premises Active Directory
-- An Azure Active Directory tenant
+- A Microsoft Entra tenant
 
-The two directories must be synchronized with [Azure AD Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Azure AD.\
-During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Azure AD. *Azure AD Connect Sync* synchronizes the Windows Hello for Business public key to Active Directory.
+The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.\
+During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Microsoft Entra ID. *Microsoft Entra Connect Sync* synchronizes the Windows Hello for Business public key to Active Directory.
 
 > [!NOTE]
-> Windows Hello for Business hybrid key trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Azure AD.
+> Windows Hello for Business hybrid key trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID.
 
-### Authentication to Azure AD
+<a name='authentication-to-azure-ad'></a>
 
-Authentication to Azure AD can be configured with or without federation:
+### Authentication to Microsoft Entra ID
 
-- [Password hash synchronization][AZ-6] or [Azure Active Directory pass-through-authentication][AZ-7] is required for non-federated environments
+Authentication to Microsoft Entra ID can be configured with or without federation:
+
+- [Password hash synchronization][AZ-6] or [Microsoft Entra pass-through authentication][AZ-7] is required for non-federated environments
 - Active Directory Federation Services (AD FS) or a third-party federation service is required for federated environments
 
 ### Device registration
 
-The Windows devices must be registered in Azure AD. Devices can be registered in Azure AD using either *Azure AD join* or *hybrid Azure AD join*.\
-For *hybrid Azure AD joined* devices, review the guidance on the [Plan your hybrid Azure Active Directory join implementation][AZ-8] page.
+The Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either *Microsoft Entra join* or *Microsoft Entra hybrid join*.\
+For *Microsoft Entra hybrid joined* devices, review the guidance on the [Plan your Microsoft Entra hybrid join implementation][AZ-8] page.
 
 ### Public Key Infrastructure
 
 An enterprise PKI is required as *trust anchor* for authentication. Domain controllers require a certificate for Windows clients to trust them.
 
-### Multi-factor authentication
+<a name='multi-factor-authentication'></a>
+
+### Multifactor authentication
 
 The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\
 Hybrid deployments can use:
 
-- [Azure AD Multi-Factor Authentication][AZ-2]
-- A multi-factor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS
+- [Microsoft Entra multifactor authentication][AZ-2]
+- A multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS
 
-For more information how to configure Azure AD Multi-Factor Authentication, see [Configure Azure AD Multi-Factor Authentication settings][AZ-3].\
-For more information how to configure AD FS to provide multi-factor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
+For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][AZ-3].\
+For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
 
 ### Device management
 
@@ -87,7 +91,7 @@ Once the prerequisites are met, deploying Windows Hello for Business with a hybr
 > * Configure and validate the PKI
 > * Configure Windows Hello for Business settings
 > * Provision Windows Hello for Business on Windows clients
-> * Configure single sign-on (SSO) for Azure AD joined devices
+> * Configure single sign-on (SSO) for Microsoft Entra joined devices
 
 > [!div class="nextstepaction"]
 > [Next: configure and validate the Public Key Infrastructure >](hello-hybrid-key-trust-validate-pki.md)
@@ -102,4 +106,4 @@ Once the prerequisites are met, deploying Windows Hello for Business with a hybr
 [AZ-7]: /azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication
 [AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan
 
-[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
\ No newline at end of file
+[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 510a0584ba..ea4c5a3119 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -1,5 +1,5 @@
 ---
-ms.date: 07/05/2023
+ms.date: 10/09/2023
 title: Windows Hello for Business Deployment Prerequisite Overview
 description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
 ms.topic: overview
@@ -17,12 +17,14 @@ appliesto:
 
 This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business.
 
-## Azure AD Cloud Only Deployment
+<a name='azure-ad-cloud-only-deployment'></a>
 
-- Azure Active Directory
-- Azure AD Multifactor Authentication
+## Microsoft Entra Cloud Only Deployment
+
+- Microsoft Entra ID
+- Microsoft Entra multifactor authentication
 - Device management solution (Intune or supported third-party MDM), *optional*
-- Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory
+- Microsoft Entra ID P1 or P2 subscription - *optional*, needed for automatic MDM enrollment when the device joins Microsoft Entra ID
 
 ## Hybrid Deployments
 
@@ -37,19 +39,19 @@ The table shows the minimum requirements for each deployment. For key trust in a
 | **Certificate Authority**| Not required |Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions |
 | **AD FS Version** | Not required | Not required | Any supported Windows Server versions | Any supported Windows Server versions |
 | **MFA Requirement** | Azure MFA, or<br/>AD FS w/Azure MFA adapter, or<br/>AD FS w/Azure MFA Server adapter, or<br/>AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or<br/>AD FS w/Azure MFA adapter, or<br/>AD FS w/Azure MFA Server adapter, or<br/>AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or<br/>AD FS w/Azure MFA adapter, or<br/>AD FS w/Azure MFA Server adapter, or<br/>AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or<br/>AD FS w/Azure MFA adapter, or<br/>AD FS w/Azure MFA Server adapter, or<br/>AD FS w/3rd Party MFA Adapter |
-| **Azure AD Connect** | Not required | Required | Required | Required |
-| **Azure AD License** | Azure AD Premium, optional | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional. Intune license required |
+| **Microsoft Entra Connect** | Not required. It's recommended to use [Microsoft Entra Connect cloud sync](/azure/active-directory/hybrid/cloud-sync/what-is-cloud-sync) | Required | Required | Required |
+| **Microsoft Entra ID license** | Microsoft Entra ID P1 or P2, optional | Microsoft Entra ID P1 or P2, optional | Microsoft Entra ID P1 or P2, needed for device write-back | Microsoft Entra ID P1 or P2, optional. Intune license required |
 
 ## On-premises Deployments
 
 The table shows the minimum requirements for each deployment.
 
-| Key trust <br/> Group Policy managed | Certificate trust <br/> Group Policy managed|
-| --- | --- |
-|Any supported Windows client versions|Any supported Windows client versions|
-| Windows Server 2016 Schema | Windows Server 2016 Schema|
-| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
-| Any supported Windows Server versions  | Any supported Windows Server versions |
-| Any supported Windows Server versions  | Any supported Windows Server versions  |
-| Any supported Windows Server versions  | Any supported Windows Server versions  |
-| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter |
\ No newline at end of file
+| Requirement | Key trust <br/> Group Policy managed | Certificate trust <br/> Group Policy managed|
+| --- | --- | ---|
+| **Windows Version** | Any supported Windows client versions|Any supported Windows client versions|
+| **Schema Version**| Windows Server 2016 Schema | Windows Server 2016 Schema|
+| **Domain and Forest Functional Level**| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
+| **Domain Controller Version**| Any supported Windows Server versions  | Any supported Windows Server versions |
+| **Certificate Authority**| Any supported Windows Server versions  | Any supported Windows Server versions  |
+| **AD FS Version**| Any supported Windows Server versions  | Any supported Windows Server versions  |
+| **MFA Requirement**| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter |
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index 61aece97e7..52c64523e9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -1,6 +1,6 @@
 ---
 title: Validate and Deploy MFA for Windows Hello for Business with key trust
-description: Validate and deploy multi-factor authentication (MFA) for Windows Hello for Business in an on-premises key trust model.
+description: Validate and deploy multifactor authentication (MFA) for Windows Hello for Business in an on-premises key trust model.
 ms.date: 09/07/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
@@ -11,22 +11,22 @@ appliesto:
 ms.topic: tutorial
 ---
 
-# Validate and deploy multi-factor authentication - on-premises key trust
+# Validate and deploy multifactor authentication - on-premises key trust
 
 [!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
 
-Windows Hello for Business requires users perform multi-factor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
+Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
 
 - certificates
 - third-party authentication providers for AD FS
 - custom authentication provider for AD FS
 
 > [!IMPORTANT]
-> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
+> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Microsoft Entra multifactor authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
 
 For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
 
-Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
+Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
 
 > [!div class="nextstepaction"]
-> [Next: configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
\ No newline at end of file
+> [Next: configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 2efe441a67..999b35f45b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -4,8 +4,8 @@ description: Learn how to create a Group Policy or mobile device management (MDM
 ms.collection: 
   - highpri
   - tier1
-ms.date: 2/15/2022
-ms.topic: how-to
+ms.date: 9/25/2023
+ms.topic: reference
 ---
 
 # Manage Windows Hello for Business in your organization
@@ -13,37 +13,37 @@ ms.topic: how-to
 You can create a Group Policy or mobile device management (MDM) policy to configure Windows Hello for Business on Windows devices.
 
 >[!IMPORTANT]
->Windows Hello as a convenience PIN is disabled by default on all domain joined and Azure AD joined devices. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**.
+>Windows Hello as a convenience PIN is disabled by default on all domain joined and Microsoft Entra joined devices. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**.
 >
 >Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business.
 
 ## Group Policy settings for Windows Hello for Business
 
-The following table lists the Group Policy settings that you can configure for Windows Hello use in your organization. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies > Administrative Templates > Windows Components > Windows Hello for Business**.
+The following table lists the Group Policy settings that you can configure for Windows Hello use in your organization. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
 
 > [!NOTE]
 > The location of the PIN complexity section of the Group Policy is: **Computer Configuration > Administrative Templates > System > PIN Complexity**.
 
 |Policy|Scope|Options|
 |--- |--- |--- |
-|Use Windows Hello for Business|Computer or user|<p><b>Not configured</b>: Device doesn't provision Windows Hello for Business for any user.<p><b>Enabled</b>: Device provisions Windows Hello for Business using keys or certificates for all users.<p><b>Disabled</b>: Device doesn't provision Windows Hello for Business for any user.|
-|Use a hardware security device|Computer|<p><b>Not configured</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.<p><b>Enabled</b>: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.<p><b>Disabled</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
-|Use certificate for on-premises authentication|Computer or user|<p><b>Not configured</b>: Windows Hello for Business enrolls a key that is used for on-premises authentication.<p><b>Enabled</b>: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.<p><b>Disabled</b>: Windows Hello for Business enrolls a key that is used for on-premises authentication.|
-|Use PIN recovery|Computer|<p>Added in Windows 10, version 1703<p><b>Not configured</b>: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service<p><b>Enabled</b>: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset<p><b>Disabled</b>: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service.<p>For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
-|Use biometrics|Computer|<p><b>Not configured</b>: Biometrics can be used as a gesture in place of a PIN<p><b>Enabled</b>: Biometrics can be used as a gesture in place of a PIN.<p><b>Disabled</b>: Only a PIN can be used as a gesture.|
+|Use Windows Hello for Business|Computer or user|- **Not configured**: Device doesn't provision Windows Hello for Business for any user.<br>- **Enabled**: Device provisions Windows Hello for Business using keys or certificates for all users.<br>- **Disabled**: Device doesn't provision Windows Hello for Business for any user.|
+|Use a hardware security device|Computer|- **Not configured**: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.<br>- **Enabled**: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.<br>- **Disabled**: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
+|Use certificate for on-premises authentication|Computer or user|- **Not configured**: Windows Hello for Business enrolls a key that is used for on-premises authentication.<br>- **Enabled**: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.<br>- **Disabled**: Windows Hello for Business enrolls a key that is used for on-premises authentication.|
+|Use PIN recovery|Computer|- Added in Windows 10, version 1703<br>- **Not configured**: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service<br>- **Enabled**: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset<br>- **Disabled**: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service.<br>- For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
+|Use biometrics|Computer|- **Not configured**: Biometrics can be used as a gesture in place of a PIN<br>- **Enabled**: Biometrics can be used as a gesture in place of a PIN.<br>- **Disabled**: Only a PIN can be used as a gesture.|
 
 ### PIN Complexity
 
 |Policy|Scope|Options|
 |--- |--- |--- |
-|Require digits|Computer|<p><b>Not configured</b>: Users must include a digit in their PIN.<p><b>Enabled</b>: Users must include a digit in their PIN.<p><b>Disabled</b>: Users can't use digits in their PIN.|
-|Require lowercase letters|Computer|<p><b>Not configured</b>: Users can't use lowercase letters in their PIN<p><b>Enabled</b>: Users must include at least one lowercase letter in their PIN.<p><b>Disabled</b>: Users can't use lowercase letters in their PIN.|
-|Maximum PIN length|Computer|<p><b>Not configured</b>: PIN length must be less than or equal to 127.<p><b>Enabled</b>: PIN length must be less than or equal to the number you specify.<p><b>Disabled</b>: PIN length must be less than or equal to 127.|
-|Minimum PIN length|Computer|<p><b>Not configured</b>: PIN length must be greater  than or equal to 4.<p><b>Enabled</b>: PIN length must be greater than or equal to the number you specify.<p><b>Disabled</b>: PIN length must be greater  than or equal to 4.|
-|Expiration|Computer|<p><b>Not configured</b>: PIN doesn't expire.<p><b>Enabled</b>: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.<p><b>Disabled</b>: PIN doesn't expire.|
-|History|Computer|<p><b>Not configured</b>: Previous PINs aren't stored.<p><b>Enabled</b>: Specify the number of previous PINs that can be associated to a user account that can&#39;t be reused.<p><b>Disabled</b>: Previous PINs aren't stored.<div class="alert"><b>Note</b>  Current PIN is included in PIN history.</div>|
-|Require special characters|Computer|<p><b>Not configured</b>: Windows allows, but doesn't require, special characters in the PIN.<p><b>Enabled</b>: Windows requires the user to include at least one special character in their PIN.<p><b>Disabled</b>: Windows doesn't allow the user to include special characters in their PIN.|
-|Require uppercase letters|Computer|<p><b>Not configured</b>: Users can't include an uppercase letter in their PIN.<p><b>Enabled</b>: Users must include at least one uppercase letter in their PIN.<p><b>Disabled</b>: Users can't include an uppercase letter in their PIN.|
+|Require digits|Computer|- **Not configured**: Users must include a digit in their PIN.<br>- **Enabled**: Users must include a digit in their PIN.<br>- **Disabled**: Users can't use digits in their PIN.|
+|Require lowercase letters|Computer|- **Not configured**: Users can't use lowercase letters in their PIN<br>- **Enabled**: Users must include at least one lowercase letter in their PIN.<br>- **Disabled**: Users can't use lowercase letters in their PIN.|
+|Maximum PIN length|Computer|- **Not configured**: PIN length must be less than or equal to 127.<br>- **Enabled**: PIN length must be less than or equal to the number you specify.<br>- **Disabled**: PIN length must be less than or equal to 127.|
+|Minimum PIN length|Computer|- **Not configured**: PIN length must be greater  than or equal to 4.<br>- **Enabled**: PIN length must be greater than or equal to the number you specify.<br>- **Disabled**: PIN length must be greater  than or equal to 4.|
+|Expiration|Computer|- **Not configured**: PIN doesn't expire.<br>- **Enabled**: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.<br>- **Disabled**: PIN doesn't expire.|
+|History|Computer|- **Not configured**: Previous PINs aren't stored.<br>- **Enabled**: Specify the number of previous PINs that can be associated to a user account that can&#39;t be reused.<br>- **Disabled**: Previous PINs aren't stored.<br>**Note** Current PIN is included in PIN history.
+|Require special characters|Computer|- **Not configured**: Windows allows, but doesn't require, special characters in the PIN.<br>- **Enabled**: Windows requires the user to include at least one special character in their PIN.<br>- **Disabled**: Windows doesn't allow the user to include special characters in their PIN.|
+|Require uppercase letters|Computer|- **Not configured**: Users can't include an uppercase letter in their PIN.<br>- **Enabled**: Users must include at least one uppercase letter in their PIN.<br>- **Disabled**: Users can't include an uppercase letter in their PIN.|
 
 ### Phone Sign-in
 
@@ -56,34 +56,34 @@ The following table lists the Group Policy settings that you can configure for W
 The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](/windows/client-management/mdm/passportforwork-csp).
 
 >[!IMPORTANT]
->Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
+>All devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
 
 |Policy|Scope|Default|Options|
 |--- |--- |--- |--- |
-|UsePassportForWork|Device or user|True|<p>True: Windows Hello for Business will be provisioned for all users on the device.<p>False: Users won't be able to provision Windows Hello for Business. <div class="alert"> **Note:** If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but won't be able to set up Windows Hello for Business on other devices</div>|
-|RequireSecurityDevice|Device or user|False|<p>True: Windows Hello for Business will only be provisioned using TPM.<p>False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
-|ExcludeSecurityDevice<p>TPM12|Device|False|Added in Windows 10, version 1703<p>True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.<p>False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.|
-|EnablePinRecovery|Device or use|False|<p>Added in Windows 10, version 1703<p>True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.<p>False: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
+|UsePassportForWork|Device or user|True|- True: Windows Hello for Business will be provisioned for all users on the device.<br>- False: Users won't be able to provision Windows Hello for Business. <br>**Note:** If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but won't be able to set up Windows Hello for Business on other devices|
+|RequireSecurityDevice|Device or user|False|- True: Windows Hello for Business will only be provisioned using TPM.<br>- False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
+|ExcludeSecurityDevice<br>- TPM12|Device|False|Added in Windows 10, version 1703<br>- True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.<br>- False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.|
+|EnablePinRecovery|Device or use|False|- Added in Windows 10, version 1703<br>- True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.<br>- False: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
 
 ### Biometrics
 
 |Policy|Scope|Default|Options|
 |--- |--- |--- |--- |
-|UseBiometrics|Device |False|<p>True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.<p>False: Only a PIN can be used as a gesture for domain sign-in.|
-|<p>FacialFeaturesUser<p>EnhancedAntiSpoofing|Device|Not configured|<p>Not configured: users can choose whether to turn on enhanced anti-spoofing.<p>True: Enhanced anti-spoofing is required on devices which support it.<p>False: Users can't turn on enhanced anti-spoofing.|
+|UseBiometrics|Device |False|- True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.<br>- False: Only a PIN can be used as a gesture for domain sign-in.|
+|- FacialFeaturesUser<br>-&nbsp;EnhancedAntiSpoofing|Device|Not configured|- Not configured: users can choose whether to turn on enhanced anti-spoofing.<br>- True: Enhanced anti-spoofing is required on devices which support it.<br>- False: Users can't turn on enhanced anti-spoofing.|
 
 ### PINComplexity
 
 |Policy|Scope|Default|Options|
 |--- |--- |--- |--- |
-|Digits |Device or user|1 |<p>0: Digits are allowed. <p>1: At least one digit is required.<p>2: Digits aren't allowed.|
-|Lowercase letters |Device or user|2|<p>0: Lowercase letters are allowed. <p>1: At least one lowercase letter is required.<p>2: Lowercase letters aren't allowed.|
-|Special characters|Device or user|2|<p>0: Special characters are allowed. <p>1: At least one special character is required. <p>2: Special characters aren't allowed.|
-|Uppercase letters|Device or user|2|<p>0: Uppercase letters are allowed. <p>1: At least one uppercase letter is required.<p>2: Uppercase letters aren't allowed.|
-|Maximum PIN length |Device or user|127 |<p>Maximum length that can be set is 127. Maximum length can't be less than minimum setting.|
-|Minimum PIN length|Device or user|6|<p>Minimum length that can be set is 6. Minimum length can't be greater than maximum setting.|
-|Expiration |Device or user|0|<p>Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.|
-|History|Device or user|0|<p>Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required.|
+|Digits |Device or user|1 |- 0: Digits are allowed. <br>- 1: At least one digit is required.<br>- 2: Digits aren't allowed.|
+|Lowercase letters |Device or user|2|- 0: Lowercase letters are allowed. <br>- 1: At least one lowercase letter is required.<br>- 2: Lowercase letters aren't allowed.|
+|Special characters|Device or user|2|- 0: Special characters are allowed. <br>- 1: At least one special character is required. <br>- 2: Special characters aren't allowed.|
+|Uppercase letters|Device or user|2|- 0: Uppercase letters are allowed. <br>- 1: At least one uppercase letter is required.<br>- 2: Uppercase letters aren't allowed.|
+|Maximum PIN length |Device or user|127 |- Maximum length that can be set is 127. Maximum length can't be less than minimum setting.|
+|Minimum PIN length|Device or user|6|- Minimum length that can be set is 6. Minimum length can't be greater than maximum setting.|
+|Expiration |Device or user|0|- Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.|
+|History|Device or user|0|- Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required.|
 
 ### Remote
 
@@ -92,42 +92,15 @@ The following table lists the MDM policy settings that you can configure for Win
 |UseRemotePassport|Device or user|False|Not currently supported.|
 
 >[!NOTE]
-> In Windows 10, version 1709 and later, if policy is not configured to explicitly require letters or special characters, users can optionally set an alphanumeric PIN. Prior to version 1709 the user is required to set a numeric PIN.
+> If a policy isn't explicitly configured to require letters or special characters, users can optionally set an alphanumeric PIN.
 
 ## Policy conflicts from multiple policy sources
 
-Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device.
+Windows Hello for Business is designed to be managed by group policy or MDM, but not a combination of both. Avoid mixing group policy and MDM policy settings for Windows Hello for Business. If you mix group policy and MDM policy settings, the MDM settings are ignored until all group policy settings are cleared.
 
-Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. 
+> [!IMPORTANT]
+> The [*MDMWinsOverGP*](/windows/client-management/mdm/policy-csp-controlpolicyconflict#mdmwinsovergp) policy setting doesn't apply to Windows Hello for Business. MDMWinsOverGP only applies to policies in the *Policy CSP*, while the Windows Hello for Business policies are in the *PassportForWork CSP*.
 
-Feature enablement policy and certificate trust policy are grouped together and enforced from the same source (either GP or MDM), based on the rule above. The Use Passport for Work policy is used to determine the winning policy source.
+## Policy precedence
 
-All PIN complexity policies are grouped separately from feature enablement and are enforced from a single policy source. Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies are enforced on a per policy basis.  
-
->[!NOTE]
-> Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP.
->
-><b>Examples</b>
->
->The following are configured using computer Group Policy:
->
->- Use Windows Hello for Business - Enabled
->- User certificate for on-premises authentication - Enabled
->
->The following are configured using device MDM Policy:
->
->- UsePassportForWork - Disabled
->- UseCertificateForOnPremAuth - Disabled
->- MinimumPINLength - 8
->- Digits - 1
->- LowercaseLetters - 1
->- SpecialCharacters - 1
->
->Enforced policy set:
->
->- Use Windows Hello for Business - Enabled
->- Use certificate for on-premises authentication - Enabled
->- MinimumPINLength - 8
->- Digits - 1
->- LowercaseLetters - 1
->- SpecialCharacters - 1
\ No newline at end of file
+Windows Hello for Business *user policies* take precedence over *computer policies*. If a user policy is set, the corresponded computer policy is ignored. If a user policy is not set, the computer policy is used.
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 8375e0ebd3..e12ac5c2e7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -6,7 +6,7 @@ ms.topic: overview
 ---
 # Planning a Windows Hello for Business Deployment
 
-Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
+Congratulations! You're taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
 
 This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs.
 
@@ -15,7 +15,7 @@ This guide explains the role of each component within Windows Hello for Business
 
 ## Using this guide
 
-There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they've already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It is important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization.
+There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they've already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It's important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization.
 
 This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options you'll need to consider. Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment. Download the [Windows Hello for Business planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514) from the Microsoft Download Center to help track your progress and make your planning easier.
 
@@ -52,9 +52,9 @@ The cloud only deployment model is for organizations who only have cloud identit
 
 The hybrid deployment model is for organizations that: 
 
-- Are federated with Azure Active Directory
-- Have identities synchronized to Azure Active Directory using Azure Active Directory Connect
-- Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
+- Are federated with Microsoft Entra ID
+- Have identities synchronized to Microsoft Entra ID using Microsoft Entra Connect
+- Use applications hosted in Microsoft Entra ID, and want a single sign-in user experience for both on-premises and Microsoft Entra resources
 
 > [!Important]
 > Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
@@ -64,7 +64,7 @@ The hybrid deployment model is for organizations that:
 > - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
 
 ##### On-premises
-The on-premises deployment model is for organizations that do not have cloud identities or use applications hosted in Azure Active Directory.
+The on-premises deployment model is for organizations that do not have cloud identities or use applications hosted in Microsoft Entra ID.
 
 > [!Important]
 > On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
@@ -81,9 +81,9 @@ It's fundamentally important to understand which deployment model to use for a s
 A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory.  There are two trust types: key trust and certificate trust.
 
 > [!NOTE]
-> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hello-hybrid-cloud-kerberos-trust.md).
+> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hello-hybrid-cloud-kerberos-trust.md).
 
-The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
+The key trust type doesn't require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
 
 The certificate trust type issues authentication certificates to end users.  Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience.  Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directories)).  Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
 
@@ -92,33 +92,33 @@ The certificate trust type issues authentication certificates to end users.  Use
 
 #### Device registration
 
-All devices included in the Windows Hello for Business deployment must go through device registration.  Device registration enables devices to authenticate to identity providers.  For cloud only and hybrid deployment, the identity provider is Azure Active Directory.  For on-premises deployments, the identity provider is the on-premises server running the Windows Server 2016 Active Directory Federation Services (AD FS) role.
+All devices included in the Windows Hello for Business deployment must go through device registration.  Device registration enables devices to authenticate to identity providers.  For cloud only and hybrid deployment, the identity provider is Microsoft Entra ID.  For on-premises deployments, the identity provider is the on-premises server running the Windows Server 2016 Active Directory Federation Services (AD FS) role.
 
 #### Key registration
 
-The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user's credentials. The private key is protected by the device's security modules; however, the credential is a user key (not a device key).  The provisioning experience registers the user's public key with the identity provider.  For cloud only and hybrid deployments, the identity provider is Azure Active Directory.  For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role.
+The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user's credentials. The private key is protected by the device's security modules; however, the credential is a user key (not a device key).  The provisioning experience registers the user's public key with the identity provider.  For cloud only and hybrid deployments, the identity provider is Microsoft Entra ID.  For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role.
 
 #### Multifactor authentication
 
 > [!IMPORTANT]
-> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multi-factor authentication for their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure AD Multi-Factor Authentication Server](/azure/active-directory/authentication/howto-mfaserver-deploy) for more details.
+> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multifactor authentication for their users should use cloud-based Microsoft Entra multifactor authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure Multi-Factor Authentication Server](/azure/active-directory/authentication/howto-mfaserver-deploy) for more details.
 
-The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication.  The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.  
+The goal of Windows Hello for Business is to move organizations away from passwords by providing them a with strong credential that provides easy two-factor authentication.  The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.  
 
-Cloud only and hybrid deployments provide many choices for multi-factor authentication.  On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure AD Multi-Factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
+Cloud only and hybrid deployments provide many choices for multifactor authentication.  On-premises deployments must use a multifactor authentication that provides an AD FS multifactor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-Factor Authentication Server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
 > [!NOTE]
-> Azure AD Multi-Factor Authentication is available through:
+> Microsoft Entra multifactor authentication is available through:
 > * Microsoft Enterprise Agreement
 > * Open Volume License Program
 > * Cloud Solution Providers program
 > * Bundled with
->    * Azure Active Directory Premium
+>    * Microsoft Entra ID P1 or P2
 >    * Enterprise Mobility Suite
 >    * Enterprise Cloud Suite
 
 #### Directory synchronization
 
-Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose.  Hybrid deployments use Azure Active Directory Connect to synchronize Active Directory identities or credentials between itself and Azure Active Directory. This helps enable single sign-on to Azure Active Directory and its federated components. On-premises deployments use directory synchronization to import users from Active Directory to the Azure MFA Server, which sends data to the Azure MFA cloud service to perform the verification.
+Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose.  Hybrid deployments use Microsoft Entra Connect to synchronize Active Directory identities or credentials between itself and Microsoft Entra ID. This helps enable single sign-on to Microsoft Entra ID and its federated components. On-premises deployments use directory synchronization to import users from Active Directory to the Azure MFA Server, which sends data to the Azure MFA cloud service to perform the verification.
 
 ### Management
 
@@ -136,7 +136,7 @@ Modern management is an emerging device management paradigm that leverages the c
 
 Windows Hello for Business is an exclusive Windows 10 and Windows 11 feature. As part of the Windows as a Service strategy, Microsoft has improved the deployment, management, and user experience with each new release of Windows and introduced support for new scenarios.
 
-Most deployment scenarios require a minimum of Windows 10, version 1511, also known as the November Update.  The client requirement may change based on different components in your existing infrastructure, or other infrastructure choices made later in planning your deployment. Those components and choices may require a minimum client running Windows 10, version 1703, also known as the Creators Update.
+Most deployment scenarios require a minimum of Windows 10, version 1511, also known as the November Update.  The client requirement might change based on different components in your existing infrastructure, or other infrastructure choices made later in planning your deployment. Those components and choices might require a minimum client running Windows 10, version 1703, also known as the Creators Update.
 
 
 ### Active Directory
@@ -145,11 +145,11 @@ Hybrid and on-premises deployments include Active Directory as part of their inf
 
 ### Public Key Infrastructure
 
-The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-premises deployments need a certificate in order for Windows devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users.  Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources.
+The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-premises deployments need a certificate in order for Windows devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users.  Hybrid deployments might need to issue VPN certificates to users to enable connectivity on-premises resources.
 
 ### Cloud
 
-Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities.  These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from those that are optional.
+Some deployment combinations require an Azure account, and some require Microsoft Entra ID for user identities.  These cloud requirements may only need an Azure account while other features need a Microsoft Entra ID P1 or P2 subscription. The planning process identifies and differentiates the components that are needed from those that are optional.
 
 ## Planning a Deployment
 
@@ -173,13 +173,13 @@ If your organization does not have cloud resources, write **On-Premises** in box
 
 ### Trust type
 
-Hybrid Azure AD-joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates.  Hybrid Azure AD-joined devices and Azure AD-joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
+Microsoft Entra hybrid joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates.  Microsoft Entra hybrid joined devices and Microsoft Entra joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
 
 Choose a trust type that is best suited for your organizations.  Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers.
 
 One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers and needing to enroll certificates for all their users (certificate trust).  
 
-Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision.  Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority.  In a federated environment, you need to activate the Device Writeback option in Azure AD Connect.
+Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision.  Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority.  In a federated environment, you need to activate the Device Writeback option in Microsoft Entra Connect.
 
 If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**.
 
@@ -203,17 +203,17 @@ If box **1a** on your planning worksheet reads **on-premises**, write **AD FS**
 
 ### Directory Synchronization
 
-Windows Hello for Business is strong user authentication, which usually means there is an identity (a user or username) and a credential (typically a key pair).  Some operations require writing or reading user data to or from the directory. For example, reading the user's phone number to perform multi-factor authentication during provisioning or writing the user's public key.
+Windows Hello for Business is strong user authentication, which usually means there is an identity (a user or username) and a credential (typically a key pair).  Some operations require writing or reading user data to or from the directory. For example, reading the user's phone number to perform multifactor authentication during provisioning or writing the user's public key.
 
-If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **1e**.  User information is written directly to Azure Active Directory and there is not another directory with which the information must be synchronized.
+If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **1e**.  User information is written directly to Microsoft Entra ID and there is not another directory with which the information must be synchronized.
 
-If box **1a** on your planning worksheet reads **hybrid**, then write **Azure AD Connect** in box **1e** on your planning worksheet.
+If box **1a** on your planning worksheet reads **hybrid**, then write **Microsoft Entra Connect** in box **1e** on your planning worksheet.
 
-If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**.  This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication.  The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the user's credentials remain on the on-premises network.
+If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**.  This deployment exclusively uses Active Directory for user information with the exception of the multifactor authentication.  The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multifactor authentication while the user's credentials remain on the on-premises network.
 
-### Multifactor Authentication
+### Multifactor authentication
 
-The goal of Windows Hello for Business is to move user authentication away from passwords to a strong, key-based user authentication.  Passwords are weak credentials and cannot be trusted by themselves as an attacker with a stolen password could be attempting to enroll in Windows Hello for Business.  To keep the transition from a weak to a strong credential secure, Windows Hello for Business relies on multi-factor authentication during provisioning to have some assurances that the user identity provisioning a Windows Hello for Business credential is the proper identity.
+The goal of Windows Hello for Business is to move user authentication away from passwords to a strong, key-based user authentication.  Passwords are weak credentials and cannot be trusted by themselves as an attacker with a stolen password could be attempting to enroll in Windows Hello for Business.  To keep the transition from a weak to a strong credential secure, Windows Hello for Business relies on multifactor authentication during provisioning to have some assurances that the user identity provisioning a Windows Hello for Business credential is the proper identity.
 
 If box **1a** on your planning worksheet reads **cloud only**, then your only option is to use the Azure MFA cloud service.  Write **Azure MFA** in box **1f** on your planning worksheet.
 
@@ -225,7 +225,7 @@ If box **1a** on your planning worksheet reads **hybrid**, then you have a few o
 
 You can directly use the Azure MFA cloud service for the second factor of authentication. Users contacting the service must authenticate to Azure prior to using the service.
 
-If your Azure AD Connect is configured to synchronize identities (usernames only), then your users are redirected to your local on-premises federation server for authentication and then redirected back to the Azure MFA cloud service.  Otherwise, your Azure AD Connect is configured to synchronize credentials (username and passwords), which enables your users to authenticate to Azure Active Directory and use the Azure MFA cloud service.  If you choose to use the Azure MFA cloud service directly, write **Azure MFA** in box **1f** on your planning worksheet.
+If your Microsoft Entra Connect is configured to synchronize identities (usernames only), then your users are redirected to your local on-premises federation server for authentication and then redirected back to the Azure MFA cloud service.  Otherwise, your Microsoft Entra Connect is configured to synchronize credentials (username and passwords), which enables your users to authenticate to Microsoft Entra ID and use the Azure MFA cloud service.  If you choose to use the Azure MFA cloud service directly, write **Azure MFA** in box **1f** on your planning worksheet.
 
 You can configure your on-premises Windows Server 2016 AD FS role to use the Azure MFA service adapter. In this configuration, users are redirected to the on premises AD FS server (synchronizing identities only). The AD FS server uses the MFA adapter to communicate to the Azure MFA service to perform the second factor of authentication.  If you choose to use AD FS with the Azure MFA cloud service adapter, write **AD FS with Azure MFA cloud adapter** in box **1f** on your planning worksheet.
 
@@ -241,10 +241,10 @@ If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with
 
 Windows Hello for Business provides organizations with many policy settings and granular control on how these settings may be applied to both computers and users.  The type of policy management you can use depends on your selected deployment and trust models.
 
-If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **2a** on your planning worksheet.  You have the option to manage non-domain joined devices.  If you choose to manage Azure Active Directory-joined devices, write **modern management** in box **2b** on your planning worksheet.  Otherwise, write** N/A** in box **2b**.
+If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **2a** on your planning worksheet.  You have the option to manage non-domain joined devices.  If you choose to manage Microsoft Entra joined devices, write **modern management** in box **2b** on your planning worksheet.  Otherwise, write** N/A** in box **2b**.
 
 > [!NOTE]
-> Azure Active Directory-joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings.  Use modern management to adjust policy settings to match the business needs of your organization.
+> Microsoft Entra joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings.  Use modern management to adjust policy settings to match the business needs of your organization.
 
 If box **1a** on your planning worksheet reads **on-prem**, write **GP** in box **2a** on your planning worksheet. Write **N/A** in box **2b** on your worksheet.
 
@@ -260,7 +260,7 @@ Windows Hello for Business is a feature exclusive to Windows 10 and Windows 11.
 
 If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **3a** on your planning worksheet.  Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices.
 > [!NOTE]
-> Azure Active Directory-joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings.  Use modern management to adjust policy settings to match the business needs of your organization.
+> Microsoft Entra joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings.  Use modern management to adjust policy settings to match the business needs of your organization.
 
 Write **1511 or later** in box **3a** on your planning worksheet if any of the following are true. 
 * Box **2a** on your planning worksheet read **modern management**. 
@@ -288,7 +288,7 @@ If box **1a** on your planning worksheet reads **cloud only**, ignore the public
 
 If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet. Key trust doesn't require any change in public key infrastructure, skip this part and go to **Cloud** section.
 
-The registration authority only relates to certificate trust deployments and the management used for domain and non-domain joined devices.  Hybrid Azure AD-joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates.  Hybrid Azure AD-joined devices and Azure AD-joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. 
+The registration authority only relates to certificate trust deployments and the management used for domain and non-domain joined devices.  Microsoft Entra hybrid joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates.  Microsoft Entra hybrid joined devices and Microsoft Entra joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. 
 
 If box **2a** reads **GP** and box **2b** reads **modern management**, write **AD FS RA and NDES** in box **5b** on your planning worksheet.  In box **5c**, write the following certificate templates names and issuances:
 
@@ -323,18 +323,18 @@ If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, wri
 
 If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **6a** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments do not use the cloud directory.
 
-Windows Hello for Business does not require an Azure AD premium subscription.  However, some dependencies, such as [MDM automatic enrollment](/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](/azure/active-directory/conditional-access/overview) do.
+Windows Hello for Business does not require a Microsoft Entra ID P1 or P2 subscription.  However, some dependencies, such as [MDM automatic enrollment](/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](/azure/active-directory/conditional-access/overview) do.
 
 If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet.
 
-If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details, see [Features and licenses for Azure AD Multi-Factor Authentication](/azure/active-directory/authentication/concept-mfa-licensing).
+If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the Microsoft Entra ID Free tier. All Microsoft Entra ID Free accounts can use Microsoft Entra multifactor authentication through the use of security defaults. Some Microsoft Entra multifactor authentication features require a license. For more details, see [Features and licenses for Microsoft Entra multifactor authentication](/azure/active-directory/authentication/concept-mfa-licensing).
 
-If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet.  Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature.
+If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet.  Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, a Microsoft Entra ID P1 or P2 feature.
 
-Modern managed devices do not require an Azure AD premium subscription.  By forgoing the subscription, your users must manually enroll devices in the modern management software, such as Intune or a supported third-party MDM.
+Modern managed devices do not require a Microsoft Entra ID P1 or P2 subscription.  By forgoing the subscription, your users must manually enroll devices in the modern management software, such as Intune or a supported third-party MDM.
 
 If boxes **2a** or **2b** read **modern management** and you want devices to automatically enroll in your modern management software, write **Yes** in box **6c** on your planning worksheet.  Otherwise, write **No** in box **6c**.
 
 ## Congratulations, You're Done
 
-Your Windows Hello for Business planning worksheet should be complete.  This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used.  The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment.  With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment.
+Your Windows Hello for Business planning worksheet should be complete.  This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they're used.  The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment.  With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment.
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index 96c1df3462..87cd5f6ea5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -10,7 +10,7 @@ When you set a policy to require Windows Hello for Business in the workplace, yo
 
 After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device.
 
-Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Hello.
+Although the organization may require users to change their Active Directory or Microsoft Entra account password at regular intervals, changes to their passwords have no effect on Hello.
 
 People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello.
 
@@ -52,4 +52,3 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
 - [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
-
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/aduc-account-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/aduc-account-scril.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/aduc-account-scril.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/aduc-account-scril.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/exclude-credential-providers-properties.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/exclude-credential-providers-properties.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/exclude-credential-providers-properties.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/exclude-credential-providers-properties.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/four-steps-passwordless-strategy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/four-steps-passwordless-strategy.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/four-steps-passwordless-strategy.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/four-steps-passwordless-strategy.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-exclude-credential-providers.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-exclude-credential-providers.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-exclude-credential-providers.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-exclude-credential-providers.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-require-smart-card-policy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-require-smart-card-policy.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-require-smart-card-policy.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-require-smart-card-policy.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-security-options.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-security-options.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-security-options.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-security-options.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/require-whfb-smart-card-policy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/require-whfb-smart-card-policy.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/require-whfb-smart-card-policy.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/require-whfb-smart-card-policy.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/server-2012-adac-user-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2012-adac-user-scril.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/server-2012-adac-user-scril.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2012-adac-user-scril.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-domain-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-domain-scril.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-domain-scril.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-domain-scril.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-user-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-user-scril.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-user-scril.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-user-scril.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png
new file mode 100644
index 0000000000..06a13b6f1a
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg b/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg
new file mode 100644
index 0000000000..dd8c09b2dd
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg
@@ -0,0 +1,11 @@
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M1.81653 0H18.1835C19.1859 0 20 0.814095 20 1.81653V18.1835C20 19.1859 19.1859 20 18.1835 20H1.81653C0.814095 20 0 19.1859 0 18.1835V1.81653C0 0.814095 0.814095 0 1.81653 0Z" fill="#605E5C"/>
+<g clip-path="url(#clip0_111_2097)">
+<path d="M11.027 8.93146C10.9795 9.21812 11.061 9.51843 11.2714 9.73002L14.4419 12.9174C14.5641 13.0403 14.6252 13.1973 14.6252 13.3679V14.4736C14.6252 14.5418 14.5709 14.6033 14.4962 14.6033H13.2267C13.1588 14.6033 13.0977 14.5487 13.0977 14.4736V13.7092C13.0977 13.3542 12.8125 13.0676 12.4595 13.0676H11.5702V12.1735C11.5702 11.8186 11.285 11.5319 10.932 11.5319H10.0426V11.1497C10.0426 11.02 9.98153 10.904 9.8729 10.8289C9.76428 10.7606 9.6285 10.747 9.51309 10.7948C9.19401 10.9313 8.84098 11.02 8.49474 11.02C7.08263 11.02 5.9285 9.86652 5.9285 8.44004C5.9285 7.01355 7.06905 5.91468 8.49474 5.91468C9.92043 5.91468 11.061 7.06815 11.061 8.49464C11.061 8.63115 11.0406 8.76765 11.0135 8.92463L11.027 8.93146ZM5.17493 8.45369C5.17493 10.2965 6.6685 11.7981 8.50153 11.7981C8.77309 11.7981 9.03786 11.7571 9.28905 11.6957C9.30263 12.037 9.58098 12.31 9.92043 12.31H10.8098V13.2041C10.8098 13.559 11.0949 13.8457 11.4479 13.8457H12.3373V14.4872C12.3373 14.9787 12.7379 15.3814 13.2267 15.3814H14.4962C14.985 15.3814 15.3856 14.9787 15.3856 14.4872V13.3815C15.3856 13.0062 15.2362 12.6512 14.9782 12.3919L11.8078 9.20447C11.8078 9.20447 11.7602 9.12939 11.7738 9.08162C11.8078 8.90416 11.8281 8.71305 11.8281 8.51512C11.8281 6.65864 10.3413 5.15707 8.50153 5.15707C6.66171 5.15707 5.17493 6.59721 5.17493 8.45369ZM7.74116 7.04768C8.09419 7.04768 8.37933 7.33434 8.37933 7.68926C8.37933 8.04417 8.09419 8.33083 7.74116 8.33083C7.38814 8.33083 7.103 8.04417 7.103 7.68926C7.103 7.33434 7.38814 7.04768 7.74116 7.04768Z" fill="white"/>
+</g>
+<defs>
+<clipPath id="clip0_111_2097">
+<rect width="10.2106" height="10.2106" fill="white" transform="translate(5.17493 5.15707)"/>
+</clipPath>
+</defs>
+</svg>
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-off.png b/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-off.png
new file mode 100644
index 0000000000..ccfade47d9
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-off.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-on.png
new file mode 100644
index 0000000000..abb9b6456d
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-on.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/uac-off.png b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-off.png
new file mode 100644
index 0000000000..8913baa8ce
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-off.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/uac-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-on.png
new file mode 100644
index 0000000000..b0d03a6299
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-on.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif
index 2ef07cd63c..d8aba4d740 100644
Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif differ
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md
index a9b2685f07..17dc33d7c4 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
 ms.topic: include
 ---
 
-[cloud :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#cloud-deployment "For organizations using Azure AD-only identities. Device management is usually done via Intune/MDM")
\ No newline at end of file
+[cloud :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md
index b6ba025722..a67cb2cf2b 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
 ms.topic: include
 ---
 
-[hybrid :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Azure AD. Device management is usually done via Group Policy or Intune/MDM")
\ No newline at end of file
+[hybrid :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md
index 5426da4561..c33f3da2de 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
 ms.topic: include
 ---
 
-[on-premises :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Azure AD. Device management is usually done via Group Policy")
\ No newline at end of file
+[on-premises :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md
index 82f5f99a23..29b890c78b 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
 ms.topic: include
 ---
 
-[Azure AD join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Azure AD joined do not have any dependencies on Active Directory. Only local users accounts and Azure AD users can sign in to these devices")
\ No newline at end of file
+[Microsoft Entra join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md
index ba8b5df65a..80f9992cb8 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
 ms.topic: include
 ---
 
-[hybrid Azure AD join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are hybrid Azure AD joined don't have any dependencies on Azure AD. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Azure AD will have single-sign on to both Active Directory and Azure AD-protected resources")
\ No newline at end of file
+[Microsoft Entra hybrid join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources")
diff --git a/windows/security/identity-protection/hello-for-business/index.md b/windows/security/identity-protection/hello-for-business/index.md
index e0d3b1306e..953074993d 100644
--- a/windows/security/identity-protection/hello-for-business/index.md
+++ b/windows/security/identity-protection/hello-for-business/index.md
@@ -25,7 +25,7 @@ Windows Hello lets users authenticate to:
 
 - A Microsoft account.
 - An Active Directory account.
-- A Microsoft Azure Active Directory (Azure AD) account.
+- A Microsoft Entra account.
 - Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://fidoalliance.org/) authentication.
 
 After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users.
@@ -71,7 +71,7 @@ Windows Hello helps protect user identities and user credentials. Because the us
 
 - Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device.
 
-- An identity provider validates the user identity and maps the Windows Hello public key to a user account during the registration step. Example providers are Active Directory, Azure AD, or a Microsoft account.
+- An identity provider validates the user identity and maps the Windows Hello public key to a user account during the registration step. Example providers are Active Directory, Microsoft Entra ID, or a Microsoft account.
 
 - Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. To guarantee that keys are generated in hardware, you must set policy.
 
@@ -81,7 +81,7 @@ Windows Hello helps protect user identities and user credentials. Because the us
 
 - PIN entry and biometric gesture both trigger Windows 10 and later to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user.
 
-- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.
+- Personal (Microsoft account) and corporate (Active Directory or Microsoft Entra ID) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.
 
 - Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture.
 
@@ -89,7 +89,7 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md).
 
 ## Comparing key-based and certificate-based authentication
 
-Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud Kerberos trust for hybrid deployments, which uses Azure AD as the root of trust. cloud Kerberos trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller.
+Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud Kerberos trust for hybrid deployments, which uses Microsoft Entra ID as the root of trust. cloud Kerberos trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller.
 
 Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Remote Credential Guard](../remote-credential-guard.md).
 
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 690c5f984c..a66a69f90c 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -13,11 +13,11 @@ This article describes Windows' password-less strategy and how Windows Hello for
 
 Over the past few years, Microsoft has continued their commitment to enabling a world without passwords.
 
-:::image type="content" source="images/passwordless/four-steps-passwordless-strategy.png" alt-text="Diagram of stair-step strategy with four steps.":::
+:::image type="content" source="images/passwordless-strategy/four-steps-passwordless-strategy.png" alt-text="Diagram of stair-step strategy with four steps.":::
 
 ### 1. Develop a password replacement offering
 
-Before you move away from passwords, you need something to replace them. With Windows 10 and Windows 11, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory.
+Before you move away from passwords, you need something to replace them. With Windows 10 and Windows 11, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Microsoft Entra ID and Active Directory.
 
 Deploying Windows Hello for Business is the first step towards a password-less environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
 
@@ -147,7 +147,7 @@ After successfully moving a work persona to password freedom, you can prioritize
 
 ### Password-less replacement offering (step 1)
 
-The first step to password freedom is providing an alternative to passwords. Windows 10 and Windows 11 provide an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory.
+The first step to password freedom is providing an alternative to passwords. Windows 10 and Windows 11 provide an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Microsoft Entra ID and Active Directory.
 
 #### Identify test users that represent the targeted work persona
 
@@ -160,7 +160,7 @@ Next, you'll want to plan your Windows Hello for Business deployment. Your test
 With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is that you'll only need to deploy the infrastructure once. When other targeted work personas need to start using Windows Hello for Business, add them to a group. You'll use the first work persona to validate your Windows Hello for Business deployment.
 
 > [!NOTE]
-> There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Azure Active Directory. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices.
+> There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Microsoft Entra ID. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices.
 
 #### Validate that passwords and Windows Hello for Business work
 
@@ -206,7 +206,7 @@ Start mitigating password usages based on the workflows of your targeted persona
 
 Mitigating password usage with applications is one of the more challenging obstacles in the password-less journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS).
 
-The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases.
+The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Microsoft Entra ID or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases.
 
 Each scenario on your list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authentication.
 
@@ -224,17 +224,17 @@ Windows provides two ways to prevent your users from using passwords. You can us
 
 You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**.  The name of the policy setting depends on the version of the operating systems you use to configure Group Policy.
 
-:::image type="content" source="images/passwordless/gpmc-security-options.png" alt-text="The Group Policy Management Editor displaying the location of the Security Options node.":::
+:::image type="content" source="images/passwordless-strategy/gpmc-security-options.png" alt-text="The Group Policy Management Editor displaying the location of the Security Options node.":::
 
 **Windows Server 2016 and earlier**
 The policy name for these operating systems is **Interactive logon: Require smart card**.
 
-:::image type="content" source="images/passwordless/gpmc-require-smart-card-policy.png" alt-text="The Group Policy Management Editor displaying the location of the policy 'Interactive logon: Require smart card'.":::
+:::image type="content" source="images/passwordless-strategy/gpmc-require-smart-card-policy.png" alt-text="The Group Policy Management Editor displaying the location of the policy 'Interactive logon: Require smart card'.":::
 
 **Windows 10, version 1703 or later using Remote Server Administrator Tools**
 The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**.
 
-:::image type="content" source="images/passwordless/require-whfb-smart-card-policy.png" alt-text="Highlighting the security policy 'Interactive logon: Require Windows Hello for Business or smart card'.":::
+:::image type="content" source="images/passwordless-strategy/require-whfb-smart-card-policy.png" alt-text="Highlighting the security policy 'Interactive logon: Require Windows Hello for Business or smart card'.":::
 
 When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
 
@@ -242,11 +242,11 @@ When you enable this security policy setting, Windows prevents users from signin
 
 You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**:
 
-:::image type="content" source="images/passwordless/gpmc-exclude-credential-providers.png" alt-text="The Group Policy Management Editor displaying the location of 'Logon' node and the policy setting 'Exclude credential providers'.":::
+:::image type="content" source="images/passwordless-strategy/gpmc-exclude-credential-providers.png" alt-text="The Group Policy Management Editor displaying the location of 'Logon' node and the policy setting 'Exclude credential providers'.":::
 
 The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`.
 
-:::image type="content" source="images/passwordless/exclude-credential-providers-properties.png" alt-text="Properties of the policy setting 'Exclude credential providers'.":::
+:::image type="content" source="images/passwordless-strategy/exclude-credential-providers-properties.png" alt-text="Properties of the policy setting 'Exclude credential providers'.":::
 
 Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This configuration prevents the user from entering a password using the credential provider. However, this change doesn't prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs.
 
@@ -296,7 +296,7 @@ The account options on a user account include the option **Smart card is require
 
 The following image shows the SCRIL setting for a user in Active Directory Users and Computers:
 
-:::image type="content" source="images/passwordless/aduc-account-scril.png" alt-text="Example user properties in Active Directory that shows the SCRIL setting on Account options.":::
+:::image type="content" source="images/passwordless-strategy/aduc-account-scril.png" alt-text="Example user properties in Active Directory that shows the SCRIL setting on Account options.":::
 
 When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Users will no longer need to change their password when it expires, because passwords for SCRIL users don't expire. The users are effectively password-less because:
 
@@ -307,7 +307,7 @@ When you configure a user account for SCRIL, Active Directory changes the affect
 
 The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012:
 
-:::image type="content" source="images/passwordless/server-2012-adac-user-scril.png" alt-text="Example user properties in Windows Server 2012 Active Directory Administrative Center that shows the SCRIL setting.":::
+:::image type="content" source="images/passwordless-strategy/server-2012-adac-user-scril.png" alt-text="Example user properties in Windows Server 2012 Active Directory Administrative Center that shows the SCRIL setting.":::
 
 > [!NOTE]
 > Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account to generate a new random 128 bit password. Use the following process to toggle this configuration:
@@ -321,7 +321,7 @@ The following image shows the SCRIL setting for a user in Active Directory Admin
 
 The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016:
 
-:::image type="content" source="images/passwordless/server-2016-adac-user-scril.png" alt-text="Example user properties in Windows Server 2016 Active Directory Administrative Center that shows the SCRIL setting.":::
+:::image type="content" source="images/passwordless-strategy/server-2016-adac-user-scril.png" alt-text="Example user properties in Windows Server 2016 Active Directory Administrative Center that shows the SCRIL setting.":::
 
 > [!TIP]
 > Windows Hello for Business was formerly known as Microsoft Passport.
@@ -332,8 +332,7 @@ Domains configured for Windows Server 2016 or later domain functional level can
 
 In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128-bit password for the user as part of the authentication. This feature is great because your users don't experience any change password notifications or any authentication outages.
 
-:::image type="content" source="images/passwordless/server-2016-adac-domain-scril.png" alt-text="The Active Directory Administrative Center on Windows Server 2016 showing the domain setting for SCRIL.":::
+:::image type="content" source="images/passwordless-strategy/server-2016-adac-domain-scril.png" alt-text="The Active Directory Administrative Center on Windows Server 2016 showing the domain setting for SCRIL.":::
 
 > [!NOTE]
 > Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely.
-
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index ad2fc7674a..ee0f2774a8 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -4,8 +4,6 @@ items:
 - name: Concepts
   expanded: true
   items:
-  - name: Passwordless strategy
-    href: passwordless-strategy.md
   - name: Why a PIN is better than a password
     href: hello-why-pin-is-better-than-password.md
   - name: Windows Hello biometrics in the enterprise
@@ -43,7 +41,7 @@ items:
       - name: Configure and provision Windows Hello for Business
         href: hello-hybrid-key-trust-provision.md
         displayName: key trust
-      - name: Configure SSO for Azure AD joined devices
+      - name: Configure SSO for Microsoft Entra joined devices
         href: hello-hybrid-aadj-sso.md
         displayName: key trust
     - name: Certificate trust deployment
@@ -60,10 +58,10 @@ items:
       - name: Configure and provision Windows Hello for Business
         href: hello-hybrid-cert-whfb-provision.md
         displayName: certificate trust
-      - name: Configure SSO for Azure AD joined devices
+      - name: Configure SSO for Microsoft Entra joined devices
         href: hello-hybrid-aadj-sso.md
         displayName: certificate trust
-      - name: Deploy certificates to Azure AD joined devices
+      - name: Deploy certificates to Microsoft Entra joined devices
         href: hello-hybrid-aadj-sso-cert.md
         displayName: certificate trust
   - name: On-premises deployments
@@ -112,6 +110,8 @@ items:
   items:
   - name: PIN reset
     href: hello-feature-pin-reset.md
+  - name: Windows Hello Enhanced Security Sign-in (ESS) 🔗
+    href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
   - name: Dual enrollment
     href: hello-feature-dual-enrollment.md  
   - name: Dynamic Lock
diff --git a/windows/security/identity-protection/passkeys/images/delete-passkey.png b/windows/security/identity-protection/passkeys/images/delete-passkey.png
new file mode 100644
index 0000000000..1363d8db62
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/delete-passkey.png differ
diff --git a/windows/security/identity-protection/passkeys/images/device-save-qr.png b/windows/security/identity-protection/passkeys/images/device-save-qr.png
new file mode 100644
index 0000000000..e551a1e528
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/device-save-qr.png differ
diff --git a/windows/security/identity-protection/passkeys/images/device-save.png b/windows/security/identity-protection/passkeys/images/device-save.png
new file mode 100644
index 0000000000..240b3a9695
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/device-save.png differ
diff --git a/windows/security/identity-protection/passkeys/images/device-use.png b/windows/security/identity-protection/passkeys/images/device-use.png
new file mode 100644
index 0000000000..5aa3daea3d
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/device-use.png differ
diff --git a/windows/security/identity-protection/passkeys/images/hello-save-confirm.png b/windows/security/identity-protection/passkeys/images/hello-save-confirm.png
new file mode 100644
index 0000000000..b9fdda9002
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/hello-save-confirm.png differ
diff --git a/windows/security/identity-protection/passkeys/images/hello-save.png b/windows/security/identity-protection/passkeys/images/hello-save.png
new file mode 100644
index 0000000000..785a45596b
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/hello-save.png differ
diff --git a/windows/security/identity-protection/passkeys/images/hello-use-confirm.png b/windows/security/identity-protection/passkeys/images/hello-use-confirm.png
new file mode 100644
index 0000000000..4139c708c3
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/hello-use-confirm.png differ
diff --git a/windows/security/identity-protection/passkeys/images/hello-use.png b/windows/security/identity-protection/passkeys/images/hello-use.png
new file mode 100644
index 0000000000..df46054877
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/hello-use.png differ
diff --git a/windows/security/identity-protection/passkeys/images/laptop.svg b/windows/security/identity-protection/passkeys/images/laptop.svg
new file mode 100644
index 0000000000..2440c97fd5
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/images/laptop.svg
@@ -0,0 +1,3 @@
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M3 7C3 5.89543 3.89543 5 5 5H15C16.1046 5 17 5.89543 17 7V12C17 13.1046 16.1046 14 15 14H5C3.89543 14 3 13.1046 3 12V7ZM5 6C4.44772 6 4 6.44772 4 7V12C4 12.5523 4.44772 13 5 13H15C15.5523 13 16 12.5523 16 12V7C16 6.44772 15.5523 6 15 6H5ZM2 15.5C2 15.2239 2.22386 15 2.5 15H17.5C17.7761 15 18 15.2239 18 15.5C18 15.7761 17.7761 16 17.5 16H2.5C2.22386 16 2 15.7761 2 15.5Z" fill="#0078D4"/>
+</svg>
\ No newline at end of file
diff --git a/windows/security/identity-protection/passkeys/images/linked-device-connect.png b/windows/security/identity-protection/passkeys/images/linked-device-connect.png
new file mode 100644
index 0000000000..34cb085968
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/linked-device-connect.png differ
diff --git a/windows/security/identity-protection/passkeys/images/linked-device-save.png b/windows/security/identity-protection/passkeys/images/linked-device-save.png
new file mode 100644
index 0000000000..48bd40f658
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/linked-device-save.png differ
diff --git a/windows/security/identity-protection/passkeys/images/linked-device-use.png b/windows/security/identity-protection/passkeys/images/linked-device-use.png
new file mode 100644
index 0000000000..5aeacdae7a
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/linked-device-use.png differ
diff --git a/windows/security/identity-protection/passkeys/images/phone.svg b/windows/security/identity-protection/passkeys/images/phone.svg
new file mode 100644
index 0000000000..acb1dce81f
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/images/phone.svg
@@ -0,0 +1,3 @@
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M9 14C8.72386 14 8.5 14.2239 8.5 14.5C8.5 14.7761 8.72386 15 9 15H11C11.2761 15 11.5 14.7761 11.5 14.5C11.5 14.2239 11.2761 14 11 14H9ZM7 2C5.89543 2 5 2.89543 5 4V16C5 17.1046 5.89543 18 7 18H13C14.1046 18 15 17.1046 15 16V4C15 2.89543 14.1046 2 13 2H7ZM6 4C6 3.44772 6.44772 3 7 3H13C13.5523 3 14 3.44772 14 4V16C14 16.5523 13.5523 17 13 17H7C6.44772 17 6 16.5523 6 16V4Z" fill="#0078D4"/>
+</svg>
\ No newline at end of file
diff --git a/windows/security/identity-protection/passkeys/images/qr-code.svg b/windows/security/identity-protection/passkeys/images/qr-code.svg
new file mode 100644
index 0000000000..d84c521351
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/images/qr-code.svg
@@ -0,0 +1,3 @@
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M11 15H13V17H11V15ZM15 15H17V17H15V15ZM11 11H13V13H11V11ZM13 13H15V15H13V13ZM15 11H17V13H15V11ZM3 5C3 3.89543 3.89543 3 5 3H7C8.10457 3 9 3.89543 9 5V7C9 8.10457 8.10457 9 7 9H5C3.89543 9 3 8.10457 3 7V5ZM5 4C4.44772 4 4 4.44772 4 5V7C4 7.55228 4.44772 8 5 8H7C7.55228 8 8 7.55228 8 7V5C8 4.44772 7.55228 4 7 4H5ZM5 5H7V7H5V5ZM3 13C3 11.8954 3.89543 11 5 11H7C8.10457 11 9 11.8954 9 13V15C9 16.1046 8.10457 17 7 17H5C3.89543 17 3 16.1046 3 15V13ZM5 12C4.44772 12 4 12.4477 4 13V15C4 15.5523 4.44772 16 5 16H7C7.55228 16 8 15.5523 8 15V13C8 12.4477 7.55228 12 7 12H5ZM5 13H7V15H5V13ZM11 5C11 3.89543 11.8954 3 13 3H15C16.1046 3 17 3.89543 17 5V7C17 8.10457 16.1046 9 15 9H13C11.8954 9 11 8.10457 11 7V5ZM13 4C12.4477 4 12 4.44772 12 5V7C12 7.55228 12.4477 8 13 8H15C15.5523 8 16 7.55228 16 7V5C16 4.44772 15.5523 4 15 4H13ZM13 5H15V7H13V5Z" fill="#0078D4"/>
+</svg>
\ No newline at end of file
diff --git a/windows/security/identity-protection/passkeys/images/save-passkey.png b/windows/security/identity-protection/passkeys/images/save-passkey.png
new file mode 100644
index 0000000000..9dd3799a14
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/save-passkey.png differ
diff --git a/windows/security/identity-protection/passkeys/images/security-key-save.png b/windows/security/identity-protection/passkeys/images/security-key-save.png
new file mode 100644
index 0000000000..a17554e17c
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/security-key-save.png differ
diff --git a/windows/security/identity-protection/passkeys/images/security-key-setup.png b/windows/security/identity-protection/passkeys/images/security-key-setup.png
new file mode 100644
index 0000000000..192d63cc74
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/security-key-setup.png differ
diff --git a/windows/security/identity-protection/passkeys/images/security-key-use.png b/windows/security/identity-protection/passkeys/images/security-key-use.png
new file mode 100644
index 0000000000..1513aa359e
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/security-key-use.png differ
diff --git a/windows/security/identity-protection/passkeys/images/usb.svg b/windows/security/identity-protection/passkeys/images/usb.svg
new file mode 100644
index 0000000000..18027400c1
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/images/usb.svg
@@ -0,0 +1,3 @@
+<svg width="9" height="16" viewBox="0 0 9 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path fill-rule="evenodd" clip-rule="evenodd" d="M8.39062 4.07812C8.27083 4.02604 8.14062 4 8 4V0H0.999999V4C0.859374 4 0.729166 4.02604 0.609375 4.07812C0.489583 4.13021 0.384114 4.20182 0.292968 4.29297C0.201822 4.38411 0.130208 4.48958 0.0781248 4.60937C0.0260416 4.72916 0 4.85937 0 5V15C0 15.1406 0.0260416 15.2708 0.0781248 15.3906C0.130208 15.5104 0.201822 15.6159 0.292968 15.707C0.384114 15.7982 0.489583 15.8698 0.609375 15.9219C0.729166 15.9739 0.859374 16 0.999999 16H8C8.14062 16 8.27083 15.9739 8.39062 15.9219C8.51041 15.8698 8.61588 15.7982 8.70703 15.707C8.79817 15.6159 8.86979 15.5104 8.92187 15.3906C8.97395 15.2708 8.99999 15.1406 8.99999 15V5C8.99999 4.85937 8.97395 4.72916 8.92187 4.60937C8.86979 4.48958 8.79817 4.38411 8.70703 4.29297C8.61588 4.20182 8.51041 4.13021 8.39062 4.07812ZM3 2H4V3H3V2ZM6 2V3H5V2H6ZM2 4H7V0.999999H2V4ZM0.999999 5H8V15H0.999999V5Z" fill="#0078D4"/>
+</svg>
\ No newline at end of file
diff --git a/windows/security/identity-protection/passkeys/images/use-passkey.png b/windows/security/identity-protection/passkeys/images/use-passkey.png
new file mode 100644
index 0000000000..1ff07346ea
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/use-passkey.png differ
diff --git a/windows/security/identity-protection/passkeys/images/website.png b/windows/security/identity-protection/passkeys/images/website.png
new file mode 100644
index 0000000000..d344d8dbde
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/website.png differ
diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md
new file mode 100644
index 0000000000..40d33d3ed3
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/index.md
@@ -0,0 +1,329 @@
+---
+title: Support for passkeys in Windows
+description: Learn about passkeys and how to use them on Windows devices.
+ms.collection: 
+- highpri
+- tier1
+ms.topic: article
+ms.date: 09/27/2023
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+---
+
+# Support for passkeys in Windows
+
+Passkeys provide a more secure and convenient method to logging into websites and applications compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can use a device's unlock mechanism (such as biometrics or a PIN). Passkeys can be used without the need for other sign-in challenges, making the authentication process faster, secure, and more convenient.
+
+You can use passkeys with any applications or websites that support them, to create and sign in with Windows Hello. Once a passkey is created and stored with Windows Hello, you can use your device's biometrics or PIN to sign in. Alternatively, you can use a companion device (phone or tablet) to sign in.
+
+> [!NOTE]
+> Starting in Windows 11, version 22H2 with [KB5030310][KB-1], Windows provides a native experience for passkey management. However, passkeys can be used in all supported versions of Windows clients.
+
+This article describes how to create and use passkeys on Windows devices.
+
+## How passkeys work
+
+Microsoft has long been a founding member of the FIDO Alliance and has helped to define and use passkeys natively within a platform authenticator like Windows Hello. Passkeys utilize the FIDO industry security standard, which is adopted by all major platforms. Leading technology companies like Microsoft are backing passkeys as part of the FIDO Alliance, and numerous websites and apps are integrating support for passkeys.
+
+The FIDO protocols rely on standard public/private key cryptography techniques to offer more secure authentication. When a user registers with an online service, their client device generates a new key pair. The private key is stored securely on the user's device, while the public key is registered with the service. To authenticate, the client device must prove that it possesses the private key by signing a challenge. The private keys can only be used after they're unlocked by the user using the Windows Hello unlock factor (biometrics or PIN).
+
+FIDO protocols prioritize user privacy, as they're designed to prevent online services from sharing information or tracking users across different services. Additionally, any biometric information used in the authentication process remains on the user's device and isn't transmitted across the network or to the service.
+
+### Passkeys compared to passwords
+
+Passkeys have several advantages over passwords, including their ease of use and intuitive nature. Unlike passwords, passkeys are easy to create, don't need to be remembered, and don't need to be safeguarded. Additionally, passkeys are unique to each website or application, preventing their reuse. They're highly secure because they're only stored on the user's devices, with the service only storing public keys. Passkeys are designed to prevent attackers to guess or obtain them, which helps to make them resistant to phishing attempts where the attacker may try to trick the user into revealing the private key. Passkeys are enforced by the browsers or operating systems to only be used for the appropriate service, rather than relying on human verification. Finally, passkeys provide cross-device and cross-platform authentication, meaning that a passkey from one device can be used to sign in on another device.
+
+[!INCLUDE [passkey](../../../../includes/licensing/passkeys.md)]
+
+## User experiences
+
+### Create a passkey
+
+Follow these steps to create a passkey from a Windows device:
+
+:::row:::
+  :::column span="4":::
+
+  1. Open a website or app that supports passkeys
+
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="4":::
+
+  2. Create a passkey from your account settings
+
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="4":::
+  3. Choose where to save the passkey. By default, Windows offers to save the passkey locally if you're using Windows Hello or Windows Hello for Business. If you select the option **Use another device**, you can choose to save the passkey in one of the following locations:
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+
+- **This Windows device**: the passkey is saved locally on your Windows device, and protected by Windows Hello (biometrics and PIN)
+- **iPhone, iPad or Android device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device
+- **Linked device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires the linked device to be in proximity of the Windows device, and it's only supported for Android devices
+- **Security key**: the passkey is saved to a FIDO2 security key, protected by the key's unlock mechanism (for example, biometrics or PIN)
+
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/save-passkey.png" alt-text="Screenshot showing a dialog box prompting the user to pick a location to store the passkey." lightbox="images/save-passkey.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="4":::
+  4. Select **Next**
+  :::column-end:::
+:::row-end:::
+
+Pick one of the following options to learn how to save a passkey, based on where you want to store it.
+
+#### [:::image type="icon" source="images/laptop.svg" border="false"::: **Windows device**](#tab/windows)
+
+:::row:::
+  :::column span="3":::
+
+  5. Select a Windows Hello verification method and proceed with the verification, then select **OK**
+
+  :::column-end:::
+  :::column span="1":::
+    :::image type="content" source="images/hello-save.png" alt-text="Screenshot showing the Windows Hello face verification method." lightbox="images/hello-save.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+
+  6. The passkey is saved to your Windows device. To confirm select **OK**
+
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/hello-save-confirm.png" alt-text="Screenshot confirming that the passkey is saved to the Windows device" lightbox="images/hello-save-confirm.png" border="false":::
+  :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/qr-code.svg" border="false"::: **New phone or tablet**](#tab/mobile)
+
+:::row:::
+  :::column span="3":::
+
+  5. Scan the QR code with your phone or tablet. Wait for the connection to the device to be established and follow the instructions to save the passkey
+
+  :::column-end:::
+  :::column span="1":::
+    :::image type="content" source="images/device-save-qr.png" alt-text="Screenshot showing the QR code asking the user to scan on the device." lightbox="images/device-save-qr.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+
+  6. Once the passkey is saved to your phone or tablet, select **OK**
+
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/device-save.png" alt-text="Screenshot confirming that the passkey is saved to the device." lightbox="images/device-save.png" border="false":::
+  :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/phone.svg" border="false"::: **Linked phone or tablet**](#tab/linked)
+
+:::row:::
+  :::column span="3":::
+
+  5. Once the connection to the linked device is established, follow the instructions on the device to save the passkey
+
+  :::column-end:::
+  :::column span="1":::
+    :::image type="content" source="images/linked-device-connect.png" alt-text="Screenshot showing the passkey save dialog connecting to a linked device." lightbox="images/linked-device-connect.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+
+  6. Once the passkey is saved to your linked device, select **OK**
+
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/linked-device-save.png" alt-text="Screenshot confirming that the passkey is saved to the linked device." lightbox="images/linked-device-save.png" border="false":::
+  :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/usb.svg" border="false"::: **Security key**](#tab/key)
+
+:::row:::
+  :::column span="3":::
+
+  5. Select **OK** to confirm that you want to set up a security key, and unlock the security key using the key's unlock mechanism
+
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/security-key-setup.png" alt-text="Screenshot showing a prompt to use a security key to store the passkey." lightbox="images/security-key-setup.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+
+  6. Once the passkey is saved to the security key, select **OK**
+
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/security-key-save.png" alt-text="Screenshot confirming that the passkey is saved to the security key." lightbox="images/security-key-save.png" border="false":::
+  :::column-end:::
+:::row-end:::
+
+---
+
+### Use a passkey
+
+Follow these steps to use a passkey:
+
+:::row:::
+  :::column span="3":::
+  1. Open a website or app that supports passkeys
+  :::column-end:::
+  :::column span="1":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+  2. Select **Sign in with a passkey**, or a similar option
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/website.png" alt-text="Screenshot of a website offering the passkey sign in option." lightbox="images/website.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+  3. If a passkey is stored locally and protected by Windows Hello, you're prompted to use Windows Hello to sign in. If you select the option **Use another device**, you can choose one of the following options:
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+- **This Windows device**: use this option to use a passkey that is stored locally on your Windows device, and protected by Windows Hello
+- **iPhone, iPad or Android device**: use this option if you want to sign in with a passkey stored on a phone or tablet. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device
+- **Linked device**: use this option if you want to sign in with a passkey stored on a device that is in proximity of the Windows device. This option is only supported for Android devices
+- **Security key**: use this option if you want to sign in with a passkey stored on a FIDO2 security key
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/use-passkey.png" alt-text="Screenshot of the passkey dialog prompting the user to pick where the passkey is stored." lightbox="images/use-passkey.png" border="false":::
+  :::column-end:::
+:::row-end:::
+
+Pick one of the following options to learn how to use a passkey, based on where you saved it.
+
+#### [:::image type="icon" source="images/laptop.svg" border="false"::: **Windows device**](#tab/windows)
+
+:::row:::
+  :::column span="3":::
+
+  4. Select a Windows Hello unlock option
+
+  :::column-end:::
+  :::column span="1":::
+    :::image type="content" source="images/hello-use.png" alt-text="Screenshot showing the Windows Hello prompt for a verification method." lightbox="images/hello-use.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+
+  5. Select **OK** to continue signing in
+
+  :::column-end:::
+  :::column span="1":::
+  :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/qr-code.svg" border="false"::: **Phone or tablet**](#tab/mobile)
+
+:::row:::
+  :::column span="3":::
+
+  4. Scan the QR code with your phone or tablet where you saved the passkey. Once the connection to the device is established, follow the instructions to use the passkey
+
+  :::column-end:::
+  :::column span="1":::
+    :::image type="content" source="images/device-use.png" alt-text="Screenshot showing the QR code to scan from your phone or tablet." lightbox="images/device-use.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="4":::
+
+  5. You're signed in to the website or app
+
+  :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/phone.svg" border="false"::: **Linked phone or tablet**](#tab/linked)
+
+:::row:::
+  :::column span="3":::
+
+  4. Once the connection to the linked device is established, follow the instructions on the device to use the passkey
+
+  :::column-end:::
+  :::column span="1":::
+    :::image type="content" source="images/linked-device-use.png" alt-text="Screenshot showing that the linked device is connected to Windows." lightbox="images/linked-device-use.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+
+  5. You're signed in to the website or app
+
+  :::column-end:::
+  :::column span="1":::
+  :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/usb.svg" border="false"::: **Security key**](#tab/key)
+
+:::row:::
+  :::column span="3":::
+
+  4. Unlock the security key using the key's unlock mechanism
+
+  :::column-end:::
+  :::column span="1":::
+    :::image type="content" source="images/security-key-use.png" alt-text="Screenshot showing a prompt asking the user to unlock the security key." lightbox="images/security-key-use.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+
+  5. You're signed in to the website or app
+
+  :::column-end:::
+  :::column span="1":::
+  :::column-end:::
+:::row-end:::
+
+---
+
+### Manage passkeys
+
+Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can use the Settings app to view and manage passkeys saved for apps or websites. Go to **Settings > Accounts > Passkeys**, or use the following shortcut:
+
+> [!div class="nextstepaction"]
+>
+> [Manage passkeys][MSS-1]
+
+- A list of saved passkeys is displayed and you can filter them by name
+- To delete a passkey, select **... > Delete passkey** next to the passkey name
+
+:::image type="content" source="images/delete-passkey.png" alt-text="Screenshot of the Settings app showing the delete option for a passkey." lightbox="images/delete-passkey.png" border="false":::
+
+> [!NOTE]
+> Some passkeys for *login.microsoft.com* can't be deleted, as they're used with Microsoft Entra ID and/or Microsoft Account for signing in to the device and Microsoft services.
+
+## :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback
+
+To provide feedback for passkeys, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passkey**.
+
+<!--links used in this document-->
+
+[FHUB]: feedback-hub:?tabid=2&newFeedback=true
+[KB-1]: https://support.microsoft.com/kb/5030310
+[MSS-1]: ms-settings:savedpasskeys
diff --git a/windows/security/identity-protection/passwordless-experience/images/edge-on.png b/windows/security/identity-protection/passwordless-experience/images/edge-on.png
new file mode 100644
index 0000000000..06a13b6f1a
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/edge-on.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/images/key-credential-provider.svg b/windows/security/identity-protection/passwordless-experience/images/key-credential-provider.svg
new file mode 100644
index 0000000000..dd8c09b2dd
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-experience/images/key-credential-provider.svg
@@ -0,0 +1,11 @@
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M1.81653 0H18.1835C19.1859 0 20 0.814095 20 1.81653V18.1835C20 19.1859 19.1859 20 18.1835 20H1.81653C0.814095 20 0 19.1859 0 18.1835V1.81653C0 0.814095 0.814095 0 1.81653 0Z" fill="#605E5C"/>
+<g clip-path="url(#clip0_111_2097)">
+<path d="M11.027 8.93146C10.9795 9.21812 11.061 9.51843 11.2714 9.73002L14.4419 12.9174C14.5641 13.0403 14.6252 13.1973 14.6252 13.3679V14.4736C14.6252 14.5418 14.5709 14.6033 14.4962 14.6033H13.2267C13.1588 14.6033 13.0977 14.5487 13.0977 14.4736V13.7092C13.0977 13.3542 12.8125 13.0676 12.4595 13.0676H11.5702V12.1735C11.5702 11.8186 11.285 11.5319 10.932 11.5319H10.0426V11.1497C10.0426 11.02 9.98153 10.904 9.8729 10.8289C9.76428 10.7606 9.6285 10.747 9.51309 10.7948C9.19401 10.9313 8.84098 11.02 8.49474 11.02C7.08263 11.02 5.9285 9.86652 5.9285 8.44004C5.9285 7.01355 7.06905 5.91468 8.49474 5.91468C9.92043 5.91468 11.061 7.06815 11.061 8.49464C11.061 8.63115 11.0406 8.76765 11.0135 8.92463L11.027 8.93146ZM5.17493 8.45369C5.17493 10.2965 6.6685 11.7981 8.50153 11.7981C8.77309 11.7981 9.03786 11.7571 9.28905 11.6957C9.30263 12.037 9.58098 12.31 9.92043 12.31H10.8098V13.2041C10.8098 13.559 11.0949 13.8457 11.4479 13.8457H12.3373V14.4872C12.3373 14.9787 12.7379 15.3814 13.2267 15.3814H14.4962C14.985 15.3814 15.3856 14.9787 15.3856 14.4872V13.3815C15.3856 13.0062 15.2362 12.6512 14.9782 12.3919L11.8078 9.20447C11.8078 9.20447 11.7602 9.12939 11.7738 9.08162C11.8078 8.90416 11.8281 8.71305 11.8281 8.51512C11.8281 6.65864 10.3413 5.15707 8.50153 5.15707C6.66171 5.15707 5.17493 6.59721 5.17493 8.45369ZM7.74116 7.04768C8.09419 7.04768 8.37933 7.33434 8.37933 7.68926C8.37933 8.04417 8.09419 8.33083 7.74116 8.33083C7.38814 8.33083 7.103 8.04417 7.103 7.68926C7.103 7.33434 7.38814 7.04768 7.74116 7.04768Z" fill="white"/>
+</g>
+<defs>
+<clipPath id="clip0_111_2097">
+<rect width="10.2106" height="10.2106" fill="white" transform="translate(5.17493 5.15707)"/>
+</clipPath>
+</defs>
+</svg>
diff --git a/windows/security/identity-protection/passwordless-experience/images/lock-screen-off.png b/windows/security/identity-protection/passwordless-experience/images/lock-screen-off.png
new file mode 100644
index 0000000000..ccfade47d9
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/lock-screen-off.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/images/lock-screen-on.png b/windows/security/identity-protection/passwordless-experience/images/lock-screen-on.png
new file mode 100644
index 0000000000..abb9b6456d
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/lock-screen-on.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/images/uac-off.png b/windows/security/identity-protection/passwordless-experience/images/uac-off.png
new file mode 100644
index 0000000000..8913baa8ce
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/uac-off.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/images/uac-on.png b/windows/security/identity-protection/passwordless-experience/images/uac-on.png
new file mode 100644
index 0000000000..b0d03a6299
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/uac-on.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/index.md b/windows/security/identity-protection/passwordless-experience/index.md
new file mode 100644
index 0000000000..7ea73c4603
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-experience/index.md
@@ -0,0 +1,143 @@
+---
+title: Windows passwordless experience
+description: Learn how Windows passwordless experience enables your organization to move away from passwords.
+ms.collection: 
+  - highpri
+  - tier1
+ms.date: 09/27/2023
+ms.topic: how-to
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+---
+
+# Windows passwordless experience
+
+Starting in Windows 11, version 22H2 with [KB5030310][KB-1], *Windows passwordless experience* is a security policy that promotes a user experience without passwords on Microsoft Entra joined devices.\
+When the policy is enabled, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords.
+
+With Windows passwordless experience, users who sign in with Windows Hello or a FIDO2 security key:
+
+- Can't use the password credential provider on the Windows lock screen
+- Aren't prompted to use a password during in-session authentications (for example, UAC elevation, password manager in the browser, etc.)
+- Don't have the option *Accounts > Change password* in the Settings app
+  
+  >[!NOTE]
+  >Users can reset their password using <kbd>CTRL</kbd>+<kbd>ALT</kbd>+<kbd>DEL</kbd> > **Manage your account**
+
+Windows passwordless experience doesn't affect the initial sign-in experience and local accounts. It only applies to subsequent sign-ins for Microsoft Entra accounts. It also doesn't prevent a user from signing in with a password when using the *Other user* option in the lock screen.\
+The password credential provider is hidden only for the last signed in user who signed in Windows Hello or a FIDO2 security key. Windows passwordless experience isn't about preventing users from using passwords, rather to guide and educate them to not use passwords.
+
+This article explains how to enable Windows passwordless experience and describes the user experiences.
+
+>[!TIP]
+> Windows Hello for Business users can achieve passwordless sign-in from the first sign-in using the Web sign-in feature. For more information about Web sign-in, see [Web sign-in for Windows devices](../web-sign-in/index.md).
+
+## System requirements
+
+Windows passwordless experience has the following requirements:
+
+- Windows 11, version 22H2 with [KB5030310][KB-1] or later
+- Microsoft Entra joined
+- Windows Hello for Business credentials enrolled for the user, or a FIDO2 security key
+- MDM-managed: Microsoft Intune or other MDM solution
+
+>[!NOTE]
+>Microsoft Entra hybrid joined devices and Active Directory domain joined devices are currently out of scope.
+
+[!INCLUDE [windows-passwordless-experience](../../../../includes/licensing/windows-passwordless-experience.md)]
+
+## Enable Windows passwordless experience with Intune
+
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Authentication** | Enable Passwordless Experience | Enabled |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-2] with the [Policy CSP][CSP-1].
+
+| Setting |
+|--------|
+| - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience`<br>- **Data type:** int<br>- **Value:** `1`|
+
+## User experiences
+
+### Lock screen experience
+
+:::row:::
+  :::column span="3":::
+  **Passwordless experience turned off**: users can sign in using a password, as indicated by the presence of the password credential provider  :::image type="icon" source="images/key-credential-provider.svg" border="false"::: in the Windows lock screen.
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/lock-screen-off.png" lightbox="images/lock-screen-off.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint, PIN and password credential providers.":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+  **Passwordless experience turned on**: the password credential provider :::image type="icon" source="images/key-credential-provider.svg" border="false"::: is missing for the last user who signed in with strong credentials. A user can either sign in using a strong credential or opt to use the *Other user* option to sign in with a password.
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/lock-screen-on.png" lightbox="images/lock-screen-on.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint and PIN credential providers only. The password credential provider is missing.":::
+  :::column-end:::
+:::row-end:::
+
+### In-session authentication experiences
+
+When Windows passwordless experience is enabled, users can't use the password credential provider for in-session authentication scenarios. In-session authentication scenarios include:
+
+- Password Manager in a web browser
+- Connecting to file shares or intranet sites
+- User Account Control (UAC) elevation, except if a local user account is used for elevation
+
+>[!NOTE]
+> RDP sign in defaults to the credential provider used during sign-in. However, a user can select the option *Use a different account* to sign in with a password.
+>
+> *Run as different user* is not impacted by Windows passwordless experience.
+
+Example of UAC elevation experience:
+
+:::row:::
+  :::column span="3":::
+  **Passwordless experience turned off**: UAC elevation allows the user to authenticate using a password.
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/uac-off.png" lightbox="images/uac-off.png" alt-text="Screenshot of the UAC prompt showing username and password fields.":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+  **Passwordless experience turned on**: UAC elevation doesn't allow the user to use the password credential provider for the currently logged on user. The user can authenticate using Windows Hello, a FIDO2 security key or a local user account, if available.
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/uac-on.png" lightbox="images/uac-on.png" alt-text="Screenshot of the UAC prompt showing fingerprint and PIN options only.":::
+  :::column-end:::
+:::row-end:::
+
+## Recommendations
+
+Here's a list of recommendations to consider before enabling Windows passwordless experience:
+
+- If Windows Hello for Business is enabled, configure the [PIN reset](../hello-for-business/hello-feature-pin-reset.md) feature to allow users to reset their PIN from the lock screen. The PIN reset experience is improved starting in Windows 11, version 22H2 with [KB5030310][KB-1]
+- Don't configure the security policy *Interactive logon: Don't display last signed-in*, as it prevents Windows passwordless experience from working
+- Don't disable the password credential provider using the *Exclude credential providers* policy. The key differences between the two policies are:
+  - The Exclude credential providers policy disables passwords for *all accounts*, including local accounts. Windows passwordless experience only applies to Microsoft Entra accounts that sign in with Windows Hello or a FIDO2 security key. It also excludes *Other User* from the policy, so users have a backup sign in option
+  - Exclude credential providers policy prevents the use of passwords for RDP and *Run as* authentication scenarios
+- To facilitate helpdesk support operations, consider enabling the local administrator account or create a separate one, randomizing its password using the [Windows Local Administrator Password Solution (LAPS)][SERV-1]
+
+## Known issues
+
+There's a known issue affecting the in-session authentication experience when using FIDO2 security keys, where security keys aren't always an available option. The product group is aware of this behavior and plans to improve this in the future.
+
+### :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback
+
+To provide feedback for Windows passwordless experience, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passwordless experience**.
+
+<!--links used in this document-->
+
+[CSP-1]: /windows/client-management/mdm/policy-csp-authentication#enablepasswordlessexperience
+[FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1
+[INT-2]: /mem/intune/configuration/custom-settings-windows-10
+[KB-1]: https://support.microsoft.com/kb/5030310
+[SERV-1]: /windows-server/identity/laps/laps-overview
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 7351dd93ae..5c99653fe4 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -211,8 +211,8 @@ For more information about LAPS, see [What is Windows LAPS][LEARN-1].
 Here are some additional considerations for Remote Credential Guard:
 
 - Remote Credential Guard doesn't support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied
-- Remote Credential Guard can be used only when connecting to a device that is joined to an Active Directory domain. It can't be used when connecting to remote devices joined to Azure Active Directory (Azure AD)
-- Remote Credential Guard can be used from an Azure AD joined client to connect to an Active Directory joined remote host, as long as the client can authenticate using Kerberos
+- Remote Credential Guard can be used only when connecting to a device that is joined to an Active Directory domain. It can't be used when connecting to remote devices joined to Microsoft Entra ID
+- Remote Credential Guard can be used from a Microsoft Entra joined client to connect to an Active Directory joined remote host, as long as the client can authenticate using Kerberos
 - Remote Credential Guard only works with the RDP protocol
 - No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own
 - The server and client must authenticate using Kerberos
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index f3f0e7de99..81d22a9785 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -411,7 +411,7 @@ The following smart card-related Group Policy settings are in Computer Configura
 
 | Group Policy setting and registry key    |  Default   | Description   |
 |------------------------------------------|------------|---------------|
-| Interactive logon: Require smart card<br><br>**scforceoption**   |  Disabled        | This security policy setting requires users to sign in to a computer by using a smart card.<br><br>**Enabled**  Users can sign in to the computer only by using a smart card.<br>**Disabled**  Users can sign in to the computer by using any method.         |
+| Interactive logon: Require smart card<br><br>**scforceoption**   |  Disabled        | This security policy setting requires users to sign in to a computer by using a smart card.<br><br>**Enabled**  Users can sign in to the computer only by using a smart card.<br>**Disabled**  Users can sign in to the computer by using any method.<br><br>NOTE: the Windows LAPS-managed local account is exempted from this policy when Enabled. For more information see [Windows LAPS integration with smart card policy](/windows-server/identity/laps/laps-concepts#windows-laps-integration-with-smart-card-policy).<br>         |
 | Interactive logon: Smart card removal behavior<br><br>**scremoveoption** | This policy setting isn't defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:<br>**No Action**<br>**Lock Workstation**: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session.<br>**Force Logoff**: The user is automatically signed out when the smart card is removed.<br>**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.<br><br>**Note**: In earlier versions of Windows Server, Remote Desktop Services was called Terminal Services.  |
 
 From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential delegation for local or domain computers.
diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml
index 2b006e3ca0..5762bfaf81 100644
--- a/windows/security/identity-protection/toc.yml
+++ b/windows/security/identity-protection/toc.yml
@@ -3,16 +3,18 @@ items:
     href: index.md
   - name: Passwordless sign-in
     items:
-    - name: Windows Hello for Business 🔗
-      href: hello-for-business/index.md
+    - name: Passwordless strategy
+      href: hello-for-business/passwordless-strategy.md
+    - name: Windows Hello for Business
+      href: hello-for-business/toc.yml
     - name: Windows presence sensing
       href: https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb
-    - name: Windows Hello for Business Enhanced Security Sign-in (ESS) 🔗
-      href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
-    - name: FIDO 2 security key 🔗
+    - name: FIDO2 security key 🔗
       href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key
-    - name: Federated sign-in 🔗
-      href: /education/windows/federated-sign-in
+    - name: Windows passwordless experience
+      href: passwordless-experience/index.md
+    - name: Passkeys
+      href: passkeys/index.md
     - name: Smart Cards
       href: smart-cards/toc.yml
     - name: Virtual smart cards
@@ -20,6 +22,10 @@ items:
       displayName: VSC
     - name: Enterprise Certificate Pinning
       href: enterprise-certificate-pinning.md
+  - name: Web sign-in
+    href: web-sign-in/index.md
+  - name: Federated sign-in 🔗
+    href: /education/windows/federated-sign-in
   - name: Advanced credential protection
     items:
     - name: Windows LAPS (Local Administrator Password Solution) 🔗
diff --git a/windows/security/identity-protection/web-sign-in/images/lock-screen.png b/windows/security/identity-protection/web-sign-in/images/lock-screen.png
new file mode 100644
index 0000000000..dfe0a0687e
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/lock-screen.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.gif
new file mode 100644
index 0000000000..499f39dbb5
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.gif differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.png
new file mode 100644
index 0000000000..be213d4500
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-credential-provider.svg b/windows/security/identity-protection/web-sign-in/images/web-sign-in-credential-provider.svg
new file mode 100644
index 0000000000..1afb38e115
--- /dev/null
+++ b/windows/security/identity-protection/web-sign-in/images/web-sign-in-credential-provider.svg
@@ -0,0 +1,4 @@
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M1.81653 0.5H18.1835C18.9098 0.5 19.5 1.09024 19.5 1.81653V18.1835C19.5 18.9098 18.9098 19.5 18.1835 19.5H1.81653C1.09024 19.5 0.5 18.9098 0.5 18.1835V1.81653C0.5 1.09024 1.09024 0.5 1.81653 0.5Z" fill="#464646" stroke="#C4C4C4"/>
+<path d="M10 4.33337C10.5508 4.33337 11.082 4.40564 11.5937 4.55017C12.1055 4.6908 12.584 4.89197 13.0293 5.15369C13.4746 5.4115 13.8789 5.724 14.2422 6.09119C14.6094 6.45447 14.9219 6.85876 15.1797 7.30408C15.4414 7.74939 15.6426 8.22791 15.7832 8.73962C15.9277 9.25134 16 9.78259 16 10.3334C16 10.8842 15.9277 11.4154 15.7832 11.9271C15.6426 12.4388 15.4414 12.9174 15.1797 13.3627C14.9219 13.808 14.6094 14.2142 14.2422 14.5814C13.8789 14.9447 13.4746 15.2572 13.0293 15.5189C12.584 15.7767 12.1055 15.9779 11.5937 16.1224C11.082 16.2631 10.5508 16.3334 10 16.3334C9.44922 16.3334 8.91797 16.2631 8.40625 16.1224C7.89453 15.9779 7.41601 15.7767 6.9707 15.5189C6.52539 15.2572 6.11914 14.9447 5.75195 14.5814C5.38867 14.2142 5.07617 13.808 4.81445 13.3627C4.55664 12.9174 4.35547 12.4408 4.21094 11.933C4.07031 11.4213 4 10.8881 4 10.3334C4 9.78259 4.07031 9.25134 4.21094 8.73962C4.35547 8.22791 4.55664 7.74939 4.81445 7.30408C5.07617 6.85876 5.38867 6.45447 5.75195 6.09119C6.11914 5.724 6.52539 5.4115 6.9707 5.15369C7.41601 4.89197 7.89258 4.6908 8.40039 4.55017C8.91211 4.40564 9.44531 4.33337 10 4.33337ZM14.7402 8.08337C14.5918 7.76697 14.4121 7.47009 14.2012 7.19275C13.9902 6.9115 13.7559 6.65564 13.498 6.42517C13.2402 6.1947 12.9609 5.98962 12.6602 5.80994C12.3594 5.63025 12.0449 5.48376 11.7168 5.37048C11.8574 5.5658 11.9844 5.77283 12.0977 5.99158C12.2109 6.21033 12.3105 6.43689 12.3965 6.67126C12.4863 6.90173 12.5625 7.13611 12.625 7.37439C12.6875 7.61267 12.7422 7.849 12.7891 8.08337H14.7402ZM15.25 10.3334C15.25 9.81384 15.1777 9.31384 15.0332 8.83337H12.9062C12.9375 9.08337 12.9609 9.33337 12.9766 9.58337C12.9922 9.82947 13 10.0795 13 10.3334C13 10.5873 12.9922 10.8392 12.9766 11.0892C12.9609 11.3353 12.9375 11.5834 12.9062 11.8334H15.0332C15.1777 11.3529 15.25 10.8529 15.25 10.3334ZM10 15.5834C10.1914 15.5834 10.3691 15.5306 10.5332 15.4252C10.7012 15.3197 10.8555 15.181 10.9961 15.0092C11.1367 14.8373 11.2617 14.6439 11.3711 14.4291C11.4844 14.2103 11.584 13.9896 11.6699 13.767C11.7559 13.5443 11.8281 13.3295 11.8867 13.1224C11.9453 12.9154 11.9902 12.7357 12.0215 12.5834H7.97851C8.00976 12.7357 8.05469 12.9154 8.11328 13.1224C8.17187 13.3295 8.24414 13.5443 8.33008 13.767C8.41601 13.9896 8.51367 14.2103 8.62305 14.4291C8.73633 14.6439 8.86328 14.8373 9.0039 15.0092C9.14453 15.181 9.29687 15.3197 9.46094 15.4252C9.6289 15.5306 9.80859 15.5834 10 15.5834ZM12.1504 11.8334C12.1816 11.5834 12.2051 11.3353 12.2207 11.0892C12.2402 10.8392 12.25 10.5873 12.25 10.3334C12.25 10.0795 12.2402 9.82947 12.2207 9.58337C12.2051 9.33337 12.1816 9.08337 12.1504 8.83337H7.84961C7.81836 9.08337 7.79297 9.33337 7.77344 9.58337C7.75781 9.82947 7.75 10.0795 7.75 10.3334C7.75 10.5873 7.75781 10.8392 7.77344 11.0892C7.79297 11.3353 7.81836 11.5834 7.84961 11.8334H12.1504ZM4.75 10.3334C4.75 10.8529 4.82226 11.3529 4.9668 11.8334H7.09375C7.0625 11.5834 7.03906 11.3353 7.02344 11.0892C7.00781 10.8392 7 10.5873 7 10.3334C7 10.0795 7.00781 9.82947 7.02344 9.58337C7.03906 9.33337 7.0625 9.08337 7.09375 8.83337H4.9668C4.82226 9.31384 4.75 9.81384 4.75 10.3334ZM10 5.08337C9.80859 5.08337 9.6289 5.13611 9.46094 5.24158C9.29687 5.34705 9.14453 5.48572 9.0039 5.65759C8.86328 5.82947 8.73633 6.02478 8.62305 6.24353C8.51367 6.45837 8.41601 6.67712 8.33008 6.89978C8.24414 7.12244 8.17187 7.33728 8.11328 7.54431C8.05469 7.75134 8.00976 7.93103 7.97851 8.08337H12.0215C11.9902 7.93103 11.9453 7.75134 11.8867 7.54431C11.8281 7.33728 11.7559 7.12244 11.6699 6.89978C11.584 6.67712 11.4844 6.45837 11.3711 6.24353C11.2617 6.02478 11.1367 5.82947 10.9961 5.65759C10.8555 5.48572 10.7012 5.34705 10.5332 5.24158C10.3691 5.13611 10.1914 5.08337 10 5.08337ZM8.2832 5.37048C7.95508 5.48376 7.64062 5.63025 7.33984 5.80994C7.03906 5.98962 6.75976 6.1947 6.50195 6.42517C6.24414 6.65564 6.00976 6.9115 5.79883 7.19275C5.58789 7.47009 5.4082 7.76697 5.25976 8.08337H7.21094C7.25781 7.849 7.3125 7.61267 7.375 7.37439C7.4375 7.13611 7.51172 6.90173 7.59765 6.67126C7.6875 6.43689 7.78906 6.21033 7.90234 5.99158C8.01562 5.77283 8.14258 5.5658 8.2832 5.37048ZM5.25976 12.5834C5.4082 12.8998 5.58789 13.1986 5.79883 13.4799C6.00976 13.7572 6.24414 14.0111 6.50195 14.2416C6.75976 14.472 7.03906 14.6771 7.33984 14.8568C7.64062 15.0365 7.95508 15.183 8.2832 15.2963C8.14258 15.101 8.01562 14.8939 7.90234 14.6752C7.78906 14.4564 7.6875 14.2318 7.59765 14.0013C7.51172 13.767 7.4375 13.5306 7.375 13.2924C7.3125 13.0541 7.25781 12.8177 7.21094 12.5834H5.25976ZM11.7168 15.2963C12.0449 15.183 12.3594 15.0365 12.6602 14.8568C12.9609 14.6771 13.2402 14.472 13.498 14.2416C13.7559 14.0111 13.9902 13.7572 14.2012 13.4799C14.4121 13.1986 14.5918 12.8998 14.7402 12.5834H12.7891C12.7422 12.8177 12.6875 13.0541 12.625 13.2924C12.5625 13.5306 12.4863 13.767 12.3965 14.0013C12.3105 14.2318 12.2109 14.4564 12.0977 14.6752C11.9844 14.8939 11.8574 15.101 11.7168 15.2963Z" fill="white"/>
+</svg>
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.gif
new file mode 100644
index 0000000000..403c7fb609
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.gif differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.png
new file mode 100644
index 0000000000..f22395fbd7
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.gif
new file mode 100644
index 0000000000..9ae9f3c92f
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.gif differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.png
new file mode 100644
index 0000000000..e3b341d814
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-preferred-tenant.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-preferred-tenant.png
new file mode 100644
index 0000000000..01d91be145
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-preferred-tenant.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.gif
new file mode 100644
index 0000000000..b677b87480
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.gif differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.png
new file mode 100644
index 0000000000..18c20dd4fd
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.png differ
diff --git a/windows/security/identity-protection/web-sign-in/index.md b/windows/security/identity-protection/web-sign-in/index.md
new file mode 100644
index 0000000000..f13acff6dd
--- /dev/null
+++ b/windows/security/identity-protection/web-sign-in/index.md
@@ -0,0 +1,172 @@
+---
+title: Web sign-in for Windows
+description: Learn how Web sign-in in Windows works, key scenarios, and how to configure it.
+ms.date: 09/27/2023
+ms.topic: how-to
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+ms.collection:
+  - highpri
+  - tier1
+---
+
+# Web sign-in for Windows
+
+Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can enable a web-based sign-in experience on Microsoft Entra joined devices, unlocking new sign-in options and capabilities.
+This feature is called *Web sign-in*.
+
+Web sign-in is a *credential provider*, and it was initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in are expanded.\
+For example, you can sign in with the Microsoft Authenticator app or with a SAML-P federated identity.
+
+This article describes how to configure Web sign-in and the supported key scenarios.
+
+## System requirements
+
+To use web sign-in, the clients must meet the following prerequisites:
+
+- Windows 11, version 22H2 with [5030310][KB-1], or later
+- Must be [Microsoft Entra joined](/entra/identity/devices/concept-directory-join)
+- Must have Internet connectivity, as the authentication is done over the Internet
+
+[!INCLUDE [federated-sign-in](../../../../includes/licensing/web-sign-in.md)]
+
+## Configure web sign-in
+
+To use web sign-in, your devices must be configured with different policies. Review the following instructions to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
+
+#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
+
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| Authentication | Enable Web Sign In | Enabled |
+| Authentication | Configure Web Sign In Allowed Urls | This setting is optional, and it contains a list of domains required for sign in, for example:<br>- `idp.example.com`<br>- `example.com` |
+| Authentication | Configure Webcam Access Domain Names | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, for example: `example.com` |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the following settings:
+
+| OMA-URI | More information |
+|-|-|
+| `./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn`| [EnableWebSignIn](/windows/client-management/mdm/policy-csp-authentication#enablewebsignin) |
+| `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`|[ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#configurewebsigninallowedurls)|
+| `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`|[ConfigureWebcamAccessDomainNames](/windows/client-management/mdm/policy-csp-authentication#configurewebcamaccessdomainnames)|
+
+#### [:::image type="icon" source="../../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
+
+[!INCLUDE [provisioning-package-1](../../../../includes/configure/provisioning-package-1.md)]
+
+| Path | Setting name | Value |
+|--|--|--|
+| `Policies/Authentication` | `EnableWebSignIn` | Enabled |
+| `Policies/Authentication` | `ConfigureWebSignInAllowedUrls` | This setting is optional, and it contains a semicolon-separated list of domains required for sign in, for example: `idp.example.com;example.com` |
+| `Policies/Authentication` | `ConfigureWebCamAccessDomainNames` | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `example.com` |
+
+[!INCLUDE [provisioning-package-2](../../../../includes/configure/provisioning-package-2.md)]
+
+---
+
+## User experiences
+
+Once the devices are configured, a new sign-in experience becomes available, as indicated by the presence of the Web sign-in credential provider :::image type="icon" source="images/web-sign-in-credential-provider.svg" border="false"::: in the Windows lock screen.
+
+:::image type="content" source="images/lock-screen.png" border="false" lightbox="images/lock-screen.png" alt-text="Screenshot of the Windows lock screen showing the Web sign-in credential provider.":::
+
+Here's a list of key scenarios supported by Web sign-in, and a brief animation showing the user experience. Select the thumbnail to start the animation.
+
+### Passwordless sign-in
+:::row:::
+  :::column span="3":::
+  Users can sign in to Windows passwordless, even before enrolling in Windows Hello for Business. For example, by using the Microsoft Authenticator app as a sign-in method.
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/web-sign-in-authenticator.png" border="false" lightbox="images/web-sign-in-authenticator.gif" alt-text="Animation of the Web sign-in experience with Microsoft Authenticator.":::
+  :::column-end:::
+:::row-end:::
+
+> [!TIP]
+> When used in conjuction with *Windows Hello for Business passwordless*, you can hide the password credential provider from the lock screen as well as in-session authentication scenarios. This enables a truly passwordless Windows experience.
+
+To learn more:
+- [Enable passwordless sign-in with Microsoft Authenticator][AAD-1]
+- [Passwordless authentication options for Microsoft Entra ID][AAD-2]
+- [Windows passwordless experience](../passwordless-experience/index.md)
+
+### Windows Hello for Business PIN reset
+
+:::row:::
+  :::column span="3":::
+  The Windows Hello PIN reset flow is seamless and more robust than in previous versions.
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/web-sign-in-pin-reset.png" border="false" lightbox="images/web-sign-in-pin-reset.gif" alt-text="Animation of the PIN reset in experience.":::
+  :::column-end:::
+:::row-end:::
+
+For more information, see [PIN reset](../hello-for-business/hello-feature-pin-reset.md).
+
+### Temporary Access Pass (TAP)
+
+:::row:::
+  :::column span="3":::
+  A Temporary Access Pass (TAP) is a time-limited passcode granted by an administrator to a user. Users can sign in with a TAP using the Web sign-in credential provider. For example:
+
+  - to onboard Windows Hello for Business or a FIDO2 security key
+  - if lost or forgotten FIDO2 security key and unknown password
+
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/web-sign-in-tap.png" border="false" lightbox="images/web-sign-in-tap.gif" alt-text="Animation of the TAP sign in experience.":::
+  :::column-end:::
+:::row-end:::
+
+For more information, see [Use a Temporary Access Pass][AAD-3].
+
+### Sign in with a federated identity
+
+:::row:::
+  :::column span="3":::
+  If the Microsoft Entra tenant is federated with a third-party SAML-P identity provider (IdP), federated users can sign using the Web sign-in credential provider.
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/web-sign-in-federated-auth.png" border="false" lightbox="images/web-sign-in-federated-auth.gif" alt-text="Animation of the sign in experience with a federated user.":::
+  :::column-end:::
+:::row-end:::
+
+> [!TIP]
+> To improve the user experience for federated identities:
+>
+> - Configure the *preferred Microsoft Entra tenant name* feature, which allows users to select the domain name during the sign-in process. The users are then automatically redirected to the identity provider sign-in page.
+> - Enable Windows Hello for Business. Once the user signs in, the user can enroll in Windows Hello for Business and then use it to sign in to the device
+
+For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-1].
+
+## Important considerations
+
+Here's a list of important considerations to keep in mind when configuring or using Web sign-in:
+
+- Cached credentials aren't supported with Web sign-in. If the device is offline, the user can't use the Web sign-in credential provider to sign in
+- After sign out, the user isn't displayed in the user selection list
+- Once enabled, the Web sign-in credential provider is the default credential provider for new users signing in to the device. To change the default credential provider, you can use the [DefaultCredentialProvider][WIN-2] ADMX-backed policy
+- The user can exit the Web sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the Windows lock screen
+
+### Known issues
+
+- If you attempt to sign in while the device is offline, you get the following message: *It doesn't look that you're connected to the Internet. Check your connection and try again*. Selecting the *Back to sign-in* option doesn't bring you back to the lock screen. As a workaround, you can press <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the lock screen.
+
+### :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback
+
+To provide feedback for web sign-in, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passwordless experience**.
+
+<!--links-->
+
+[AAD-1]: /azure/active-directory/authentication/howto-authentication-passwordless-phone
+[AAD-2]: /azure/active-directory/authentication/concept-authentication-passwordless
+[AAD-3]: /azure/active-directory/authentication/howto-authentication-temporary-access-pass
+[FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1
+[INT-1]: /mem/intune/configuration/custom-settings-windows-10
+[KB-1]: https://support.microsoft.com/kb/5030310
+[WIN-1]: /windows/client-management/mdm/policy-csp-authentication#preferredaadtenantdomainname
+[WIN-2]: /windows/client-management/mdm/policy-csp-admx-credentialproviders#defaultcredentialprovider
diff --git a/windows/security/images/icons/feedback.svg b/windows/security/images/icons/feedback.svg
new file mode 100644
index 0000000000..2ecd143695
--- /dev/null
+++ b/windows/security/images/icons/feedback.svg
@@ -0,0 +1,3 @@
+<svg width="42" height="40" viewBox="0 0 42 40" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M27.27 21C27.03 21 26.78 20.96 26.54 20.88C25.6 20.57 25 19.73 25 18.75V15.94C22.74 15.58 21 13.61 21 11.25V4.75C21 2.13 23.13 0 25.75 0H37.25C39.87 0 42 2.13 42 4.75V11.25C42 13.87 39.87 16 37.25 16H32.13L29.05 20.1C28.61 20.68 27.96 21 27.27 21ZM13 23.5C8.86 23.5 5.5 20.14 5.5 16C5.5 11.86 8.86 8.5 13 8.5C17.14 8.5 20.5 11.86 20.5 16C20.5 20.14 17.14 23.5 13 23.5ZM0 30.79C0 30.88 0.15 40 13 40C25.85 40 26 30.88 26 30.79V29.75C26 27.68 24.32 26 22.25 26H3.75C1.68 26 0 27.68 0 29.75V30.79Z" fill="#0078D4"/>
+</svg>
diff --git a/windows/security/images/icons/key.svg b/windows/security/images/icons/key.svg
new file mode 100644
index 0000000000..c9df33c18f
--- /dev/null
+++ b/windows/security/images/icons/key.svg
@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 2048 2048" width="18" height="18" >
+  <path d="M2048 1573v475h-512v-256h-256v-256h-256v-207q-74 39-155 59t-165 20q-97 0-187-25t-168-71-142-110-111-143-71-168T0 704q0-97 25-187t71-168 110-142T349 96t168-71T704 0q97 0 187 25t168 71 142 110 111 143 71 168 25 187q0 51-8 101t-23 98l671 670zM512 704q40 0 75-15t61-41 41-61 15-75q0-40-15-75t-41-61-61-41-75-15q-40 0-75 15t-61 41-41 61-15 75q0 40 15 75t41 61 61 41 75 15z"  fill="#0078D4" />
+</svg>
\ No newline at end of file
diff --git a/windows/security/images/icons/provisioning-package.svg b/windows/security/images/icons/provisioning-package.svg
new file mode 100644
index 0000000000..dbbad7d780
--- /dev/null
+++ b/windows/security/images/icons/provisioning-package.svg
@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
+  <path d="M1544 128q75 0 143 30t120 82 82 120 31 144v328q0 26-19 45t-45 19q-26 0-45-19t-19-45V507q0-50-20-95t-55-80-80-55-96-21H346q16 15 27 28t11 36q0 26-19 45t-45 19q-26 0-45-19L147 237q-19-19-19-45t19-45L275 19q19-19 45-19t45 19 19 45q0 23-11 36t-27 28h1198zm-57 896q0 24 22 43t50 39 50 46 23 63q0 21-12 51t-30 61-37 59-33 44q-31 37-79 37-20 0-42-8t-44-17-41-17-35-8q-15 0-24 6t-14 15-8 20-5 24l-17 91q-6 34-25 52t-45 27-55 10-57 2h-5q-27 0-58-1t-58-11-47-28-26-53l-20-116q-2-14-14-26t-28-12q-20 0-40 7t-42 17-43 17-43 8q-50 0-80-37-14-16-32-43t-35-59-29-61-12-52q0-39 22-64t50-45 49-38 23-43q0-25-22-43t-50-39-50-45-23-64q0-22 12-52t30-60 37-58 33-45q31-37 79-37 20 0 42 7t43 17 40 17 36 8q21 0 32-11t16-30 8-41 7-46 11-45 24-38q12-12 29-19t37-10 40-5 39-1h15q27 0 57 1t58 11 46 28 26 53l20 116q3 18 16 27t31 10q17 0 37-7t41-17 42-17 42-8q23 0 44 10t36 28q14 17 32 44t36 58 29 61 12 52q0 39-22 64t-50 45-49 38-23 43zm-128 0q0-37 12-64t31-50 45-42 52-42q-13-30-29-58t-36-54q-36 13-76 29t-80 16q-24 0-44-6t-42-18q-33-19-51-42t-27-51-13-59-11-67q-16-2-32-3t-33-1q-17 0-33 1t-32 3q-7 35-11 66t-14 58-28 52-51 43q-21 13-41 18t-45 6q-40 0-79-16t-76-30q-38 51-66 112 26 22 51 42t45 42 32 50 12 65q0 37-12 64t-31 50-45 42-52 42q13 30 29 58t36 54q35-13 74-29t79-16q32 0 61 10t52 30 39 46 22 58l17 99q17 2 32 3t33 1q17 0 33-1t33-3q5-30 9-59t13-57 24-52 43-43q23-15 48-23t53-9q18 0 38 5t40 12 39 15 37 14q38-51 66-112-26-22-51-42t-45-42-32-50-12-65zm-207 0q0 27-10 50t-27 40-41 28-50 10q-27 0-50-10t-41-27-27-40-10-51q0-27 10-50t27-40 41-28 50-10q26 0 49 10t41 27 28 41 10 50zm768 832q0 26-19 45l-128 128q-19 19-45 19t-45-19-19-45q0-23 11-36t27-28H504q-75 0-143-30t-120-82-82-120-31-144v-328q0-26 19-45t45-19q26 0 45 19t19 45v325q0 50 20 95t55 80 80 55 96 21h1195q-14-14-26-28t-12-36q0-26 19-45t45-19q26 0 45 19l128 128q19 19 19 45z" fill="#0078D4" />
+</svg>
\ No newline at end of file
diff --git a/windows/security/includes/sections/application.md b/windows/security/includes/sections/application.md
index 34f9e6a785..8b6b510ef4 100644
--- a/windows/security/includes/sections/application.md
+++ b/windows/security/includes/sections/application.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
@@ -10,17 +10,17 @@ ms.topic: include
 | Feature name | Description |
 |:---|:---|
 | **[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections, by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run that are predicted to be safe based on existing and new intelligence processed daily. Smart App Control builds on top of the same cloud-based AI used in Windows Defender Application Control (WDAC) to predict the safety of an application, so people can be confident they're using safe and reliable applications on their new Windows 11 devices, or Windows 11 devices that have been reset. |
-| **[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)** |  |
 | **[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means for addressing the threat of executable file-based malware.<br><br>Windows 10 and above include Windows Defender Application Control (WDAC) and AppLocker. WDAC is the next generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to WDAC for the stronger protection. |
+| **[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)** |  |
 | **[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)** | User Account Control (UAC) helps prevent malware from damaging a device. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevents inadvertent changes to system settings. Enabling UAC helps to prevent malware from altering device settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. |
-| **[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. |
+| **[Microsoft vulnerable driver blocklist](/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. |
 
 ## Application isolation
 
 | Feature name | Description |
 |:---|:---|
-| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
-| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
+| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
+| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
 | **Microsoft Defender Application Guard (MDAG) public APIs** | Enable applications using them to be isolated Hyper-V based container, which is separate from the host operating system. |
 | **[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)** | Application Guard protects Office files including Word, PowerPoint, and Excel. Application icons have a small shield if Application Guard has been enabled and they are under protection. |
 | **[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)** | The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. |
diff --git a/windows/security/includes/sections/cloud-services.md b/windows/security/includes/sections/cloud-services.md
index 07fc5b88b5..efde3a725d 100644
--- a/windows/security/includes/sections/cloud-services.md
+++ b/windows/security/includes/sections/cloud-services.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
@@ -9,10 +9,10 @@ ms.topic: include
 
 | Feature name | Description |
 |:---|:---|
-| **[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)** | Microsoft Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. |
-| **[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. <br><br>Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
+| **[Active Directory domain join, Microsoft Entra join, and Microsoft Entra hybrid join with single sign-on (SSO)](/azure/active-directory/devices/concept-directory-join)** | Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. |
+| **[Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. <br><br>Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
 | **[Remote wipe](/windows/client-management/mdm/remotewipe-csp)** | When a device is lost or stolen, IT administrators may want to remotely wipe data stored on the device. A helpdesk agent may also want to reset devices to fix issues encountered by remote workers. <br><br>With the Remote Wipe configuration service provider (CSP), an MDM solution can remotely initiate any of the following operations on a Windows device: reset the device and remove user accounts and data, reset the device and clean the drive, reset the device but persist user accounts and data. |
 | **[Modern device management through (MDM)](/windows/client-management/mdm-overview)** | Windows 11 supports modern device management through mobile device management (MDM) protocols.<br><br>IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols.<br><br>To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.  |
 | **[Universal Print](/universal-print/)** | Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft hosted cloud subscription service that supports a zero-trust security model by enabling network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. |
 | **[Windows Autopatch](/windows/deployment/windows-autopatch/)** | With the Autopatch service, IT teams can delegate management of updates to Windows 10/11, Microsoft Edge, and Microsoft 365 apps to Microsoft. Under the hood, Autopatch takes over configuration of the policies and deployment service of Windows Update for Business. What the customer gets are endpoints that are up to date, thanks to dynamically generated rings for progressive deployment that will pause and/or roll back updates (where possible) when issues arise. <br><br>The goal is to provide peace of mind to IT pros, encourage rapid adoption of updates, and to reduce bandwidth required to deploy them successfully, thereby closing gaps in protection that may have been open to exploitation by malicious actors.  |
-| **[Windows Autopilot](/windows/deployment/windows-autopilot)** | Windows Autopilot simplifies the way devices get deployed, reset, and repurposed, with an experience that is zero touch for IT. |
+| **[Windows Autopilot](/autopilot/)** | Windows Autopilot simplifies the way devices get deployed, reset, and repurposed, with an experience that is zero touch for IT. |
diff --git a/windows/security/includes/sections/hardware.md b/windows/security/includes/sections/hardware.md
index 11a4f97b60..fa6c065293 100644
--- a/windows/security/includes/sections/hardware.md
+++ b/windows/security/includes/sections/hardware.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
@@ -20,7 +20,7 @@ ms.topic: include
 | **[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)** | In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats, such as by protecting the boot process, safeguarding the integrity of memory, isolating security sensitive compute logic, and more. Two examples include Virtualization-based security (VBS) and Hypervisor-protected code integrity (HVCI). Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel remains protected.<br><br>Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.<br>With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
 | **[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps to prevent attacks that attempt to modify kernel mode code, such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI helps to ensure that only validated code can be executed in kernel-mode.<br><br>Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.<br>With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
 | **[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)** | Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats such as memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. |
-| **[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
+| **[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
 
 ## Secured-core PC
 
diff --git a/windows/security/includes/sections/identity.md b/windows/security/includes/sections/identity.md
index 191dfb47cb..5a643de599 100644
--- a/windows/security/includes/sections/identity.md
+++ b/windows/security/includes/sections/identity.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
@@ -9,20 +9,23 @@ ms.topic: include
 
 | Feature name | Description |
 |:---|:---|
-| **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.<br><br>Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. |
-| **[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. |
+| **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.<br><br>Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. |
+| **[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. |
 | **[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)** | Windows Hello biometrics also supports enhanced sign-in security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign in. <br><br>Enhanced sign-in security biometrics uses VBS and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated. These specialized components protect against a class of attacks that include biometric sample injection, replay, tampering, and more. <br><br>For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional class of attacks. |
-| **[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets. <br><br>Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. |
-| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
+| **[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)** | Windows passwordless experience is a security policy that aims to create a more user-friendly experience for Microsoft Entra joined devices by eliminating the need for passwords in certain authentication scenarios. By enabling this policy, users will not be given the option to use a password in these scenarios, which helps organizations transition away from passwords over time. |
+| **[Passkeys](/windows/security/identity-protection/passkeys)** | Passkeys provide a more secure and convenient method to logging into websites and applications compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can use a device's unlock mechanism (such as biometrics or a PIN). Passkeys can be used without the need for other sign in challenges, making the authentication process faster, secure, and more convenient. |
+| **[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets. <br><br>Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. |
 | **[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)** | Organizations also have the option of using smart cards, an authentication method that pre-dates biometric sign in. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Smart cards can only be used to sign into domain accounts, not local accounts. When a password is used to sign into a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. |
 
 ## Advanced credential protection
 
 | Feature name | Description |
 |:---|:---|
-| **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. |
+| **[Web sign-in](/windows/security/identity-protection/web-sign-in)** | Web sign-in is a credential provider initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in have been expanded. For example, users can sign-in to Windows using the Microsoft Authenticator app or with a federated identity. |
+| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
+| **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. |
 | **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | Account Lockout Policy settings control the response threshold for failed logon attempts and the actions to be taken after the threshold is reached. |
-| **[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
+| **[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
 | **[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.<br><br>Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. |
-| **[Credential Guard](/windows/security/identity-protection/credential-guard)** | Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. <br><br>By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. |
+| **[Credential Guard](/windows/security/identity-protection/credential-guard/)** | Enabled by default in Windows 11 Enterprise, Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. <br><br>By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. |
 | **[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. <br><br>Administrator credentials are highly privileged and must be protected. When you use Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. |
diff --git a/windows/security/includes/sections/operating-system-security.md b/windows/security/includes/sections/operating-system-security.md
index 3a748fac25..4a4ee4acf2 100644
--- a/windows/security/includes/sections/operating-system-security.md
+++ b/windows/security/includes/sections/operating-system-security.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
@@ -9,10 +9,11 @@ ms.topic: include
 
 | Feature name | Description |
 |:---|:---|
-| **[Secure Boot and Trusted Boot](/windows/security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts. <br><br>Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. |
+| **[Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts. <br><br>Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. |
 | **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.<br><br>The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The antimalware software can use the log to determine whether components that ran before it are trustworthy, or if they are infected with malware. The antimalware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. |
-| **[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Azure Active Directory for conditional access. |
+| **[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Microsoft Entra ID for conditional access. |
 | **[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. |
+| **[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.<br><br>Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. |
 
 ## Virus and threat protection
 
@@ -24,20 +25,21 @@ ms.topic: include
 | **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. |
 | **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders. <br><br>Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware.  |
 | **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
-| **[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
+| **[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
 | **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams to detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: endpoint behavioral sensors, cloud security analytics, threat intelligence and rich response capabilities. |
 
 ## Network security
 
 | Feature name | Description |
 |:---|:---|
-| **[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
+| **[Transport Layer Security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
+| **[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)** | Starting in Windows 11, the Windows DNS client supports DNS over HTTPS (DoH), an encrypted DNS protocol. This allows administrators to ensure their devices protect DNS queries from on-path attackers, whether they are passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites.<br><br>In a zero-trust model where there is no trust placed in a network boundary, having a secure connection to a trusted name resolver is required. |
 | **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
 | **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification programs designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.<br><br>Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. |
 | **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots.  |
-| **[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.<br><br>With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
-| **[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.<br><br>In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls.  |
-| **[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)** | With Always On VPN, you can create a dedicated VPN profile for the device. Unlike User Tunnel, which only connects after a user logs on to the device, Device Tunnel allows the VPN to establish connectivity before a user sign-in. Both Device Tunnel and User Tunnel operate independently with their VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. |
+| **[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.<br><br>With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
+| **[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.<br><br>In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls.  |
+| **[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)** | With Always On VPN, you can create a dedicated VPN profile for the device. Unlike User Tunnel, which only connects after a user logs on to the device, Device Tunnel allows the VPN to establish connectivity before a user sign-in. Both Device Tunnel and User Tunnel operate independently with their VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. |
 | **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.<br><br>With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. |
 | **[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)** | SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. In Windows 11, the SMB protocol has significant security updates, including AES-256 bits encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of more advanced security or continue to use the more compatible, and still-safe, AES-128 encryption. |
 | **[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)** | SMB Direct (SMB over remote direct memory access) is a storage protocol that enables direct memory-to-memory data transfers between device and storage, with minimal CPU usage, while using standard RDMA-capable network adapters.<br><br>SMB Direct supports encryption, and now you can operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. |
@@ -46,8 +48,8 @@ ms.topic: include
 
 | Feature name | Description |
 |:---|:---|
-| **[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Azure AD.  |
-| **[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).<br><br>BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
-| **[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.<br><br>By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. |
-| **[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow. <br><br>Windows Hello for Business is used to protect the container which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content.  |
-| **[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |
+| **[BitLocker management](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Microsoft Entra ID.  |
+| **[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).<br><br>BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
+| **[Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.<br><br>By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. |
+| **[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow. <br><br>Windows Hello for Business is used to protect the container which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content.  |
+| **[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |
diff --git a/windows/security/includes/sections/security-foundations.md b/windows/security/includes/sections/security-foundations.md
index 61eb75d6e8..7a85af0543 100644
--- a/windows/security/includes/sections/security-foundations.md
+++ b/windows/security/includes/sections/security-foundations.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
@@ -11,14 +11,14 @@ ms.topic: include
 |:---|:---|
 | **[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)** | The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development. |
 | **[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)** | A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released.  |
-| **[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)** | As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.<br><br>Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quickly fix the issues before releasing the final Windows.  |
+| **[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)** | As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.<br><br>Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quicky fix the issues before releasing the final Windows.  |
 
 ## Certification
 
 | Feature name | Description |
 |:---|:---|
-| **[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)** | Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. CC defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. |
-| **[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)** | The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established in 2001. Multiple Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. |
+| **[Common Criteria certifications](/windows/security/security-foundations/certification/windows-platform-common-criteria)** | Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. CC defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. |
+| **[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)** | The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established in 2001. Multiple Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. |
 
 ## Secure supply chain
 
@@ -26,4 +26,4 @@ ms.topic: include
 |:---|:---|
 | **Software Bill of Materials (SBOM)** | SBOMs are leveraged to provide the transparency and provenance of the content as it moves through various stages of the Windows supply chain. This enables trust between each supply chain segment, ensures that tampering has not taken place during ingestion and along the way, and provides a provable chain of custody for the product that we ship to customers. |
 | **[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)** | Windows Defender Application Control (WDAC) enables customers to define policies for controlling what is allowed to run on their devices. WDAC policies can be remotely applied to devices using an MDM solution like Microsoft Intune. <br><br>To simplify WDAC enablement, organizations can take advantage of Azure Code Signing, a secure and fully managed service for signing WDAC policies and apps. <br><br>Azure Code Signing minimizes the complexity of code signing with a turnkey service backed by a Microsoft managed certificate authority, eliminating the need to procure and self-manage any signing certificates. The service is managed just as any other Azure resource and integrates easily with the leading development and CI/CD toolsets.  |
-| **[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)** | Developers have an opportunity to design highly secure applications that benefit from the latest Windows safeguards. The Windows App SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows. To help create apps that are up-to-date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system. |
+| **[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)** | Developers have an opportunity to design highly secure applications that benefit from the latest Windows safeguards. The Windows App SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows. To help create apps that are up-to-date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system.  |
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 963c96d66e..40983d837f 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -14,7 +14,7 @@ metadata:
   author: paolomatarazzo
   ms.author: paoloma
   manager: aaroncz
-  ms.date: 08/11/2023
+  ms.date: 09/18/2023
 
 highlightedContent:
   items:
@@ -73,14 +73,14 @@ productDirectory:
       links:
         - url: /windows/security/identity-protection/hello-for-business
           text: Windows Hello for Business
-        - url: /windows/security/identity-protection/credential-guard
-          text: Credential Guard
-        - url: /windows-server/identity/laps/laps-overview
-          text: Windows LAPS (Local Administrator Password Solution)
+        - url: /windows/security/identity-protection/passwordless-experience
+          text: Windows passwordless experience
+        - url: /windows/security/identity-protection/web-sign-in
+          text: Web sign-in for Windows
+        - url: /windows/security/identity-protection/passkeys
+          text: Support for passkeys in Windows
         - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
           text: Enhanced phishing protection with SmartScreen
-        - url: /education/windows/federated-sign-in
-          text: Federated sign-in (EDU)
         - url: /windows/security/identity-protection
           text: Learn more about identity protection >
 
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index 303f8c3057..d730747292 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -122,18 +122,18 @@ It's possible that you might revoke data from an unenrolled device only to later
 ## Auto-recovery of encryption keys
 Starting with Windows 10, version 1709, WIP includes a data recovery feature that lets your employees auto-recover access to work files if the encryption key is lost and the files are no longer accessible. This typically happens if an employee reimages the operating system partition, removing the WIP key info, or if a device is reported as lost and you mistakenly target the wrong device for unenrollment.
 
-To help make sure employees can always access files, WIP creates an auto-recovery key that's backed up to their Azure Active Directory (Azure AD) identity.
+To help make sure employees can always access files, WIP creates an auto-recovery key that's backed up to their Microsoft Entra identity.
 
-The employee experience is based on signing in with an Azure AD work account. The employee can either:
+The employee experience is based on signing in with a Microsoft Entra ID work account. The employee can either:
 
 - Add a work account through the **Windows Settings > Accounts > Access work or school > Connect** menu.
 
     -OR-
 
-- Open **Windows Settings > Accounts > Access work or school > Connect** and choose the **Join this device to Azure Active Directory** link, under **Alternate actions**.
+- Open **Windows Settings > Accounts > Access work or school > Connect** and choose the **Join this device to Microsoft Entra ID** link, under **Alternate actions**.
 
     >[!Note]
-    >To perform an Azure AD Domain Join from the Settings page, the employee must have administrator privileges to the device.
+    >To perform a Microsoft Entra Domain Join from the Settings page, the employee must have administrator privileges to the device.
 
 After signing in, the necessary WIP key info is automatically downloaded and employees are able to access the files again.
 
@@ -147,7 +147,7 @@ After signing in, the necessary WIP key info is automatically downloaded and emp
 
     The **Access work or school settings** page appears.
 
-3. Sign-in to Azure AD as the employee and verify that the files now open
+3. Sign-in to Microsoft Entra ID as the employee and verify that the files now open
 
 ## Related topics
 
diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index 709de2a54d..c3badb03b9 100644
--- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -52,7 +52,7 @@ After you've created your VPN policy, you'll need to deploy it to the same group
 
 1.  On the **App policy** blade, select your newly created policy, select **User groups** from the menu that appears, and then select **Add user group**.
 
-    A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** blade.
+    A list of user groups, made up of all of the security groups in your Microsoft Entra ID, appear in the **Add user group** blade.
 
 2. Choose the group you want your policy to apply to, and then select **Select** to deploy the policy.
 
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 6cb50dc76b..c73eda005f 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -27,23 +27,23 @@ You can create an app protection policy in Intune either with device enrollment
 
 - MAM has more **Access** settings for Windows Hello for Business.
 - MAM can [selectively wipe company data](/intune/apps-selective-wipe) from a user's personal device.
-- MAM requires an [Azure Active Directory (Azure AD) Premium license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses).
-- An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and regain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
+- MAM requires an [Microsoft Entra ID P1 or P2 license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses).
+- A Microsoft Entra ID P1 or P2 license is also required for WIP auto-recovery, where a device can re-enroll and regain access to protected data. WIP auto-recovery depends on Microsoft Entra registration to back up the encryption keys, which requires device auto-enrollment with MDM.
 - MAM supports only one user per device.  
 - MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md).
 - Only MDM can use [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) policies.
-- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. 
+- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Microsoft Entra ID. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. 
 
 
 ## Prerequisites
 
-Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Directory (Azure AD) Premium license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and regain access to protected data. WIP auto-recovery relies on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. 
+Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Microsoft Entra ID. MAM requires an [Microsoft Entra ID P1 or P2 license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). A Microsoft Entra ID P1 or P2 license is also required for WIP auto-recovery, where a device can re-enroll and regain access to protected data. WIP auto-recovery relies on Microsoft Entra registration to back up the encryption keys, which requires device auto-enrollment with MDM. 
 
 ## Configure the MDM or MAM provider
 
 1. Sign in to the Azure portal.
 
-2. Select **Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**.
+2. Select **Microsoft Entra ID** > **Mobility (MDM and MAM)** > **Microsoft Intune**.
 
 3. Select **Restore Default URLs** or enter the settings for MDM or MAM user scope and select **Save**:
 
@@ -431,7 +431,7 @@ For example:
 URL <,proxy>|URL <,proxy>|/*AppCompat*/
 ```
 
-When you use this string, we recommend that you also turn on [Azure Active Directory Conditional Access](/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
+When you use this string, we recommend that you also turn on [Microsoft Entra Conditional Access](/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
 
 Value format with proxy:
 
diff --git a/windows/security/introduction.md b/windows/security/introduction.md
index 69e2193bf2..92105b512d 100644
--- a/windows/security/introduction.md
+++ b/windows/security/introduction.md
@@ -25,7 +25,7 @@ A Zero Trust security model gives the right people the right access at the right
 1. When verified, give people and devices access to only necessary resources for the necessary amount of time
 1. Use continuous analytics to drive threat detection and improve defenses
 
-For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enables timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
+For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Microsoft Entra ID, which enables timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
 
 ### Security, by default
 
@@ -49,7 +49,7 @@ Passwords have been an important part of digital security for a long time, and t
 
 ### Connecting to cloud services
 
-Microsoft offers comprehensive cloud services for identity, storage, and access management in addition to the tools needed to attest that Windows devices connecting to your network are trustworthy. You can also enforce compliance and conditional access with a modern device management (MDM) service such as Microsoft Intune, which works with Azure Active Directory and Microsoft Azure Attestation to control access to applications and data through the cloud.
+Microsoft offers comprehensive cloud services for identity, storage, and access management in addition to the tools needed to attest that Windows devices connecting to your network are trustworthy. You can also enforce compliance and conditional access with a modern device management (MDM) service such as Microsoft Intune, which works with Microsoft Entra ID and Microsoft Azure Attestation to control access to applications and data through the cloud.
 
 ## Next steps
 
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
index 52cc2816b8..16a611c770 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
@@ -59,7 +59,7 @@ For the operating system volume the **BitLocker Drive Encryption Wizard** presen
 
     The recovery key can be stored using the following methods:
 
-   - **Save to your Azure AD account** (if applicable)
+   - **Save to your Microsoft Entra account** (if applicable)
    - **Save to a USB flash drive**
    - **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive
    - **Print the recovery key**
@@ -126,7 +126,7 @@ Encrypting data volumes using the BitLocker control panel works in a similar fas
 
 3. The **BitLocker Drive Encryption Wizard** presents options for storage of the recovery key. These options are the same as for operating system volumes:
 
-   - **Save to your Azure AD account** (if applicable)
+   - **Save to your Microsoft Entra account** (if applicable)
    - **Save to a USB flash drive**
    - **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive
    - **Print the recovery key**
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md
index 1654153fec..dd95d6dbc5 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -16,7 +16,7 @@ This article depicts the BitLocker deployment comparison chart.
 | *Minimum client operating system version* | Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 |
 | *Supported Windows SKUs* | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise |
 | *Minimum Windows version* | 1909 | None | None |
-| *Supported domain-joined status* | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory-joined, hybrid Azure AD joined | Active Directory-joined |
+| *Supported domain-joined status* | Microsoft Entra joined, Microsoft Entra hybrid joined | Active Directory-joined, Microsoft Entra hybrid joined | Active Directory-joined |
 | *Permissions required to manage policies* | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access |
 | *Cloud or on premises* | Cloud | On premises | On premises |
 | Server components required? |  | ✅ | ✅ |
@@ -31,16 +31,16 @@ This article depicts the BitLocker deployment comparison chart.
 | *Select cipher strength and algorithms for fixed drives* | ✅ | ✅ | ✅ |
 | *Select cipher strength and algorithms for removable drives* | ✅ | ✅ | ✅ |
 | *Select cipher strength and algorithms for operating environment drives* | ✅ | ✅ | ✅ |
-| *Standard recovery password storage location* | Azure AD or Active Directory | Configuration Manager site database | MBAM database |
-| *Store recovery password for operating system and fixed drives to Azure AD or Active Directory* | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) |
+| *Standard recovery password storage location* | Microsoft Entra ID or Active Directory | Configuration Manager site database | MBAM database |
+| *Store recovery password for operating system and fixed drives to Microsoft Entra ID or Active Directory* | Yes (Active Directory and Microsoft Entra ID) | Yes (Active Directory only) | Yes (Active Directory only) |
 | *Customize preboot message and recovery link* | ✅ | ✅ | ✅ |
 | *Allow/deny key file creation* | ✅ | ✅ | ✅ |
 | *Deny Write permission to unprotected drives* | ✅ | ✅ | ✅ |
 | *Can be administered outside company network* | ✅ | ✅ |  |
 | *Support for organization unique IDs* |  | ✅ | ✅ |
-| *Self-service recovery* | Yes (through Azure AD or Company Portal app) | ✅ | ✅ |
+| *Self-service recovery* | Yes (through Microsoft Entra ID or Company Portal app) | ✅ | ✅ |
 | *Recovery password rotation for fixed and operating environment drives* | Yes (Windows 10, version 1909 and later) | ✅ | ✅ |
-| *Wait to complete encryption until recovery information is backed up to Azure AD* | ✅ |  |  |
+| *Wait to complete encryption until recovery information is backed up to Microsoft Entra ID* | ✅ |  |  |
 | *Wait to complete encryption until recovery information is backed up to Active Directory* |  | ✅ | ✅ |
 | *Allow or deny Data Recovery Agent* | ✅ | ✅ | ✅ |
 | *Unlock a volume using certificate with custom object identifier* |  | ✅ | ✅ |
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index d93426076e..7b8887a82c 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -67,7 +67,7 @@ Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabl
   
   With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
 
-- Similar to signing in with a domain account, the clear key is removed when the user signs in to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.
+- Similar to signing in with a domain account, the clear key is removed when the user signs in to a Microsoft Entra account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Microsoft Entra ID. Then, the recovery key is backed up to Microsoft Entra ID, the TPM protector is created, and the clear key is removed.
 
 Microsoft recommends automatically enabling BitLocker Device Encryption on any systems that support it. However, the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:
 
@@ -160,4 +160,4 @@ Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administrat
 
 Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more information, see [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management).
 
-Enterprises not using Configuration Manager can use the built-in features of Azure AD and Microsoft Intune for administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).
+Enterprises not using Configuration Manager can use the built-in features of Microsoft Entra ID and Microsoft Intune for administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
index c88b6cde1e..e9c661179f 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -17,22 +17,24 @@ Though much Windows [BitLocker documentation](index.md) has been published, cust
 
 Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](bitlocker-group-policy-settings.md).
 
-Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD).
+Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Microsoft Entra ID.
 
 > [!IMPORTANT]
 > Microsoft BitLocker Administration and Monitoring (MBAM) capabilities are offered through Configuration Manager BitLocker Management. See [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management) in the Configuration Manager documentation for additional information.
 
-## Managing devices joined to Azure Active Directory
+<a name='managing-devices-joined-to-azure-active-directory'></a>
 
-Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Prior to Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online.
+## Managing devices joined to Microsoft Entra ID
+
+Devices joined to Microsoft Entra ID are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Prior to Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online.
 
 Starting with Windows 10 version 1703, the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 11, Windows 10, and on Windows phones.
 
-For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well.
+For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Microsoft Entra ID. Microsoft Entra ID provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Microsoft Entra ID. This process and feature is applicable to Azure Hybrid AD as well.
 
 ## Managing workplace-joined PCs and phones
 
-For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD.
+For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Microsoft Entra ID.
 
 ## Managing servers
 
@@ -47,9 +49,9 @@ If a server is being installed manually, such as a stand-alone server, then choo
 
 ## PowerShell examples
 
-For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure AD.  
+For Microsoft Entra joined computers, including virtual machines, the recovery password should be stored in Microsoft Entra ID.  
 
-**Example**: *Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker*
+**Example**: *Use PowerShell to add a recovery password and back it up to Microsoft Entra ID before enabling BitLocker*
 
 ```powershell
 Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
index c934ae7570..a2bf3f755c 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -344,7 +344,7 @@ BitLocker metadata has been enhanced starting in Windows 10, version 1903, to in
 ![Customized BitLocker recovery screen.](images/bl-password-hint2.png)
 
 > [!IMPORTANT]
-> It is not recommend to print recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft account.
+> It is not recommend to print recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Microsoft Entra ID and Microsoft account.
 
 There are rules governing which hint is shown during the recovery (in the order of processing):
 
@@ -356,7 +356,7 @@ There are rules governing which hint is shown during the recovery (in the order
 
 4. Prioritize keys with successful backup over keys that have never been backed up.
 
-5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**.
+5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Microsoft Entra ID > Active Directory**.
 
 6. If a key has been printed and saved to file, display a combined hint, "Look for a printout or a text file with the key," instead of two separate hints.
 
@@ -371,7 +371,7 @@ There are rules governing which hint is shown during the recovery (in the order
 |     Custom URL       |     Yes    |
 |----------------------|------------|
 |     Saved to Microsoft Account     |     Yes    |
-|     Saved to Azure AD     |     No     |
+|     Saved to Microsoft Entra ID     |     No     |
 |     Saved to Active Directory      |     No     |
 |     Printed          |     No     |
 |     Saved to file    |     No     |
@@ -385,7 +385,7 @@ There are rules governing which hint is shown during the recovery (in the order
 |     Custom URL       |     Yes    |
 |----------------------|------------|
 |     Saved to Microsoft Account     |     No     |
-|     Saved to Azure AD     |     No     |
+|     Saved to Microsoft Entra ID     |     No     |
 |     Saved to Active Directory      |     Yes    |
 |     Printed          |     No     |
 |     Saved to file    |     No     |
@@ -399,7 +399,7 @@ There are rules governing which hint is shown during the recovery (in the order
 |     Custom URL       |     No     |
 |----------------------|------------|
 |     Saved to Microsoft Account     |     Yes    |
-|     Saved to Azure AD     |     Yes    |
+|     Saved to Microsoft Entra ID     |     Yes    |
 |     Saved to Active Directory      |     No     |
 |     Printed          |     Yes    |
 |     Saved to file    |     Yes    |
@@ -413,7 +413,7 @@ There are rules governing which hint is shown during the recovery (in the order
 |     Custom URL       |     No          |
 |----------------------|-----------------|
 |     Saved to Microsoft Account     |     No          |
-|     Saved to Azure AD     |     No          |
+|     Saved to Microsoft Entra ID     |     No          |
 |     Saved to Active Directory      |     No          |
 |     Printed          |     No          |
 |     Saved to file    |     Yes         |
@@ -426,7 +426,7 @@ There are rules governing which hint is shown during the recovery (in the order
 |     Custom URL       |     No          |
 |----------------------|-----------------|
 |     Saved to Microsoft Account     |     No          |
-|     Saved to Azure AD     |     No          |
+|     Saved to Microsoft Entra ID     |     No          |
 |     Saved to Active Directory      |     No          |
 |     Printed          |     No          |
 |     Saved to file    |     No          |
@@ -442,7 +442,7 @@ There are rules governing which hint is shown during the recovery (in the order
 |     Custom URL       |     No          |
 |----------------------|-----------------|
 |     Saved to Microsoft Account     |     Yes         |
-|     Saved to Azure AD     |     Yes         |
+|     Saved to Microsoft Entra ID     |     Yes         |
 |     Saved to Active Directory      |     No          |
 |     Printed          |     No          |
 |     Saved to file    |     No          |
@@ -452,7 +452,7 @@ There are rules governing which hint is shown during the recovery (in the order
 |     Custom URL       |     No        |
 |----------------------|-----------------|
 |     Saved to Microsoft Account     |     No          |
-|     Saved to Azure AD     |     Yes         |
+|     Saved to Microsoft Entra ID     |     Yes         |
 |     Saved to Active Directory      |     No          |
 |     Printed          |     No          |
 |     Saved to file    |     No          |
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
index 9af21917f8..7f560a14b9 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
@@ -473,4 +473,4 @@ sections:
       - question: |
           Can I use BitLocker with virtual machines (VMs)?
         answer: |
-          Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. Encryption can be enabled either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or sign-in script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
+          Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Microsoft Entra joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. Encryption can be enabled either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or sign-in script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
index 7a7277136f..dc6e715410 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
@@ -32,7 +32,7 @@ The following table lists the recommended settings to improve PDE's security.
 |Kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|
 |Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.|
 |Hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.|
-|Allow users to select when a password is required when resuming from connected standby |When this policy isn't configured on Azure AD joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Azure AD joined devices.|
+|Allow users to select when a password is required when resuming from connected standby |When this policy isn't configured on Microsoft Entra joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Microsoft Entra joined devices.|
 
 ## Configure PDE with Microsoft Intune
 
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
index 0608ea1a7c..14df705407 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
@@ -25,7 +25,7 @@ Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release
 To use PDE, the following prerequisites must be met:
 
 - Windows 11, version 22H2 and later
-- The devices must be [Azure AD joined][AAD-1]. Domain-joined and hybrid Azure AD joined devices aren't supported
+- The devices must be [Microsoft Entra joined][AAD-1]. Domain-joined and Microsoft Entra hybrid joined devices aren't supported
 - Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
 
 > [!IMPORTANT]
diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index ae9673a74d..f61993984e 100644
--- a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -74,8 +74,8 @@ If the credentials are certificate-based, then the elements in the following tab
 |------------------|---------------|
 | SubjectName | The user's distinguished name (DN) where the domain components of the distinguished name reflect the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller. </br>This requirement is relevant in multi-forest environments as it ensures a domain controller can be located. |
 | SubjectAlternativeName | The user's fully qualified UPN where a domain name component of the user's UPN matches the organizations internal domain's DNS namespace. </br>This requirement is relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. |
-| Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. |
-| EnhancedKeyUsage | One or more of the following EKUs is required: </br><ul><li>Client Authentication (for the VPN)</li><li>EAP Filtering OID (for Windows Hello for Business)</li><li>SmartCardLogon (for Azure AD-joined devices)</li></ul>If the domain controllers require smart card EKU either:<ul><li>SmartCardLogon</li><li>id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4) </li></ul>Otherwise:</br><ul><li>TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2)</li></ul> |
+| Key Storage Provider (KSP) | If the device is joined to Microsoft Entra ID, a discrete SSO certificate is used. |
+| EnhancedKeyUsage | One or more of the following EKUs is required: </br><ul><li>Client Authentication (for the VPN)</li><li>EAP Filtering OID (for Windows Hello for Business)</li><li>SmartCardLogon (for Microsoft Entra joined devices)</li></ul>If the domain controllers require smart card EKU either:<ul><li>SmartCardLogon</li><li>id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4) </li></ul>Otherwise:</br><ul><li>TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2)</li></ul> |
 
 ## NDES server configuration
 
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
index 26738c946b..2606196671 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
@@ -1,25 +1,25 @@
 ---
 title: VPN and conditional access
-description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Azure Active Directory (Azure AD) connected apps.
+description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps.
 ms.date: 08/03/2023
 ms.topic: conceptual
 ---
 
 # VPN and conditional access
 
-The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
+The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Microsoft Entra connected application.
 
 >[!NOTE]
->Conditional Access is an Azure AD Premium feature.
+>Conditional Access is a Microsoft Entra ID P1 or P2 feature.
 
 Conditional Access Platform components used for Device Compliance include the following cloud-based services:
 
 - [Conditional Access Framework](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
-- [Azure AD Connect Health](/azure/active-directory/connect-health/active-directory-aadconnect-health)
+- [Microsoft Entra Connect Health](/azure/active-directory/connect-health/active-directory-aadconnect-health)
 - [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
-- Azure AD Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA can't be configured as part of an on-premises Enterprise CA.
+- Microsoft Entra Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by a Microsoft Entra ID-based Certificate Authority (CA). A Microsoft Entra CA is essentially a mini-CA cloud tenant in Azure. The Microsoft Entra CA can't be configured as part of an on-premises Enterprise CA.
 See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
-- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued.
+- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued.
 - [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started): Cloud-based device compliance uses Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
   - Antivirus status
   - Auto-update status and update compliance
@@ -35,12 +35,12 @@ The following client-side components are also required:
 
 ## VPN device compliance
 
-At this time, the Azure AD certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the &lt;SSO&gt; section.
+At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the &lt;SSO&gt; section.
 
 Server-side infrastructure requirements to support VPN device compliance include:
 
 - The VPN server should be configured for certificate authentication.
-- The VPN server should trust the tenant-specific Azure AD CA.
+- The VPN server should trust the tenant-specific Microsoft Entra CA.
 - For client access using Kerberos/NTLM, a domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO).
 
 After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile using the VPNv2 DeviceCompliance node.
@@ -48,7 +48,7 @@ After the server side is set up, VPN admins can add the policy settings for cond
 Two client-side configuration service providers are leveraged for VPN device compliance.
 
 - VPNv2 CSP DeviceCompliance settings:
-  - **Enabled**: enables the Device Compliance flow from the client. If marked as **true**, the VPN client attempts to communicate with Azure AD to get a certificate to use for authentication. The VPN should be set up to use certificate authentication and the VPN server must trust the server returned by Azure AD.
+  - **Enabled**: enables the Device Compliance flow from the client. If marked as **true**, the VPN client attempts to communicate with Microsoft Entra ID to get a certificate to use for authentication. The VPN should be set up to use certificate authentication and the VPN server must trust the server returned by Microsoft Entra ID.
   - **Sso**: entries under SSO should be used to direct the VPN client to use a certificate other than the VPN authentication certificate when accessing resources that require Kerberos authentication.
   - **Sso/Enabled**: if this field is set to **true**, the VPN client looks for a separate certificate for Kerberos authentication.
   - **Sso/IssuerHash**: hashes for the VPN client to look for the correct certificate for Kerberos authentication.
@@ -71,20 +71,22 @@ The VPN client side connection flow works as follows:
 
 When a VPNv2 Profile is configured with \<DeviceCompliance> \<Enabled>true<\/Enabled> the VPN client uses this connection flow:
 
-1. The VPN client calls into Windows 10's or Windows 11's Azure AD Token Broker, identifying itself as a VPN client.
-1. The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. The Azure AD Server checks if the device is in compliance with the policies.
-1. If compliant, Azure AD requests a short-lived certificate.
-1. Azure AD pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection  processing.
-1. The VPN client uses the Azure AD-issued certificate to authenticate with the VPN server.
+1. The VPN client calls into Windows 10's or Windows 11's Microsoft Entra Token Broker, identifying itself as a VPN client.
+1. The Microsoft Entra Token Broker authenticates to Microsoft Entra ID and provides it with information about the device trying to connect. The Microsoft Entra Server checks if the device is in compliance with the policies.
+1. If compliant, Microsoft Entra ID requests a short-lived certificate.
+1. Microsoft Entra ID pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection  processing.
+1. The VPN client uses the Microsoft Entra ID-issued certificate to authenticate with the VPN server.
 
 ## Configure conditional access
 
 See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
 
-## Learn more about Conditional Access and Azure AD Health
+<a name='learn-more-about-conditional-access-and-azure-ad-health'></a>
 
-- [Azure Active Directory conditional access](/azure/active-directory/conditional-access/overview)
-- [Getting started with Azure Active Directory Conditional Access](/azure/active-directory/authentication/tutorial-enable-azure-mfa)
+## Learn more about Conditional Access and Microsoft Entra Health
+
+- [Microsoft Entra Conditional Access](/azure/active-directory/conditional-access/overview)
+- [Getting started with Microsoft Entra Conditional Access](/azure/active-directory/authentication/tutorial-enable-azure-mfa)
 - [Control the health of Windows devices](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
 - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
 - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
index cd91bd8540..f4b96d4267 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
@@ -23,7 +23,7 @@ To create a Windows VPN device configuration profile see: [Windows device settin
 | [VPN connection types](vpn-connection-type.md) | Select a VPN client and tunneling protocol |
 | [VPN routing decisions](vpn-routing.md)  | Choose between split tunnel and force tunnel configuration |
 | [VPN authentication options](vpn-authentication.md)  | Select a method for Extensible Authentication Protocol (EAP) authentication. |
-| [VPN and conditional access](vpn-conditional-access.md)  | Use Azure Active Directory policy evaluation to set access policies for VPN connections. |
+| [VPN and conditional access](vpn-conditional-access.md)  | Use Microsoft Entra policy evaluation to set access policies for VPN connections. |
 | [VPN name resolution](vpn-name-resolution.md)  | Decide how name resolution should work |
 | [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)  | Set a VPN profile to connect automatically by app or by name, to be "always on", and to not trigger VPN on trusted networks |
 | [VPN security features](vpn-security-features.md)  | Configure traffic filtering, connect a VPN profile to Windows Information Protection (WIP), and more |
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
index a61bf25eec..c0f7eb352f 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
@@ -105,7 +105,7 @@ To determine why some applications are blocked from communicating in the network
 
 Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy.
 
-![Windows Firewall prompt.](images/fw04-userquery.png)
+:::image type="content" alt-text="Windows Firewall prompt." source="images/fw04-userquery.png":::
 
 *Figure 4: Dialog box to allow access*
 
@@ -185,7 +185,7 @@ incoming connections, including those in the list of allowed apps** setting foun
 
 *Figure 6: Windows settings App/Windows Security/Firewall Protection/Network Type*
 
-![Firewall cpl.](images/fw07-legacy.png)
+:::image type="content" alt-text="Firewall cpl." source="images/fw07-legacy.png":::
 
 *Figure 7: Legacy firewall.cpl*
 
@@ -208,3 +208,24 @@ For tasks related to creating outbound rules, see [Checklist: Creating Outbound
 ## Document your changes
 
 When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall.
+
+## Configure Windows Firewall rules with WDAC tagging policies
+
+Windows Firewall now supports the use of Windows Defender Application Control (WDAC) Application ID (AppID) tags in firewall rules. With this capability, Windows Firewall rules can now be scoped to an application or a group of applications by referencing process tags, without using absolute path or sacrificing security. There are two steps for this configuration: 
+
+### Step 1: Deploy WDAC AppId Tagging Policies
+
+A Windows Defender Application Control (WDAC) policy needs to be deployed which specifies individual applications or groups of applications to apply a PolicyAppId tag to the process token(s). Then, the admin can define firewall rules which are scoped to all processes tagged with the matching PolicyAppId.  
+
+Follow the detailed [WDAC Application ID (AppId) Tagging Guide](/windows/security/threat-protection/windows-defender-application-control/appidtagging/windows-defender-application-control-appid-tagging-guide) to create, deploy, and test an AppID (Application ID) policy to tag applications. 
+
+### Step 2: Configure Firewall Rules using PolicyAppId Tags
+
+- **Deploy firewall rules with Intune:** When creating firewall rules with Intune Microsoft Defender Firewall Rules, provide the AppId tag in the Policy App ID setting. The properties come directly from the [Firewall configuration service provider ](/windows/client-management/mdm/firewall-csp)(CSP) and apply to the Windows platform.
+You can do this through the Intune admin center under Endpoint security > Firewall. Policy templates can be found via Create policy > Windows 10, Windows 11, and Windows Server > Microsoft Defender Firewall or Microsoft Defender Firewall Rules. 
+
+OR
+
+- **Create local firewall rules with PowerShell**: You can use PowerShell to configure by adding a Firewall rule using [New-NetFirewallRule](/powershell/module/netsecurity/new-netfirewallrule) and specify the `–PolicyAppId` tag. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported. 
+
+
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md
index 2912122082..e60bc7b3ec 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md
@@ -29,17 +29,66 @@ To complete these procedures, you must be a member of the Domain Administrators
 
     3.  The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this path, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location.
 
-        >**Important:**  The location you specify must have permissions assigned that permit the Windows Defender Firewall service to write to the log file.
+        > [!IMPORTANT]
+        > The location you specify must have permissions assigned that permit the Windows Defender Firewall service to write to the log file.
 
-    4.  The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this size, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file won't grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones.
+    5.  The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this size, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file won't grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones.
 
-    5.  No logging occurs until you set one of following two options:
+    6.  No logging occurs until you set one of following two options:
 
         -   To create a log entry when Windows Defender Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**.
 
         -   To create a log entry when Windows Defender Firewall allows an inbound connection, change **Log successful connections** to **Yes**.
 
-    6.  Click **OK** twice.
+    7.  Click **OK** twice.
+
+### Troubleshoot if the log file is not created or modified
+
+Sometimes the Windows Firewall log files aren't created, or the events aren't written to the log files. Some examples when this condition might occur include:
+
+- missing permissions for the Windows Defender Firewall Service (MpsSvc) on the folder or on the log files
+- you want to store the log files in a different folder and the permissions were removed, or haven't been set automatically
+- if firewall logging is configured via policy settings, it can happen that
+  - the log folder in the default location `%windir%\System32\LogFiles\firewall` doesn't exist
+  - the log folder in a custom path doesn't exist
+  In both cases, you must create the folder manually or via script, and add the permissions for MpsSvc
+
+If firewall logging is configured via Group Policy only, it also can happen that the `firewall` folder is not created in the default location `%windir%\System32\LogFiles\`. The same can happen if a custom path to a non-existent folder is configured via Group Policy. In this case, create the folder manually or via script and add the permissions for MPSSVC.  
+
+```PowerShell
+New-Item -ItemType Directory -Path $env:windir\System32\LogFiles\Firewall
+```
+
+Verify if MpsSvc has *FullControl* on the folder and the files.
+From an elevated PowerShell session, use the following commands, ensuring to use the correct path:
+
+```PowerShell
+$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall"
+(Get-ACL -Path $LogPath).Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize
+```
+
+The output should show `NT SERVICE\mpssvc` having *FullControl*:
+
+```PowerShell
+IdentityReference      FileSystemRights AccessControlType IsInherited InheritanceFlags
+-----------------      ---------------- ----------------- ----------- ----------------
+NT AUTHORITY\SYSTEM         FullControl             Allow       False    ObjectInherit
+BUILTIN\Administrators      FullControl             Allow       False    ObjectInherit
+NT SERVICE\mpssvc           FullControl             Allow       False    ObjectInherit
+```
+
+If not, add *FullControl* permissions for mpssvc to the folder, subfolders and files. Make sure to use the correct path.
+
+```PowerShell
+$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall"
+$ACL = get-acl -Path $LogPath
+$ACL.SetAccessRuleProtection($true, $false)
+$RULE = New-Object System.Security.AccessControl.FileSystemAccessRule ("NT SERVICE\mpssvc","FullControl","ContainerInherit,ObjectInherit","None","Allow")
+$ACL.AddAccessRule($RULE)
+```
+
+Restart the device to restart the Windows Defender Firewall Service.
+
+### Troubleshoot Slow Log Ingestion
 
-### Troubleshooting Slow Log Ingestion
 If logs are slow to appear in Sentinel, you can turn down the log file size. Just beware that this downsizing will result in more resource usage due to the increased resource usage for log rotation. 
diff --git a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index 65b3843328..90f2ed2f75 100644
--- a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -83,11 +83,11 @@ This section is an overview that describes different parts of the end-to-end sec
 
 | Number | Part of the solution | Description |
 | - | - | - |
-| **1** | Windows-based device | The first time a Windows-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.<br/>A Windows-based device with TPM can report health status at any time by using the Health Attestation Service available with all supported editions of Windows.|
-| **2** | Identity provider | Azure AD contains users, registered devices, and registered application of organization's tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.<br/>Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that uses the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.|
+| **1** | Windows-based device | The first time a Windows-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Microsoft Entra ID and enrolled in MDM.<br/>A Windows-based device with TPM can report health status at any time by using the Health Attestation Service available with all supported editions of Windows.|
+| **2** | Identity provider | Microsoft Entra ID contains users, registered devices, and registered application of organization's tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.<br/>Microsoft Entra ID is more than a repository. Microsoft Entra ID is able to authenticate users and devices and can also authorize access to managed resources. Microsoft Entra ID has a conditional access control engine that uses the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.|
 | **3**|Mobile device management| Windows has MDM support that enables the device to be managed out-of-box without deploying any agent.<br/>MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows.|
 | **4** | Remote health attestation | The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows security features are enabled on the device.<br/>Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).|
-| **5** | Enterprise managed asset | Enterprise managed asset is the resource to protect.<br/>For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Azure AD, or even VPN access.|
+| **5** | Enterprise managed asset | Enterprise managed asset is the resource to protect.<br/>For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Microsoft Entra ID, or even VPN access.|
 
 The combination of Windows-based devices, identity provider, MDM, and remote health attestation creates a robust end-to-end-solution that provides validation of health and compliance of devices that access high-value assets.
 
@@ -613,7 +613,7 @@ Windows has an MDM client that ships as part of the operating system. This MDM c
 
 ### Third-party MDM server support
 
-Third-party MDM servers can manage Windows by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
+Third-party MDM servers can manage Windows by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For more information, see [Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
 
 > [!NOTE]
 > MDM servers do not need to create or download a client to manage Windows. For more information, see [Mobile device management](/windows/client-management/mdm/).
@@ -628,70 +628,70 @@ For more information on how to manage Windows security and system settings with
 
 ### Conditional access control
 
-On most platforms, the Azure Active Directory (Azure AD) device registration happens automatically during enrollment. The device states are written by the MDM solution into Azure AD, and then read by Office 365 (or by any authorized Windows app that interacts with Azure AD) the next time the client tries to access an Office 365 compatible workload.
+On most platforms, the Microsoft Entra device registration happens automatically during enrollment. The device states are written by the MDM solution into Microsoft Entra ID, and then read by Office 365 (or by any authorized Windows app that interacts with Microsoft Entra ID) the next time the client tries to access an Office 365 compatible workload.
 
 If the device isn't registered, the user will get a message with instructions on how to register (also known as enrolling). If the device isn't compliant, the user will get a different message that redirects them to the MDM web portal where they can get more information on the compliance problem and how to resolve it.
 
-**Azure AD** authenticates the user and the device, **MDM** manages the compliance and conditional access policies, and the **Health Attestation Service** reports about the health of the device in an attested way.
+**Microsoft Entra ID** authenticates the user and the device, **MDM** manages the compliance and conditional access policies, and the **Health Attestation Service** reports about the health of the device in an attested way.
 
 :::image type="content" alt-text="figure 11." source="images/hva-fig10-conditionalaccesscontrol.png":::
 
 ### Office 365 conditional access control
 
-Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company's device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include more
+Microsoft Entra ID enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company's device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include more
 target groups.
 
-When a user requests access to an Office 365 service from a supported device platform, Azure AD authenticates the user and device from which the user launches the request; and grants access to the service only when the user conforms to the policy set for the service. Users that don't have their device enrolled are given remediation instructions on how to enroll and become compliant to access corporate Office 365 services.
+When a user requests access to an Office 365 service from a supported device platform, Microsoft Entra authenticates the user and device from which the user launches the request; and grants access to the service only when the user conforms to the policy set for the service. Users that don't have their device enrolled are given remediation instructions on how to enroll and become compliant to access corporate Office 365 services.
 
-When a user enrolls, the device is registered with Azure AD, and enrolled with a compatible MDM solution like Intune.
+When a user enrolls, the device is registered with Microsoft Entra ID, and enrolled with a compatible MDM solution like Intune.
 
 > [!NOTE]
-> Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the [Windows, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067) blog post.
+> Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Microsoft Entra ID and Intune are explained in the [Windows, Microsoft Entra ID And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067) blog post.
 
-When a user enrolls a device successfully, the device becomes trusted. Azure AD provides single-sign-on to access company applications and enforces conditional access policy to grant access to a service not only the first time the user requests access, but every time the user requests to renew access.
+When a user enrolls a device successfully, the device becomes trusted. Microsoft Entra ID provides single-sign-on to access company applications and enforces conditional access policy to grant access to a service not only the first time the user requests access, but every time the user requests to renew access.
 
 The user will be denied access to services when sign-in credentials are changed, a device is lost/stolen, or the compliance policy isn't met at the time of request for renewal.
 
-Depending on the type of email application that employees use to access Exchange online, the path to establish secured access to email can be slightly different. However, the key components: Azure AD, Office 365/Exchange Online, and Intune, are the same. The IT experience and end-user experience also are similar.
+Depending on the type of email application that employees use to access Exchange online, the path to establish secured access to email can be slightly different. However, the key components: Microsoft Entra ID, Office 365/Exchange Online, and Intune, are the same. The IT experience and end-user experience also are similar.
 
 :::image type="content" alt-text="figure 12." source="images/hva-fig11-office365.png":::
 
 Clients that attempt to access Office 365 will be evaluated for the following properties:
 
 - Is the device managed by an MDM?
-- Is the device registered with Azure AD?
+- Is the device registered with Microsoft Entra ID?
 - Is the device compliant?
 
 To get to a compliant state, the Windows-based device needs to:
 
 - Enroll with an MDM solution.
-- Register with Azure AD.
+- Register with Microsoft Entra ID.
 - Be compliant with the device policies set by the MDM solution.
 
 > [!NOTE]
-> At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows - Using the cloud to modernize enterprise mobility!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-microsoft-intune-and-windows-10-8211-using-the-cloud-to/ba-p/244012) blog post.
+> At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Microsoft Entra ID, Microsoft Intune and Windows - Using the cloud to modernize enterprise mobility!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-microsoft-intune-and-windows-10-8211-using-the-cloud-to/ba-p/244012) blog post.
 
 ### Cloud and on-premises apps conditional access control
 
-Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's sign in to make real-time decisions about which applications they should be allowed to access.
+Conditional access control is a powerful policy evaluation engine built into Microsoft Entra ID. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's sign in to make real-time decisions about which applications they should be allowed to access.
 
-IT pros can configure conditional access control policies for cloud SaaS applications secured by Azure AD and even on-premises applications. Access rules in Azure AD use the conditional access engine to check device health and compliance state reported by a compatible MDM solution like Intune in order to determine whether to allow access.
+IT pros can configure conditional access control policies for cloud SaaS applications secured by Microsoft Entra ID and even on-premises applications. Access rules in Microsoft Entra ID use the conditional access engine to check device health and compliance state reported by a compatible MDM solution like Intune in order to determine whether to allow access.
 
 For more information about conditional access, see [Azure Conditional Access Preview for SaaS Apps.](/azure/active-directory/authentication/tutorial-enable-azure-mfa)
 
 > [!NOTE]
-> Conditional access control is an Azure AD Premium feature that's also available with EMS. If you don't have an Azure AD Premium subscription, you can get a trial from the [Microsoft Azure](https://go.microsoft.com/fwlink/p/?LinkId=691617) site.
+> Conditional access control is a Microsoft Entra ID P1 or P2 feature that's also available with EMS. If you don't have a Microsoft Entra ID P1 or P2 subscription, you can get a trial from the [Microsoft Azure](https://go.microsoft.com/fwlink/p/?LinkId=691617) site.
 
 For on-premises applications there are two options to enable conditional access control based on a device's compliance state:
 
-- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more information, see [Using Azure AD Application Proxy to publish on-premises apps for remote users](/azure/active-directory/app-proxy/what-is-application-proxy).
-- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
+- For on-premises applications that are published through the Microsoft Entra application proxy, you can configure conditional access control policies as you would for cloud applications. For more information, see [Using Microsoft Entra application proxy to publish on-premises apps for remote users](/azure/active-directory/app-proxy/what-is-application-proxy).
+- Additionally, Microsoft Entra Connect will sync device compliance information from Microsoft Entra ID to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
 
 :::image type="content" alt-text="figure 13." source="images/hva-fig12-conditionalaccess12.png":::
 
-The following process describes how Azure AD conditional access works:
+The following process describes how Microsoft Entra Conditional Access works:
 
-1. User has already enrolled with MDM through Workplace Access/Azure AD join, which registers device with Azure AD.
+1. User has already enrolled with MDM through Workplace Access/Azure AD join, which registers device with Microsoft Entra ID.
 2. When the device boots or resumes from hibernate, a task "Tpm-HASCertRetr" is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service.
 3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any).
 4. User logs on and the MDM agent contacts the Intune/MDM server.
@@ -700,13 +700,13 @@ The following process describes how Azure AD conditional access works:
 7. Intune/MDM server sends the health attestation blob to Health Attestation Service to be validated.
 8. Health Attestation Service validates that the device that sent the health attestation blob is healthy, and returns this result to Intune/MDM server.
 9. Intune/MDM server evaluates compliance based on the compliance and the queried inventory/health attestation state from device.
-10. Intune/MDM server updates compliance state against device object in Azure AD.
+10. Intune/MDM server updates compliance state against device object in Microsoft Entra ID.
 11. User opens app, attempts to access a corporate managed asset.
-12. Access gated by compliance claim in Azure AD.
+12. Access gated by compliance claim in Microsoft Entra ID.
 13. If the device is compliant and the user is authorized, an access token is generated.
 14. User can access the corporate managed asset.
 
-For more information about Azure AD join, see [Azure AD & Windows: Better Together for Work or School](https://go.microsoft.com/fwlink/p/?LinkId=691619), a white paper.
+For more information about Microsoft Entra join, see [Microsoft Entra ID & Windows: Better Together for Work or School](https://go.microsoft.com/fwlink/p/?LinkId=691619), a white paper.
 
 Conditional access control is a topic that many organizations and IT pros may not know and they should. The different attributes that describe a user, a device, compliance, and context of access are powerful when used with a conditional access engine. Conditional access control is an essential step that helps organizations secure their environment.
 
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
index a16db47b99..38961897cb 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
@@ -1,7 +1,7 @@
 ---
 title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
 description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
-ms.date: 08/11/2023
+ms.date: 09/25/2023
 ms.topic: conceptual
 appliesto:
 - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2</a>
@@ -13,9 +13,10 @@ Starting in Windows 11, version 22H2, Enhanced Phishing Protection in Microsoft
 
 If a user signs into Windows using a password, Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school password used to sign into Windows 11 in these ways:
 
-- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection alerts them. It also alerts them to change their password so attackers can't gain access to their account.
+- If users type or paste their work or school password on any browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection alerts them. It also alerts them to change their password so attackers can't gain access to their account.
 - Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and alert them to change their password.
 - Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file.
+- If users type their work or school password into a website or app that SmartScreen finds suspicious, Enhanced Phishing Protection can automatically collect information from that website or app to help identify security threats. For example, the content displayed, sounds played, and application memory.
 
 > [!NOTE]
 > When a user signs-in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection does not alert the user or send events to Microsoft Defender for Endpoint.
@@ -68,10 +69,11 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][
 
 | Setting                 | OMA-URI                                                                   | Data type |
 |-------------------------|---------------------------------------------------------------------------|-----------|
-| **ServiceEnabled**      | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled`      | Integer   |
+| **AutomaticDataCollection** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection` | Integer |
 | **NotifyMalicious**     | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious`     | Integer   |
 | **NotifyPasswordReuse** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse` | Integer   |
 | **NotifyUnsafeApp**     | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp`     | Integer   |
+| **ServiceEnabled**      | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled`      | Integer   |
 
 ---
 
@@ -80,7 +82,6 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][
 By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios.
 
 To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings.
-
 #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
 
 |Settings catalog element|Recommendation|
@@ -108,15 +109,19 @@ To better help you protect your organization, we recommend turning on and using
 |NotifyPasswordReuse|**1**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.|
 |NotifyUnsafeApp|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.|
 
+
 ---
 
 ## Related articles
 
-- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
+- [SmartScreen frequently asked questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
 - [WebThreatDefense CSP][WIN-1]
 - [Threat protection](index.md)
 
 <!-- Links -->
 
 [WIN-1]: /windows/client-management/mdm/policy-csp-webthreatdefense
+
 [MEM-2]: /mem/intune/configuration/settings-catalog
+
+
diff --git a/windows/security/security-foundations/zero-trust-windows-device-health.md b/windows/security/security-foundations/zero-trust-windows-device-health.md
index 64696d3e5d..65cc2e9e7d 100644
--- a/windows/security/security-foundations/zero-trust-windows-device-health.md
+++ b/windows/security/security-foundations/zero-trust-windows-device-health.md
@@ -51,7 +51,7 @@ A summary of the steps involved in attestation and Zero Trust on the device side
 
 3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation).
 
-4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with Azure Active Directory conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device.
+4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with Microsoft Entra Conditional Access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device.
 
 5. The attestation service does the following tasks:
 
diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
index 81cfb68761..d4c07f3415 100644
--- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
@@ -37,7 +37,7 @@ Access and Remote Access permissions to users and groups. We recommend that you
 
 -   Blank
 
-    This value represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it to Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK.
+   This value represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it as Not defined. To set a blank value, select "Define this policy setting" and leave the Security descriptor empty, then select OK.
 
 -   *User-defined input* of the SDDL representation of the groups and privileges
 
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
index 87337b86b8..1e3180694c 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
@@ -41,7 +41,7 @@ The **Maximum password age** policy setting determines the period of time (in da
 Set **Maximum password age** to a value between 30 and 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to compromise a user's password and have access to your network resources.
 
 > [!NOTE]
-> The security baseline recommended by Microsoft doesn't contain the password-expiration policy, as it is less effective than modern mitigations. However, companies that didn't implement Azure AD Password Protection, multifactor authentication, or other modern mitigations of password-guessing attacks, should leave this policy in effect.
+> The security baseline recommended by Microsoft doesn't contain the password-expiration policy, as it is less effective than modern mitigations. However, companies that didn't implement Microsoft Entra Password Protection, multifactor authentication, or other modern mitigations of password-guessing attacks, should leave this policy in effect.
 
 ### Location
 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index ce5adb5c59..abc5d527cd 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -41,7 +41,7 @@ This policy isn't configured by default on domain-joined devices. This disableme
 -   **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship by using online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the sign-in peer for validation. It associates the user's certificate to a security token, and then the sign-in process completes.
 
     > [!NOTE]
-    > PKU2U is disabled by default on Windows Server. If PKU2U is disabled, Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client.
+    > PKU2U is disabled by default on Windows Server. If PKU2U is disabled, Remote Desktop connections from a Microsoft Entra hybrid joined server to a Microsoft Entra joined Windows 10 device or a Microsoft Entra hybrid joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client.
 
 -   **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship.
 
@@ -49,7 +49,7 @@ This policy isn't configured by default on domain-joined devices. This disableme
 
 ### Best practices
 
-Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate for on-premises only environments. Set this policy to **Enabled** for hybrid and Azure AD-joined environments.
+Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate for on-premises only environments. Set this policy to **Enabled** for hybrid and Microsoft Entra joined environments.
 
 ### Location
 
@@ -75,7 +75,7 @@ This section describes how an attacker might exploit a feature or its configurat
 
 ### Vulnerability
 
-Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or an Azure AD account. That account can then sign in to a peer device (if the peer device is likewise configured) without the use of a Windows sign-in account (domain or local). This setup isn't only beneficial, but required for Azure AD-joined devices, where they're signed in with an online identity and are issued certificates by Azure AD. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it doesn't pose any threats in a hybrid environment where Azure AD is used as it relies on the user's online identity and Azure AD to authenticate. 
+Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or a Microsoft Entra account. That account can then sign in to a peer device (if the peer device is likewise configured) without the use of a Windows sign-in account (domain or local). This setup isn't only beneficial, but required for Microsoft Entra joined devices, where they're signed in with an online identity and are issued certificates by Microsoft Entra ID. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it doesn't pose any threats in a hybrid environment where Microsoft Entra ID is used as it relies on the user's online identity and Microsoft Entra ID to authenticate. 
 
 ### Countermeasure
 
@@ -85,7 +85,7 @@ Set this policy to *Disabled* or don't configure this security policy for *on-pr
 
 If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. This disablement is a valid configuration in *on-premises only* environments. Some roles/features (such as Failover Clustering) don't utilize a domain account for its PKU2U authentication and will cease to function properly when disabling this policy.
 
-If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Azure AD and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. If this policy isn't enabled, remote connections to an Azure AD joined device won't work.
+If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Microsoft Entra ID and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. If this policy isn't enabled, remote connections to a Microsoft Entra joined device won't work.
 
 ### Fix/Remediation
 
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index 2e144448b8..2bd556b46f 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -11,7 +11,7 @@
       href: windows-11-plan.md
     - name: Prepare for Windows 11
       href: windows-11-prepare.md
-    - name: Windows 11 temporary enterprise feature control
+    - name: Windows 11 enterprise feature control
       href: temporary-enterprise-feature-control.md      
     - name: What's new in Windows 11, version 22H2
       href: whats-new-windows-11-version-22h2.md
diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md
index 3943ef84fc..6b07079c0f 100644
--- a/windows/whats-new/deprecated-features-resources.md
+++ b/windows/whats-new/deprecated-features-resources.md
@@ -1,7 +1,7 @@
 ---
 title: Resources for deprecated features in the Windows client
 description: Resources and details for deprecated features in the Windows client.
-ms.date: 08/01/2023
+ms.date: 10/09/2023
 ms.prod: windows-client
 ms.technology: itpro-fundamentals
 ms.localizationpriority: medium
@@ -21,6 +21,10 @@ appliesto:
 
 This article provides additional resources about [deprecated features for Windows client](deprecated-features.md) that may be needed by IT professionals. The following information is provided to help IT professionals plan for the removal of deprecated features:
 
+## VBScript
+
+VBScript will be available as a [feature on demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) before being retired in future Windows releases. Initially, the VBScript feature on demand will be preinstalled to allow for uninterrupted use while you prepare for the retirement of VBScript.
+ 
 ## TLS versions 1.0 and 1.1 disablement resources
 
 Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 are disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1.
@@ -69,11 +73,11 @@ Re-enabling TLS 1.0 or TLS 1.1 on machines should only be done as a last resort,
 
 The [Microsoft Support Diagnostic Tool (MSDT)](/windows-server/administration/windows-commands/msdt) gathers diagnostic data for analysis by support professionals. MSDT is the engine used to run legacy Windows built-in troubleshooters. There are currently 28 built-in troubleshooters for MSDT. Half of the built-in troubleshooters have already been [redirected](#redirected-msdt-troubleshooters) to the Get Help platform, while the other half will be [retired](#retired-msdt-troubleshooters).  
 
-If you're using MSDT to run [custom troubleshooting packages](/previous-versions/windows/desktop/wintt/package-schema), it will be available as a [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) before the tool is fully retired in 2025. This change will allow you to continue to use MSDT to run custom troubleshooting packages while transitioning to a new platform. [Contact Microsoft support](https://support.microsoft.com/contactus) for Windows if you require additional assistance.
+If you're using MSDT to run [custom troubleshooting packages](/previous-versions/windows/desktop/wintt/package-schema), it will be available as a [feature on demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) before the tool is fully retired in 2025. This change allows you to continue to use MSDT to run custom troubleshooting packages while transitioning to a new platform. [Contact Microsoft support](https://support.microsoft.com/contactus) for Windows if you require more assistance.
 
 ### Redirected MSDT troubleshooters
 
-The following troubleshooters will automatically be redirected when you access them from **Start** > **Settings** > **System** > **Troubleshoot**:
+The following troubleshooters are automatically redirected when you access them from **Start** > **Settings** > **System** > **Troubleshoot**:
 
 - Background Intelligent Transfer Service (BITS)
 - Bluetooth
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index e13121f3d9..75c9ea7697 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
 ---
 title: Deprecated features in the Windows client
 description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
-ms.date: 09/01/2023
+ms.date: 10/18/2023
 ms.prod: windows-client
 ms.technology: itpro-fundamentals
 ms.localizationpriority: medium
@@ -36,6 +36,8 @@ The features in this article are no longer being actively developed, and might b
 
 |Feature    |  Details and mitigation  | Deprecation announced |
 | ----------- | --------------------- | ---- |
+| Timeline for Microsoft Entra accounts <!--8396095--> | Cross-device syncing of Microsoft Entra user activity history will stop starting in January 2024. Microsoft will stop storing this data in the cloud, aligning with [the previous change for Microsoft accounts (MSA)](https://blogs.windows.com/windows-insider/2021/04/14/announcing-windows-10-insider-preview-build-21359) in 2021. The timeline user experience was retired in Windows 11, although it remains in Windows 10. The timeline user experience and all your local activity history still remains on Windows 10 devices. Users can access web history using their browser and access recent files through OneDrive and Office. | October 2023 |
+| VBScript <!--7954828--> | VBScript is being deprecated. In future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system. For more information, see [Resources for deprecated features](deprecated-features-resources.md#vbscript). | October 2023 |
 | WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt.  | September 1, 2023 |
 | AllJoyn |  Microsoft's implementation of AllJoyn which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity).  | August 17, 2023 |
 | TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023| 
@@ -51,7 +53,7 @@ The features in this article are no longer being actively developed, and might b
 | Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 |
 | Companion Device Framework | The [Companion Device Framework](/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 |
 | Dynamic Disks | The [Dynamic Disks](/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](/windows-server/storage/storage-spaces/overview) in a future release.| 2004 |
-| Microsoft BitLocker Administration and Monitoring (MBAM)| [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/), part of the [Microsoft Desktop Optimization Pack (MDOP)](/lifecycle/announcements/mdop-extended) is no longer being developed. | September, 2019 |
+| Microsoft BitLocker Administration and Monitoring (MBAM)| [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/), part of the [Microsoft Desktop Optimization Pack (MDOP)](/lifecycle/announcements/mdop-extended) is no longer being developed. | September 2019 |
 | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
 | My People / People in the Shell |  My People is no longer being developed. It may be removed in a future update. | 1909 |
 | Package State Roaming (PSR) |  PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user. <br>&nbsp;<br>The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. <br>&nbsp;<br>PSR was removed in Windows 11.| 1909 |
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index 036ef0bfa2..ec64e498bc 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -59,7 +59,10 @@
         "jborsecnik",
         "tiburd",
         "garycentric",
-        "beccarobins"
+        "beccarobins",
+        "Stacyrch140",
+        "v-stsavell",
+        "American-Dipper"
       ],
       "searchScope": ["Windows 10"]
     },
diff --git a/windows/whats-new/temporary-enterprise-feature-control.md b/windows/whats-new/temporary-enterprise-feature-control.md
index b20be1c0ab..65ebf38755 100644
--- a/windows/whats-new/temporary-enterprise-feature-control.md
+++ b/windows/whats-new/temporary-enterprise-feature-control.md
@@ -1,6 +1,6 @@
 ---
-title: Temporary enterprise feature control in Windows 11
-description: Learn about the Windows 11 features behind temporary enterprise feature control.
+title: Enterprise feature control in Windows 11
+description: Learn about the Windows 11 features behind temporary enterprise feature control and permanent feature control.
 ms.prod: windows-client
 ms.technology: itpro-fundamentals
 ms.author: mstewart
@@ -8,7 +8,7 @@ author: mestew
 manager: aaroncz
 ms.localizationpriority: medium
 ms.topic: reference
-ms.date: 05/19/2023
+ms.date: 09/26/2023
 ms.collection:
   - highpri
   - tier2
@@ -16,21 +16,20 @@ appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2 and later</a>
 ---
 
-# Temporary enterprise feature control in Windows 11
+# Enterprise feature control in Windows 11
 <!--7790977-->
-New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
+New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features might be:
+
+- Temporarily turned off by default using [temporary enterprise feature control](#temporary-enterprise-feature-control)
+- Controlled by a policy that allows for [permanent enterprise feature control](#permanent-enterprise-feature-control)
+
+Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly. For example, a feature might be turned off by default if it requires a change in user behavior or if it requires IT administrators to take action before the feature can be used.
+
+## Temporary enterprise feature control
 
 Features behind temporary enterprise control are automatically disabled for devices that have their Windows updates managed by policies.
 
-## Windows 11 features behind temporary enterprise feature control
-
-The following features are behind temporary enterprise control in Windows 11:
-
-| Feature | KB article where the feature was introduced | Feature update that ends temporary control |
-|---|---|---|
-| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9) | 2023 annual feature update |
-
-## Enable features behind temporary enterprise feature control
+### Enable features behind temporary enterprise feature control
 
 Features that are behind temporary enterprise control will be enabled when one of the following conditions is met:
 
@@ -38,7 +37,7 @@ Features that are behind temporary enterprise control will be enabled when one o
 - The device receives a policy that enables features behind temporary enterprise control
   - When the policy is enabled, all features on the device behind temporary control are turned on when the device next restarts.
 
-## Policy settings for temporary enterprise feature control
+### Policy settings for temporary enterprise feature control
 
 You can use a policy to enable features that are behind temporary enterprise feature control. When this policy is enabled, all features that were disabled behind temporary enterprise feature control are turned on when the device next reboots. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later:
 
@@ -46,3 +45,33 @@ You can use a policy to enable features that are behind temporary enterprise fea
 
 - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)
    - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category.
+
+### Windows 11 features behind temporary enterprise feature control
+
+The following features are behind temporary enterprise control in Windows 11:
+
+| Feature | KB article where the feature was introduced | Feature update that ends temporary control | Notes |
+|---|---|---|---|
+| Touch-optimized taskbar for 2-in-1 devices <!--8092554, WIP.25197--> | [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9) | 2023 annual feature update | |
+| Selecting **Uninstall** for a Win32 app from the right-click menu uses the **Installed Apps** page in **Settings** rather than **Programs and Features** under the **Control Panel** <!--8092554, WIP.25300-->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | |
+| Windows Spotlight provides a minimized experience, opportunities to learn more about each image, and allows users to preview images at full screen.<!--8092554, WIP.23511 & WIP.25281, AllowWindowsSpotlight-->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature also has a permanent control: </br></br> **CSP**: ./User/Vendor/MSFT/Policy/Config/Experience/[AllowWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlight)</br> </br>**Group Policy**: User Configuration\Administrative Templates\Windows Components\Cloud Content\\**Turn off all Windows spotlight features**|
+| Copilot in Windows <!--8092554, WIP.23493 -->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature has a permanent control. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section. |
+| Dev Home <!--8092554, WIP.23506-->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | `Get-AppxPackage -Name Microsoft.Windows.DevHome` |
+|Dev Drive <!--8092554, WIP.23466-->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature has multiple permanent controls. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section | 
+
+## Permanent enterprise feature control
+
+New features and enhancements used to be introduced only in feature updates. However, with continuous innovation for Windows 11, new features are introduced more frequently through the monthly cumulative update. Some new features can be controlled through policies that enable you to configure them for your organization. When a feature can be controlled by a policy, it has permanent enterprise feature control.
+
+### Windows 11 features with permanent enterprise feature control
+
+The following features introduced through the monthly cumulative updates allow permanent enterprise feature control:
+
+| Feature | KB article where the feature was introduced | Feature enabled by default | CSP and Group Policy |
+|---|---|---|---|
+| Configure search on the taskbar <!--8092554, WIP.25252-->| [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9)| Yes | **CSP**: ./Device/Vendor/MSFT/Policy/Config/Search/[ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) </br> </br>**Group Policy**: Computer Configuration\Administrative Templates\Windows Components\Search\\**Configures search on the taskbar**|
+| The **Recommended** section of the **Start Menu** displays personalized website recommendations <!--8092554, WIP.23475-->|[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)| No |**CSP**: ./Device/Vendor/MSFT/Policy/Config/Start/[HideRecoPersonalizedSites](/windows/client-management/mdm/policy-csp-start)</br> </br>**Group Policy**: Computer Configuration\Administrative Templates\Start Menu and Taskbar\\**Remove Personalized Website Recommendations from the Recommended section in the Start Menu**|
+| **Recommended** section added to File Explorer Home for users signed into Windows with an Azure AD account. <!--8092554, DisableGraphRecentItems, WIP.23475, WIP.23403-->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes | **CSP**:./Device/Vendor/MSFT/Policy/Config/FileExplorer/[DisableGraphRecentItems](/windows/client-management/mdm/policy-csp-fileexplorer#disablegraphrecentitems) </br> </br> **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\File Explorer\\**Turn off files from Office.com in Quick Access View** </br> </br> **Note**: This control disables additional items beyond the **Recommended** items. Review the policy before implementing this control. |
+| Transfer files to another PC using WiFi direct<!--8092554, WIP.23506-->|[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)|Yes|**CSP**: ./Device/Vendor/MSFT/Policy/Config/Wifi/[AllowWiFiDirect](/windows/client-management/mdm/policy-csp-wifi#allowwifidirect)|
+| Copilot in Windows <!--8092554, WIP.23493 --> | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) </br> </br> **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**|
+|Dev Drive <!--8092554, WIP.23466-->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSPs**: </br> - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[EnableDevDrive](/windows/client-management/mdm/policy-csp-filesystem#enableeeverive) </br> - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[DevDriveAttachPolicy](/windows/client-management/mdm/policy-csp-filesystem#devdriveattachpolicy) </br> </br> **Group Policies**:  </br> - Computer Configuration\Administrative Templates\System\FileSystem\\**Enable dev drive** </br> - Computer Configuration\Administrative Templates\System\FileSystem\\**Dev drive filter attach policy**|
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index 6e9047c606..fb11714e70 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -19,7 +19,7 @@ appliesto:
 
 # Prepare for Windows 11
 
-Windows 10 and Windows 11 are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. Using a single management infrastructure that supports common applications across both Windows 10 and Windows 11 helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows 11 deployments in the same way that you do with Windows 10.
+Windows 10 and Windows 11 are designed to coexist so that you can use the same familiar tools and processes to manage both operating systems. Using a single management infrastructure that supports common applications across both Windows 10 and Windows 11 helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows 11 deployments in the same way that you do with Windows 10.
 
 After you evaluate your hardware to see if it meets [requirements](windows-11-requirements.md) for Windows 11, it's a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. This article provides some helpful guidance to accomplish these tasks.
 
@@ -32,7 +32,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil
 
 #### On-premises solutions
 
-- If you use [Windows Server Update Service (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you'll need to sync the new **Windows 11** product category. After you sync the product category, you'll see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well.
+- If you use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you'll need to sync the new Windows 11 product category. After you sync the product category, you'll see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well.
 
   > [!NOTE]
   > During deployment, you will be prompted to agree to the Microsoft Software License Terms on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture.
@@ -44,25 +44,25 @@ The tools that you use for core workloads during Windows 10 deployments can stil
 
 #### Cloud-based solutions
 
--	If you use Windows Update for Business policies, you'll need to use the **Target Version** capability (either through policy or the Windows Update for Business deployment service) rather than using feature update deferrals alone to upgrade from Windows 10 to Windows 11. Feature update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but won't automatically devices move between products (Windows 10 to Windows 11). 
+-	If you use Windows Update for Business policies, you'll need to use the **Target Version** capability (either through policy or the Windows Update for Business deployment service) rather than using feature update deferrals alone to upgrade from Windows 10 to Windows 11. Feature update deferrals are great for moving to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but won't automatically move devices between products (Windows 10 to **Windows 11**). 
     - If you use Microsoft Intune and have a Microsoft 365 E3 license, you'll be able to use the [feature update deployments](/mem/intune/protect/windows-10-feature-updates) page to select **Windows 11, version 21H2** and upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11 on the **Update Rings** page in Intune. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you're currently on. When you're ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. 
     - In Group Policy, **Select target Feature Update version** has two entry fields after taking the 9/1/2021 optional update ([KB5005101](https://support.microsoft.com/topic/september-1-2021-kb5005101-os-builds-19041-1202-19042-1202-and-19043-1202-preview-82a50f27-a56f-4212-96ce-1554e8058dc1)) or a later update: **Product Version** and **Target Version**. 
 
     - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. 
     - For example, if a device is running <i>Windows 10, version 2004</i> and only the target version is configured to 21H1, this device will be offered version <i>Windows 10, version 21H1</i>, even if multiple products have a 21H1 version.
 - Quality update deferrals will continue to work the same across both Windows 10 and Windows 11, which is true regardless of which management tool you use to configure Windows Update for Business policies.
-- If you use Microsoft Intune and have a Microsoft 365 E3 license, you'll be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you're currently on. When you're ready to start upgrading devices, change the feature update deployment setting to specify Windows 11.
+- If you use Microsoft Intune and have a Microsoft 365 E3 license, you'll be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you're currently on. When you're ready to start upgrading devices, change the feature update deployment setting to specify **Windows 11**.
 
   > [!NOTE]
   > Endpoints managed by Windows Update for Business will not automatically upgrade to Windows 11 unless an administrator explicitly configures a **Target Version** using the [TargetReleaseVersion](/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) setting using a Windows CSP, a [feature update profile](/mem/intune/protect/windows-10-feature-updates) in Intune, or the [Select target Feature Update version setting](/windows/deployment/update/waas-wufb-group-policy#i-want-to-stay-on-a-specific-version) in a group policy. 
 
 ## Cloud-based management
 
-If you aren’t already taking advantage of cloud-based management capabilities, like those available in the [Microsoft Intune family of products](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Intune can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting user privacy.  
+If you aren’t already taking advantage of cloud-based management capabilities, like those available in the [Microsoft Intune family of products](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Intune can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives while protecting user privacy.  
 
-The following are some common use cases and the corresponding Microsoft Intune capabilities that support them: 
+The following are some common use cases and the corresponding [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) capabilities that support them: 
 
-- **Provision and pre-configure new Windows 11 devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows 11 devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. The [Windows Autopilot diagnostics page](/mem/autopilot/windows-autopilot-whats-new#preview-windows-autopilot-diagnostics-page) is new feature that is available when you use in Windows Autopilot to deploy Windows 11.
+- **Provision and pre-configure new Windows 11 devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows 11 devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Professional to Enterprise edition and gain the use of advanced features. The [Windows Autopilot diagnostics page](/mem/autopilot/windows-autopilot-whats-new#preview-windows-autopilot-diagnostics-page) is a new feature that is available when you use in Windows Autopilot to deploy Windows 11.
 - **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows 11 and Windows 10. You can also use app protection policies to require multifactor authentication (MFA) for specific apps. 
 - **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows 11 by using Microsoft Intune. 
 
@@ -74,7 +74,7 @@ Every organization will transition to Windows 11 at its own pace. Microsoft is c
 
 When you think of operating system updates as an ongoing process, you'll automatically improve your ability to deploy updates. This approach enables you to stay current with less effort, and less impact on productivity. To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. 
 
-Next, craft a deployment plan for Windows 11 that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: 
+Next, craft a deployment plan for **Windows 11** that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: 
 - Preview (first or canary): Planning and development 
 - Limited (fast or early adopters): Pilot and validation 
 - Broad (users or critical): Wide deployment 
@@ -87,9 +87,9 @@ Review deployment-related policies, taking into consideration your organization'
 
 #### Validate apps and infrastructure
 
-To validate that your apps, infrastructure, and deployment processes are ready for Windows 11, join the [Windows Insider Program for Business](https://insider.windows.com/for-business-getting-started), and opt in to the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel).  
+To validate that your apps, infrastructure, and deployment processes are ready for Windows 11, join the [Windows Insider Program for Business](https://insider.windows.com/for-business-getting-started), and opt into the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel).  
 
-If you use Windows Server Update Services, you can deploy directly from the Windows Insider Pre-release category using one of the following processes:
+If you use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you can deploy directly from the Windows Insider Pre-release category using one of the following processes:
 
 - Set **Manage Preview Builds** to **Release Preview** in Windows Update for Business. 
 - Use Azure Virtual Desktop and Azure Marketplace images. 
@@ -119,7 +119,7 @@ At a high level, the tasks involved are:
 
 ## User readiness
 
-Don't overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They'll also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11:
+Don't overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They'll also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff for Windows 11:
 
 - Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they'll see the changes.
 - Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options.