Merge branch 'main' into American-Dipper-patch-15

2025-05-13 05:47:23 +00:00 · 2023-10-31 11:52:29 -07:00 · 2023-10-31 11:52:29 -07:00 · 7011a2800a
commit 7011a2800a
parent 853f812688 c2842d5954
60 changed files with 1115 additions and 588 deletions
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@ -13,20 +13,25 @@ ms.collection:
 # Configure federated sign-in for Windows devices
-Starting in Windows 11 SE, version 22H2 and Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1], you can enable your users to sign-in using a federated identity provider (IdP) via web sign-in.\
+Starting in Windows 11 SE, version 22H2 and Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1], you can enable your users to sign-in using a federated identity provider (IdP) via a web sign-in experience.
-This feature is called *federated sign-in*.\
+Signing in with a federated identity can be a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Microsoft Entra ID, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
 Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Microsoft Entra ID, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
 ## Benefits of federated sign-in
-Federated sign-in enables students to sign-in in less time, and with less friction.
+A federated sign-in experience enables students to sign-in in less time, and with less friction.
 With fewer credentials to remember and a simplified sign-in process, students are more engaged and focused on learning.
 There are two Windows features that enable a federated sign-in experience:
 - *Federated sign-in*, which is designed for 1:1 student devices. For an optimal experience, you should not enable federated sign-in on shared devices
 - *Web sign-in*, which provides a similar experience to *Federated sign-in*, and can be used for shared devices
 > [!IMPORTANT]
-> Currently, this feature is designed for 1:1 devices. For an optimal experience, you should not enable federated sign-in on shared devices.
+> *Federated sign-in* and *Web sign-in* require different configurations, which are explained in this document.
 ## Prerequisites
-To implement federated sign-in, the following prerequisites must be met:
+To enable a federated sign-in experience, the following prerequisites must be met:
 1. A Microsoft Entra tenant, with one or multiple domains federated to a third-party IdP. For more information, see [What is federation with Microsoft Entra ID?][AZ-1] and [Use a SAML 2.0 IdP for Single Sign On][AZ-4]
    >[!NOTE]
@ -43,9 +48,9 @@ To implement federated sign-in, the following prerequisites must be met:
    For more information about identity matching, see [Identity matching in Microsoft Entra ID](#identity-matching-in-azure-ad).
 1. Licenses assigned to the Microsoft Entra user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Microsoft Entra ID, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Microsoft Entra ID][AZ-2]
-1. Enable federated sign-in on the Windows devices
+1. Enable Federated sign-in or Web sign-in on the Windows devices, depending if the devices are shared or assigned to a single student
-To use federated sign-in, the devices must have Internet access. This feature doesn't work without it, as the authentication is done over the Internet.
+To use Federated sign-in or Web sign-in, the devices must have Internet access. These features don't work without it, as the authentication is done over the Internet.
 > [!IMPORTANT]
 > WS-Fed is the only supported federated protocol to join a device to Microsoft Entra ID. If you have a SAML 2.0 IdP, it's recommended to complete the Microsoft Entra join process using one of the following methods:
@ -54,25 +59,25 @@ To use federated sign-in, the devices must have Internet access. This feature do
 [!INCLUDE [federated-sign-in](../../includes/licensing/federated-sign-in.md)]
-Federated sign-in for student assigned (1:1) devices is supported on the following Windows editions and versions:
+Federated sign-in is supported on the following Windows editions and versions:
 - Windows 11 SE, version 22H2 and later
 - Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1]
-Federated sign-in for shared devices is supported starting in Windows 11 SE/Pro Edu/Education, version 22H2 with [KB5026446][KB-2].
+Web sign-in is supported starting in Windows 11 SE/Pro Edu/Education, version 22H2 with [KB5026446][KB-2].
-## Configure federated sign-in
+## Configure a federated sign-in experience
-You can configure federated sign-in for student assigned (1:1) devices or student shared devices:
+You can configure a federated sign-in experience for student assigned (1:1) devices or student shared devices:
- When federated sign-in is configured for **student assigned (1:1) devices**, the first user who signs in to the device with a federated identity becomes the *primary user*. The primary user is always displayed in the bottom left corner of the sign-in screen
+- When federated sign-in is configured for **student assigned (1:1) devices**, you use a Windows feature called *Federated sign-in*. The first user who signs in to the device with a federated identity becomes the *primary user*. The primary user is always displayed in the bottom left corner of the sign-in screen
- When federated sign-in is configured for **student shared devices**, there's no primary user. The sign-in screen displays, by default, the last user who signed in to the device
+- When federated sign-in is configured for **student shared devices**, you use a Windows feature called *Web sign-in*. With Web sign-in there's no primary user, and the sign-in screen displays, by default, the last user who signed in to the device
 The configuration is different for each scenario, and is described in the following sections.
-### Configure federated sign-in for student assigned (1:1) devices
+### Configure Federated sign-in for student assigned (1:1) devices
-To use web sign-in with a federated identity provider, your devices must be configured with different policies. Review the following instructions to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
+Review the following instructions to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
 #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
@ -98,7 +103,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
 #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
-To configure federated sign-in using a provisioning package, use the following settings:
+To configure Federated sign-in using a provisioning package, use the following settings:
 | Setting |
 |--------|
@ -109,16 +114,16 @@ To configure federated sign-in using a provisioning package, use the following s
 :::image type="content" source="images/federated-sign-in-settings-ppkg.png" alt-text="Screenshot of Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-ppkg.png" border="true":::
-Apply the provisioning package to the single-user devices that require federated sign-in.
+Apply the provisioning package to the 1:1 devices that require Federated sign-in.
 > [!IMPORTANT]
 > There was an issue affecting Windows 11, version 22H2 when using provisioning packages during OOBE. The issue was fixed with the KB5020044 update. If you plan to configure federated sign-in with a provisioning package during OOBE, ensure that the devices have the update installed. For more information, see [KB5020044][KB-1].
 ---
-### Configure federated sign-in for student shared devices
+### Configure Web sign-in for student shared devices
-To use web sign-in with a federated identity provider, your devices must be configured with different policies. Review the following instructions to configure your shared devices using either Microsoft Intune or a provisioning package (PPKG).
+Review the following instructions to configure your shared devices using either Microsoft Intune or a provisioning package (PPKG).
 #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
@ -146,7 +151,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
 #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
-To configure federated sign-in using a provisioning package, use the following settings:
+To configure web sign-in using a provisioning package, use the following settings:
 | Setting |
 |--------|
@ -156,7 +161,7 @@ To configure federated sign-in using a provisioning package, use the following s
 | <li> Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`**<br>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**|
 | <li> Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`**<br>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**|
-Apply the provisioning package to the shared devices that require federated sign-in.
+Apply the provisioning package to the shared devices that require web sign-in.
 > [!IMPORTANT]
 > There was an issue affecting Windows 11, version 22H2 when using provisioning packages during OOBE. The issue was fixed with the KB5020044 update. If you plan to configure federated sign-in with a provisioning package during OOBE, ensure that the devices have the update installed. For more information, see [KB5020044][KB-1].
@ -172,7 +177,7 @@ As users enter their username, they're redirected to the identity provider sign-
 :::image type="content" source="./images/win-11-se-federated-sign-in.gif" alt-text="Screenshot of Windows 11 SE sign-in using federated sign-in through Clever and QR code badge, in a student assigned (1:1) device." border="false":::
 > [!IMPORTANT]
-> For student assigned (1:1) devices, once the policy is enabled, the first user who sign-in to the device will also set the disambiguation page to the identity provider domain on the device. This means that the device will be defaulting to that IdP. The user can exit the federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows sign-in screen.
+> For student assigned (1:1) devices, once the policy is enabled, the first user who sign-in to the device will also set the disambiguation page to the identity provider domain on the device. This means that the device will be defaulting to that IdP. The user can exit the Federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows sign-in screen.
 > The behavior is different for student shared devices, where the disambiguation page is always shown, unless preferred Microsoft Entra tenant name is configured.
 ## Important considerations
--- a/education/windows/index.yml
+++ b/education/windows/index.yml
@ -15,148 +15,111 @@ metadata:
  author: paolomatarazzo
  ms.author: paoloma
  manager: aaroncz
-  ms.date: 07/28/2023
+  ms.date: 08/07/2023
 highlightedContent:
  items:
-  - title: Get started with Windows 11
+  - title: Get started with Windows 11 SE
    itemType: get-started
-    url: /windows/whats-new/windows-11-overview
+    url: windows-11-se-overview.md
  - title: Windows 11, version 22H2
    itemType: whats-new
    url: /windows/whats-new/whats-new-windows-11-version-22H2
  - title: Windows 11, version 22H2 group policy settings reference 
    itemType: download
    url: https://www.microsoft.com/en-us/download/details.aspx?id=104594
  - title: Windows release health
    itemType: whats-new
    url: /windows/release-health
  - title: Windows commercial licensing
    itemType: overview
    url: /windows/whats-new/windows-licensing
  - title: Windows 365 documentation
    itemType: overview
    url: /windows-365
  - title: Explore all Windows trainings and learning paths for IT pros
    itemType: learn
    url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator
-  - title: Enroll Windows client devices in Microsoft Intune
+  - title: Deploy applications to Windows 11 SE with Intune
    itemType: how-to-guide
-    url: /mem/intune/fundamentals/deployment-guide-enrollment-windows
+    url: /education/windows/tutorial-deploy-apps-winse
 productDirectory:
  title: Get started
  items:
-
+    - title: Learn how to deploy Windows
-    - title: Hardware security
+      imageSrc: /media/common/i_deploy.svg
      imageSrc: /media/common/i_usb.svg
      links:
-        - url: /windows/security/hardware-security/tpm/trusted-platform-module-overview
+        - url: /education/windows/tutorial-school-deployment/
-          text: Trusted Platform Module
+          text: "Tutorial: deploy and manage Windows devices in a school"
-        - url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor
+        - url: /education/windows/tutorial-school-deployment/enroll-autopilot
-          text: Microsoft Pluton
+          text: Enrollment in Intune with Windows Autopilot
-        - url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows
+        - url: use-set-up-school-pcs-app.md
-          text: Windows Defender System Guard
+          text: Deploy devices with Set up School PCs
-        - url: /windows-hardware/design/device-experiences/oem-vbs
+        - url: /windows/deployment
-          text: Virtualization-based security (VBS)
+          text: Learn more about Windows deployment >
-        - url: /windows-hardware/design/device-experiences/oem-highly-secure-11
+    - title: Learn how to secure Windows
-          text: Secured-core PC
+      imageSrc: /media/common/i_security-management.svg
        - url: /windows/security/hardware-security
          text: Learn more about hardware security >
    - title: OS security
      imageSrc: /media/common/i_threat-protection.svg
      links:
-        - url: /windows/security/operating-system-security
+        - url: federated-sign-in.md
-          text: Trusted boot
+          text: Configure federated sign-in for Windows devices
        - url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center
          text: Windows security settings
        - url: 	/windows/security/operating-system-security/data-protection/bitlocker/
          text: BitLocker
        - url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines
          text: Windows security baselines
        - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/
          text: MMicrosoft Defender SmartScreen
        - url: /windows/security/operating-system-security
          text: Learn more about OS security >
    - title: Identity protection
      imageSrc: /media/common/i_identity-protection.svg
      links:
        - url: /windows/security/identity-protection/hello-for-business
          text: Windows Hello for Business
        - url: /windows/security/identity-protection/credential-guard
          text: Credential Guard
        - url: /windows-server/identity/laps/laps-overview
          text: Windows LAPS (Local Administrator Password Solution)
        - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
          text: Enhanced phishing protection with SmartScreen
        - url: /education/windows/federated-sign-in
          text: Federated sign-in (EDU)
        - url: /windows/security/identity-protection
          text: Learn more about identity protection >
    - title: Application security
      imageSrc: /media/common/i_queries.svg
      links:
        - url: /windows/security/application-security/application-control/windows-defender-application-control/
          text: Windows Defender Application Control (WDAC)
        - url: /windows/security/application-security/application-control/user-account-control
          text: User Account Control (UAC)
        - url: /windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules
          text: Microsoft vulnerable driver blocklist
        - url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
          text: Microsoft Defender Application Guard (MDAG)
        - url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview
          text: Windows Sandbox
        - url: /windows/security/application-security
          text: Learn more about application security >
    - title: Security foundations
      imageSrc: /media/common/i_build.svg
      links:
        - url: /windows/security/security-foundations/certification/fips-140-validation
          text: FIPS 140-2 validation
        - url: /windows/security/security-foundations/certification/windows-platform-common-criteria
          text: Common Criteria Certifications
        - url: /windows/security/security-foundations/msft-security-dev-lifecycle
          text: Microsoft Security Development Lifecycle (SDL)
        - url: https://www.microsoft.com/msrc/bounty-windows-insider-preview
          text: Microsoft Windows Insider Preview bounty program
        - url: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/
          text: OneFuzz service
        - url: /windows/security/security-foundations
          text: Learn more about security foundations >
    - title: Cloud security
      imageSrc: /media/common/i_cloud-security.svg
      links:
        - url: /mem/intune/protect/security-baselines
          text: Security baselines with Intune
        - url: /windows/deployment/windows-autopatch
          text: Windows Autopatch
        - url: /windows/deployment/windows-autopilot
          text: Windows Autopilot
        - url: /universal-print
          text: Universal Print
-        - url: /windows/client-management/mdm/remotewipe-csp
+        - url: /windows/security
-          text: Remote wipe
+          text: Learn more about Windows security >
-        - url: /windows/security/cloud-security
+
-          text: Learn more about cloud security >
+    - title: Learn how to manage Windows devices
      imageSrc: /media/common/i_management.svg
      links:
        - url: tutorial-school-deployment/manage-overview.md
          text: Manage devices with Microsoft Intune
        - url: tutorial-school-deployment/manage-surface-devices.md
          text: Management functionalities for Surface devices
        - url: /education/windows/get-minecraft-for-education
          text: Get and deploy Minecraft Education
        - url: /windows/client-management
          text: Learn more about Windows management >
    - title: Learn how to configure Windows
      imageSrc: /media/common/i_config-tools.svg
      links:
        - url: /education/windows/tutorial-school-deployment/configure-devices-overview
          text: Configure settings and applications with Microsoft Intune
        - url: /windows/configuration/set-up-shared-or-guest-pc
          text: Set up a shared or guest Windows device
        - url: /education/windows/take-tests-in-windows
          text: Take tests and assessments in Windows
        - url: set-up-school-pcs-provisioning-package.md
          text: Provisioning package settings
        - url: https://www.youtube.com/watch?v=2ZLup_-PhkA
          text: "Video: Use the Set up School PCs App"
 additionalContent:
  sections:
-    - title: More Windows resources
+    - title: For developers # < 60 chars (optional)
-      items:
+      summary: Are you an app developer looking for information about developing solutions on Microsoft Education products? Start here. # < 160 chars (optional)
    - items:
        # Card
        - title: UWP apps for education
          summary: Learn how to write universal apps for education.
          url: /windows/uwp/apps-for-education/
        # Card
        - title: Take a test API
          summary: Learn how web applications can use the API to provide a locked down experience for taking tests.
          url: /windows/uwp/apps-for-education/take-a-test-api
-        - title: Windows Server
+        - title: Office dev center
-          links:
+          summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app.
-            - text: Windows Server documentation
+          url: https://developer.microsoft.com/office/
-              url: /windows-server
+
-            - text: What's new in Windows Server 2022?
+        - title: Data Streamer
-              url: /windows-server/get-started/whats-new-in-windows-server-2022
+          summary: Bring new STEM experiences into the classroom with real-time data in Excel using Data Streamer. Data Streamer can send data to Excel from a sensor or application.
-            - text: Windows Server blog
+          url: /microsoft-365/education/data-streamer
-              url: https://cloudblogs.microsoft.com/windowsserver/
+    - title: For partners # < 60 chars (optional)
      summary: Looking for resources available to Microsoft Education partners? Start here. # < 160 chars (optional)
    - items:
        - title: Microsoft Partner Network
          summary: Discover the latest news and resources for Microsoft Education products, solutions, licensing and readiness.
          url: https://partner.microsoft.com/explore/education
        - title: Education Partner community Yammer group
          summary: Sign in with your Microsoft Partner account and join the Education Partner community private group on Yammer.
          url: https://www.yammer.com/mepn/
        - title: Windows product site and blogs
          links:
--- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
@ -19,7 +19,7 @@ The enrollment into Intune is triggered by a group policy created on your local
 - The Active Directory joined device must be running a [supported version of Windows](/windows/release-health/supported-versions-windows-client).
 - The enterprise has configured a Mobile Device Management (MDM) service.
 - The on-premises Active Directory must be [integrated with Microsoft Entra ID (via Microsoft Entra Connect)](/azure/architecture/reference-architectures/identity/azure-ad).
- Service connection point (SCP) configuration. For more information see [configuring the SCP using Microsoft Entra Connect](/azure/active-directory/devices/how-to-hybrid-join). For environments not publishing SCP data to AD, see [Microsoft Entra hybrid join targeted deployment](/azure/active-directory/devices/hybrid-join-control#targeted-deployment-of-microsoft-entra-hybrid-join-on-windows-current-devices).
+- Service connection point (SCP) configuration. For more information, see [configuring the SCP using Microsoft Entra Connect](/azure/active-directory/devices/how-to-hybrid-join). For environments not publishing SCP data to AD, see [Microsoft Entra hybrid join targeted deployment](/azure/active-directory/devices/hybrid-join-control#targeted-deployment-of-microsoft-entra-hybrid-join-on-windows-current-devices).
 - The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents fail enrollment with `error 0x80180026`).
 - The minimum Windows Server version requirement is based on the Microsoft Entra hybrid join requirement. For more information, see [How to plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan).
@ -36,7 +36,7 @@ The autoenrollment relies on the presence of an MDM service and the Microsoft En
 > [!NOTE]
 > In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
-When the autoenrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task uses the existing MDM service configuration from the Microsoft Entra information of the user. If multi-factor authentication is required, the user gets prompted to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
+When the autoenrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task uses the existing MDM service configuration from the Microsoft Entra information of the user. If multifactor authentication is required, the user gets prompted to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
 - Starting in Windows 10, version 1709, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM.
 - Starting in Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins).
@ -52,20 +52,13 @@ To configure autoenrollment using a group policy, use the following steps:
 1. Link the GPO.
 1. Filter using Security Groups.
-If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803 or later installed. To fix the issue, use the following procedures. The latest MDM.admx is backwards compatible.
+If you don't see the policy, get the latest ADMX for your Windows version. To fix the issue, use the following procedures. The latest MDM.admx is backwards compatible.
 1. Download the administrative templates for the desired version:
-   - [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880)
+   - [Windows 11, version 23H2](https://www.microsoft.com/download/details.aspx?id=105667)
-   - [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576)
+   - [Windows 11, version 22H2](https://www.microsoft.com/download/details.aspx?id=104593)
-   - [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495)
+   - [Windows 10, version 22H2](https://www.microsoft.com/download/details.aspx?id=104677)
   - [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591)
   - [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445)
   - [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
   - [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124)
   - [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042)
   - [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677)
   - [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593)
 1. Install the package on the Domain Controller.
@ -96,9 +89,9 @@ This procedure is only for illustration purposes to show how the new autoenrollm
   >
   > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop).
-When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
+When a group policy refresh occurs on the client, a task is created and scheduled to run every five minutes for one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
-If two-factor authentication is required, you are prompted to complete the process. Here's an example screenshot.
+If two-factor authentication is required, you're prompted to complete the process. Here's an example screenshot.
 :::image type="content" source="images/autoenrollment-2-factor-auth.png" alt-text="Screenshot of Two-factor authentication notification.":::
@ -124,10 +117,10 @@ In **Task Scheduler Library**, open **Microsoft > Windows** , then select **Ente
 To see the result of the task, move the scroll bar to see the **Last Run Result**. You can see the logs in the **History** tab.
-The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy.
+The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`), which can be caused by enabling the **Disable MDM Enrollment** policy.
 > [!NOTE]
-> The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies.
+> The GPEdit console doesn't reflect the status of policies set by your organization on your device. It's only used by the user to set policies.
 ## Related articles
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@ -4,7 +4,7 @@ description: Learn more about the BitLocker CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/23/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -312,9 +312,9 @@ Windows will attempt to silently enable BitLocker for value 0.
 <!-- Device-ConfigureRecoveryPasswordRotation-Description-Begin -->
 <!-- Description-Source-DDF -->
-Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Microsoft Entra ID and Hybrid domain joined devices.
+Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Microsoft Entra ID and hybrid domain joined devices.
-When not configured, Rotation is turned on by default for Microsoft Entra-only and off on Hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required.
+When not configured, Rotation is turned on by default for Microsoft Entra ID only and off on hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required.
 For OS drive: Turn on "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives".
@ -323,7 +323,7 @@ For Fixed drives: Turn on "Do not enable BitLocker until recovery information is
 Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
 1 - Numeric Recovery Passwords Rotation upon use ON for Microsoft Entra joined devices. Default value
-2 - Numeric Recovery Passwords Rotation upon use ON for both Microsoft Entra ID and Hybrid devices.
+2 - Numeric Recovery Passwords Rotation upon use ON for both Microsoft Entra ID and hybrid devices.
 <!-- Device-ConfigureRecoveryPasswordRotation-Description-End -->
 <!-- Device-ConfigureRecoveryPasswordRotation-Editable-Begin -->
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@ -4,7 +4,7 @@ description: Learn more about the ClientCertificateInstall CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -165,7 +165,7 @@ Required for PFX certificate installation. A unique ID to differentiate differen
 Format is node.
-Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob.
+Calling Delete on this node, should delete the certificates and the keys that were installed by the corresponding PFX blob.
 <!-- Device-PFXCertInstall-{UniqueID}-Description-End -->
 <!-- Device-PFXCertInstall-{UniqueID}-Editable-Begin -->
@ -385,7 +385,7 @@ Password that protects the PFX blob. This is required if the PFX is password pro
 <!-- Description-Source-DDF -->
 Optional.
-When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored.
+When a value of "2" is contained in PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored.
 <!-- Device-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-Description-End -->
 <!-- Device-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-Editable-Begin -->
@ -653,7 +653,7 @@ Node for SCEP. An alert is sent after the SCEP certificate is installed.
 <!-- Description-Source-DDF -->
 Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests.
-Calling Delete on the this node, should delete the corresponding SCEP certificate.
+Calling Delete on this node, should delete the corresponding SCEP certificate.
 <!-- Device-SCEP-{UniqueID}-Description-End -->
 <!-- Device-SCEP-{UniqueID}-Editable-Begin -->
@ -813,7 +813,7 @@ Required for SCEP certificate enrollment. Parent node to group SCEP cert install
 <!-- Device-SCEP-{UniqueID}-Install-AADKeyIdentifierList-Description-Begin -->
 <!-- Description-Source-DDF -->
-Optional. Specify the AAD Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.
+Optional. Specify the Microsoft Entra ID Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the Microsoft Entra ID Key present on the device. If no match is found, enrollment will fail.
 <!-- Device-SCEP-{UniqueID}-Install-AADKeyIdentifierList-Description-End -->
 <!-- Device-SCEP-{UniqueID}-Install-AADKeyIdentifierList-Editable-Begin -->
@ -1274,7 +1274,7 @@ Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for
 <!-- Device-SCEP-{UniqueID}-Install-RetryCount-Description-Begin -->
 <!-- Description-Source-DDF -->
-Optional. Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value can't be larger than 30. If it's larger than 30, the device will use 30.
+Optional. Special to SCEP. Specify device retry times when the SCEP server sends pending status. Format is int. Default value is 3. Max value: the value can't be larger than 30. If it's larger than 30, the device will use 30.
 The min value is 0 which means no retry.
 <!-- Device-SCEP-{UniqueID}-Install-RetryCount-Description-End -->
@ -1741,7 +1741,7 @@ Required for PFX certificate installation. A unique ID to differentiate differen
 Format is node.
-Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob.
+Calling Delete on this node, should delete the certificates and the keys that were installed by the corresponding PFX blob.
 <!-- User-PFXCertInstall-{UniqueID}-Description-End -->
 <!-- User-PFXCertInstall-{UniqueID}-Editable-Begin -->
@ -1961,7 +1961,7 @@ Password that protects the PFX blob. This is required if the PFX is password pro
 <!-- Description-Source-DDF -->
 Optional.
-When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored.
+When a value of "2" is contained in PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored.
 <!-- User-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-Description-End -->
 <!-- User-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-Editable-Begin -->
@ -2227,7 +2227,7 @@ Node for SCEP. An alert is sent after the SCEP certificate is installed.
 <!-- Description-Source-DDF -->
 Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests.
-Calling Delete on the this node, should delete the corresponding SCEP certificate.
+Calling Delete on this node, should delete the corresponding SCEP certificate.
 <!-- User-SCEP-{UniqueID}-Description-End -->
 <!-- User-SCEP-{UniqueID}-Editable-Begin -->
@ -2387,7 +2387,7 @@ Required for SCEP certificate enrollment. Parent node to group SCEP cert install
 <!-- User-SCEP-{UniqueID}-Install-AADKeyIdentifierList-Description-Begin -->
 <!-- Description-Source-DDF -->
-Optional. Specify the AAD Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.
+Optional. Specify the Microsoft Entra ID Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the Microsoft Entra ID Key present on the device. If no match is found, enrollment will fail.
 <!-- User-SCEP-{UniqueID}-Install-AADKeyIdentifierList-Description-End -->
 <!-- User-SCEP-{UniqueID}-Install-AADKeyIdentifierList-Editable-Begin -->
@ -2848,7 +2848,7 @@ Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for
 <!-- User-SCEP-{UniqueID}-Install-RetryCount-Description-Begin -->
 <!-- Description-Source-DDF -->
-Optional. Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value can't be larger than 30. If it's larger than 30, the device will use 30.
+Optional. Special to SCEP. Specify device retry times when the SCEP server sends pending status. Format is int. Default value is 3. Max value: the value can't be larger than 30. If it's larger than 30, the device will use 30.
 The min value is 0 which means no retry.
 <!-- User-SCEP-{UniqueID}-Install-RetryCount-Description-End -->
--- a/windows/client-management/mdm/clouddesktop-csp.md
+++ b/windows/client-management/mdm/clouddesktop-csp.md
@ -4,7 +4,7 @@ description: Learn more about the CloudDesktop CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/25/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -26,16 +26,72 @@ ms.topic: reference
 The following list shows the CloudDesktop configuration service provider nodes:
 - ./Device/Vendor/MSFT/CloudDesktop
  - [BootToCloudPCEnhanced](#boottocloudpcenhanced)
  - [EnableBootToCloudSharedPCMode](#enableboottocloudsharedpcmode)
 <!-- CloudDesktop-Tree-End -->
 <!-- Device-BootToCloudPCEnhanced-Begin -->
 ## BootToCloudPCEnhanced
 <!-- Device-BootToCloudPCEnhanced-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
 <!-- Device-BootToCloudPCEnhanced-Applicability-End -->
 <!-- Device-BootToCloudPCEnhanced-OmaUri-Begin -->
 ```Device
 ./Device/Vendor/MSFT/CloudDesktop/BootToCloudPCEnhanced
 ```
 <!-- Device-BootToCloudPCEnhanced-OmaUri-End -->
 <!-- Device-BootToCloudPCEnhanced-Description-Begin -->
 <!-- Description-Source-DDF -->
 This node allows to configure different kinds of Boot to Cloud mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. For using this feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned. This node supports the below options: 0. Not Configured. 1. Enable Boot to Cloud Shared PC Mode: Boot to Cloud Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. 2. Enable Boot to Cloud Personal Mode (Cloud only): Personal mode allows user to sign-in on the device using various authentication mechanism configured by their organization (For ex. PIN, Biometrics etc). This mode preserves user personalization, including their profile picture and username in local machine, and facilitates fast account switching.
 <!-- Device-BootToCloudPCEnhanced-Description-End -->
 <!-- Device-BootToCloudPCEnhanced-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!IMPORTANT]
 > If BootToCloudPCEnhanced and EnableBootToCloudSharedPCMode are both configured, BootToCloudPCEnhanced is given priority and overrides EnableBootToCloudSharedPCMode.
 <!-- Device-BootToCloudPCEnhanced-Editable-End -->
 <!-- Device-BootToCloudPCEnhanced-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Default Value  | 0 |
 <!-- Device-BootToCloudPCEnhanced-DFProperties-End -->
 <!-- Device-BootToCloudPCEnhanced-AllowedValues-Begin -->
 **Allowed values**:
 | Value | Description |
 |:--|:--|
 | 0 (Default) | Not Configured. |
 | 1 | Enable Boot to Cloud Shared PC Mode. |
 | 2 | Enable Boot to Cloud Personal Mode (Cloud only). |
 <!-- Device-BootToCloudPCEnhanced-AllowedValues-End -->
 <!-- Device-BootToCloudPCEnhanced-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- Device-BootToCloudPCEnhanced-Examples-End -->
 <!-- Device-BootToCloudPCEnhanced-End -->
 <!-- Device-EnableBootToCloudSharedPCMode-Begin -->
 ## EnableBootToCloudSharedPCMode
 > [!NOTE]
 > This policy is deprecated and may be removed in a future release.
 <!-- Device-EnableBootToCloudSharedPCMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.22631.2050] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
 <!-- Device-EnableBootToCloudSharedPCMode-Applicability-End -->
 <!-- Device-EnableBootToCloudSharedPCMode-OmaUri-Begin -->
@ -46,11 +102,13 @@ The following list shows the CloudDesktop configuration service provider nodes:
 <!-- Device-EnableBootToCloudSharedPCMode-Description-Begin -->
 <!-- Description-Source-DDF -->
-Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. For enabling boot to cloud shared pc feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned.
+Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. For enabling Boot to Cloud Shared PC feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned.
 <!-- Device-EnableBootToCloudSharedPCMode-Description-End -->
 <!-- Device-EnableBootToCloudSharedPCMode-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!IMPORTANT]
 > If BootToCloudPCEnhanced and EnableBootToCloudSharedPCMode are both configured, BootToCloudPCEnhanced is given priority and overrides EnableBootToCloudSharedPCMode.
 <!-- Device-EnableBootToCloudSharedPCMode-Editable-End -->
 <!-- Device-EnableBootToCloudSharedPCMode-DFProperties-Begin -->
@ -80,66 +138,86 @@ Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to
 <!-- CloudDesktop-CspMoreInfo-Begin -->
 <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
-## EnableBootToCloudSharedPCMode technical reference
+## BootToCloudPCEnhanced technical reference
-EnableBootToCloudSharedPCMode setting is used to configure **Boot to Cloud** feature for shared user mode. When you enable this setting, multiple policies are applied to achieve the intended behavior.
+BootToCloudPCEnhanced is the setting used to configure **Boot to Cloud** feature either for shared mode or personal mode. When you enable this setting, multiple policies are applied to achieve the intended behavior. If you wish to customize the **Boot to Cloud** experience, you can utilize the [BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) policy, which provides the flexibility to tailor the experience according to your requirements.
 > [!NOTE]
-> It is recommended not to set any of the policies enforced by this setting to different values, as these policies help provide a smooth UX experience for the **Boot to Cloud** feature for shared user mode.
+> It is recommended not to set any of the policies enforced by this setting to different values, as these policies help provide a smooth UX experience for the **Boot to Cloud** feature for shared and personal mode.
-### MDM Policies
+### Boot to Cloud Shared PC Mode
-When this mode is enabled, these MDM policies are applied for the Device scope (all users):
+When the Shared PC mode is enabled by setting BootToCloudPCEnhanced value to 1:
-| Setting                                                                                                                    | Value   | Value Description                                           |
+- Following MDM policies are applied for the Device scope (all users):
 |----------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------------------------|
 | [CloudDesktop/BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode)                                                 | 1       | Enable Boot to Cloud Desktop                                |
 | [WindowsLogon/OverrideShellProgram](policy-csp-windowslogon.md#overrideshellprogram)                                       | 1       | Apply Lightweight Shell                                     |
 | [ADMX_CredentialProviders/DefaultCredentialProvider](policy-csp-admx-credentialproviders.md#defaultcredentialprovider)     | Enabled | Configures default credential provider to password provider |
 | [ADMX_Logon/DisableExplorerRunLegacy_2](policy-csp-admx-logon.md#disableexplorerrunlegacy_2)                               | Enabled | Don't process the computer legacy run list                  |
 | [TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode) | 1       | When no keyboard is attached                                |
-### Group Policies
+    | Setting                                                                                                                    | Value   | Value Description                                           |
    |----------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------------------------|
    | [CloudDesktop/BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode)                                                 | 1       | Enable Boot to Cloud Desktop                                |
    | [WindowsLogon/OverrideShellProgram](policy-csp-windowslogon.md#overrideshellprogram)                                       | 1       | Apply Lightweight Shell                                     |
    | [ADMX_CredentialProviders/DefaultCredentialProvider](policy-csp-admx-credentialproviders.md#defaultcredentialprovider)     | Enabled | Configures default credential provider to password provider |
    | [ADMX_Logon/DisableExplorerRunLegacy_2](policy-csp-admx-logon.md#disableexplorerrunlegacy_2)                               | Enabled | Don't process the computer legacy run list                  |
    | [TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode) | 1       | When no keyboard is attached                                |
-When this mode is enabled, these local group policies are configured for all users:
+- Following local group policies are configured for all users:
-| Policy setting                                                                                                         | Status                                |
+    | Policy setting                                                                                                         | Status                                |
-|------------------------------------------------------------------------------------------------------------------------|---------------------------------------|
+    |------------------------------------------------------------------------------------------------------------------------|---------------------------------------|
-| Security Settings/Local Policies/Security Options/User Account Control: Behavior of elevation prompt for standard user | Automatically deny elevation requests |
+    | Security Settings/Local Policies/Security Options/User Account Control: Behavior of elevation prompt for standard user | Automatically deny elevation requests |
-| Security Settings/Local Policies/Security Options/Interactive logon: Don't display last signed-in                      | Enabled                               |
+    | Security Settings/Local Policies/Security Options/Interactive logon: Don't display last signed-in                      | Enabled                               |
-| Control Panel/Personalization/Prevent enabling lock screen slide show                                                  | Enabled                               |
+    | Control Panel/Personalization/Prevent enabling lock screen slide show                                                  | Enabled                               |
-| System/Logon/Block user from showing account details on sign-in                                                        | Enabled                               |
+    | System/Logon/Block user from showing account details on sign-in                                                        | Enabled                               |
-| System/Logon/Enumerate local users on domain-joined computers                                                          | Disabled                              |
+    | System/Logon/Enumerate local users on domain-joined computers                                                          | Disabled                              |
-| System/Logon/Hide entry points for Fast User Switching                                                                 | Enabled                               |
+    | System/Logon/Hide entry points for Fast User Switching                                                                 | Enabled                               |
-| System/Logon/Show first sign-in animation                                                                              | Disabled                              |
+    | System/Logon/Show first sign-in animation                                                                              | Disabled                              |
-| System/Logon/Turn off app notifications on the lock screen                                                             | Enabled                               |
+    | System/Logon/Turn off app notifications on the lock screen                                                             | Enabled                               |
-| System/Logon/Turn off picture password sign-in                                                                         | Enabled                               |
+    | System/Logon/Turn off picture password sign-in                                                                         | Enabled                               |
-| System/Logon/Turn on convenience PIN sign-in                                                                           | Disabled                              |
+    | System/Logon/Turn on convenience PIN sign-in                                                                           | Disabled                              |
-| Windows Components/App Package Deployment/Allow a Windows app to share application data between users                  | Enabled                               |
+    | Windows Components/App Package Deployment/Allow a Windows app to share application data between users                  | Enabled                               |
-| Windows Components/Biometrics/Allow the use of biometrics                                                              | Disabled                              |
+    | Windows Components/Biometrics/Allow the use of biometrics                                                              | Disabled                              |
-| Windows Components/Biometrics/Allow users to log on using biometrics                                                   | Disabled                              |
+    | Windows Components/Biometrics/Allow users to log on using biometrics                                                   | Disabled                              |
-| Windows Components/Biometrics/Allow domain users to log on using biometrics                                            | Disabled                              |
+    | Windows Components/Biometrics/Allow domain users to log on using biometrics                                            | Disabled                              |
-| Windows Components/File Explorer/Show lock in the user tile menu                                                       | Disabled                              |
+    | Windows Components/File Explorer/Show lock in the user tile menu                                                       | Disabled                              |
-| Windows Components/File History/Turn off File History                                                                  | Enabled                               |
+    | Windows Components/File History/Turn off File History                                                                  | Enabled                               |
-| Windows Components/OneDrive/Prevent the usage of OneDrive for file storage                                             | Enabled                               |
+    | Windows Components/OneDrive/Prevent the usage of OneDrive for file storage                                             | Enabled                               |
-| Windows Components/Windows Hello for Business/Use biometrics                                                           | Disabled                              |
+    | Windows Components/Windows Hello for Business/Use biometrics                                                           | Disabled                              |
-| Windows Components/Windows Hello for Business/Use Windows Hello for Business                                           | Disabled                              |
+    | Windows Components/Windows Hello for Business/Use Windows Hello for Business                                           | Disabled                              |
-| Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart          | Disabled                              |
+    | Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart          | Disabled                              |
-| Windows Components/Microsoft Passport for Work                                                                         | Disabled                              |
+    | Windows Components/Microsoft Passport for Work                                                                         | Disabled                              |
-| System/Ctrl+Alt+Del Options/Remove Task Manager                                                                        | Enabled                               |
+    | System/Ctrl+Alt+Del Options/Remove Task Manager                                                                        | Enabled                               |
-| System/Ctrl+Alt+Del Options/Remove Change Password                                                                     | Enabled                               |
+    | System/Ctrl+Alt+Del Options/Remove Change Password                                                                     | Enabled                               |
-| Start Menu and Taskbar/Notifications/Turn off toast notifications                                                      | Enabled                               |
+    | Start Menu and Taskbar/Notifications/Turn off toast notifications                                                      | Enabled                               |
-| Start Menu and Taskbar/Notifications/Remove Notifications and Action Center                                            | Enabled                               |
+    | Start Menu and Taskbar/Notifications/Remove Notifications and Action Center                                            | Enabled                               |
-| System/Logon/Do not process the legacy run list                                                                        | Enabled                               |
+    | System/Logon/Do not process the legacy run list                                                                        | Enabled                               |
-### Registry
+- Following registry changes are performed:
-When this mode is enabled, these registry changes are performed:
+    | Registry setting                                                                             | Status |
    |----------------------------------------------------------------------------------------------|--------|
    | Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0      |
    | Software\Policies\Microsoft\PassportForWork\Enabled (Use Microsoft Passport for Work)        | 0      |
-| Registry setting                                                                             | Status |
+### Boot to Cloud Personal Mode
-|----------------------------------------------------------------------------------------------|--------|
+
-| Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0      |
+When the Personal mode is enabled by setting BootToCloudPCEnhanced value to 2:
-| Software\Policies\Microsoft\PassportForWork\Enabled (Use Microsoft Passport for Work)        | 0      |
+
 - Following MDM policies are applied for the Device scope (all users):
    | Setting                                                                                                                    | Value   | Value Description                                           |
    |----------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------------------------|
    | [CloudDesktop/BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode)                                                 | 1       | Enable Boot to Cloud Desktop                                |
    | [WindowsLogon/OverrideShellProgram](policy-csp-windowslogon.md#overrideshellprogram)                                       | 1       | Apply Lightweight Shell                                     |
    | [ADMX_Logon/DisableExplorerRunLegacy_2](policy-csp-admx-logon.md#disableexplorerrunlegacy_2)                               | Enabled | Don't process the computer legacy run list                  |
    | [TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode) | 1       | When no keyboard is attached                                |
 - Following local group policies are configured for all users:
    | Policy setting                                                                                                         | Status                                |
    |------------------------------------------------------------------------------------------------------------------------|---------------------------------------|
    | System/Ctrl+Alt+Del Options/Remove Change Password                                                                     | Enabled                               |
    | Start Menu and Taskbar/Notifications/Turn off toast notifications                                                      | Enabled                               |
    | Start Menu and Taskbar/Notifications/Remove Notifications and Action Center                                            | Enabled                               |
    | System/Logon/Do not process the legacy run list                                                                        | Enabled                               |
 <!-- CloudDesktop-CspMoreInfo-End -->
 <!-- CloudDesktop-End -->
--- a/windows/client-management/mdm/clouddesktop-ddf-file.md
+++ b/windows/client-management/mdm/clouddesktop-ddf-file.md
@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/29/2023
+ms.date: 10/25/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -45,11 +45,55 @@ The following XML file contains the device description framework (DDF) for the C
        <MIME />
      </DFType>
      <MSFT:Applicability>
-        <MSFT:OsBuildVersion>22631.2050</MSFT:OsBuildVersion>
+        <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
-        <MSFT:CspVersion>1.0</MSFT:CspVersion>
+        <MSFT:CspVersion>9.9</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;</MSFT:EditionAllowList>
      </MSFT:Applicability>
    </DFProperties>
    <Node>
      <NodeName>BootToCloudPCEnhanced</NodeName>
      <DFProperties>
        <AccessType>
          <Add />
          <Delete />
          <Get />
          <Replace />
        </AccessType>
        <DefaultValue>0</DefaultValue>
        <Description>This node allows to configure different kinds of Boot to Cloud mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. For using this feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned. This node supports the below options: 0. Not Configured. 1. Enable Boot to Cloud Shared PC Mode: Boot to Cloud Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. 2. Enable Boot to Cloud Personal Mode (Cloud only): Personal mode allows user to sign-in on the device using various authentication mechanism configured by their organization (For ex. PIN, Biometrics etc). This mode preserves user personalization, including their profile picture and username in local machine, and facilitates fast account switching.</Description>
        <DFFormat>
          <int />
        </DFFormat>
        <Occurrence>
          <One />
        </Occurrence>
        <Scope>
          <Dynamic />
        </Scope>
        <DFTitle>Boot to Cloud PC Enhanced</DFTitle>
        <DFType>
          <MIME />
        </DFType>
        <MSFT:Applicability>
          <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
          <MSFT:CspVersion>9.9</MSFT:CspVersion>
        </MSFT:Applicability>
        <MSFT:AllowedValues ValueType="ENUM">
          <MSFT:Enum>
            <MSFT:Value>0</MSFT:Value>
            <MSFT:ValueDescription>Not Configured</MSFT:ValueDescription>
          </MSFT:Enum>
          <MSFT:Enum>
            <MSFT:Value>1</MSFT:Value>
            <MSFT:ValueDescription>Enable Boot to Cloud Shared PC Mode</MSFT:ValueDescription>
          </MSFT:Enum>
          <MSFT:Enum>
            <MSFT:Value>2</MSFT:Value>
            <MSFT:ValueDescription>Enable Boot to Cloud Personal Mode (Cloud only)</MSFT:ValueDescription>
          </MSFT:Enum>
        </MSFT:AllowedValues>
      </DFProperties>
    </Node>
    <Node>
      <NodeName>EnableBootToCloudSharedPCMode</NodeName>
      <DFProperties>
@ -74,6 +118,9 @@ The following XML file contains the device description framework (DDF) for the C
        <DFType>
          <MIME />
        </DFType>
        <MSFT:Applicability>
          <MSFT:OsBuildVersion>88.8.88888</MSFT:OsBuildVersion>
        </MSFT:Applicability>
        <MSFT:AllowedValues ValueType="ENUM">
          <MSFT:Enum>
            <MSFT:Value>false</MSFT:Value>
@ -84,6 +131,7 @@ The following XML file contains the device description framework (DDF) for the C
            <MSFT:ValueDescription>Boot to cloud shared pc mode enabled</MSFT:ValueDescription>
          </MSFT:Enum>
        </MSFT:AllowedValues>
        <MSFT:Deprecated />
      </DFProperties>
    </Node>
  </Node>
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@ -4,7 +4,7 @@ description: Learn more about the DMClient CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 09/27/2023
+ms.date: 10/24/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -351,7 +351,7 @@ For more information about Microsoft Entra enrollment, see [Microsoft Entra inte
 <!-- Device-Provider-{ProviderID}-AADSendDeviceToken-Description-Begin -->
 <!-- Description-Source-DDF -->
-For Microsoft Entra backed enrollments, this will cause the client to send a Device Token if the User Token can't be obtained.
+For Microsoft Entra ID backed enrollments, this will cause the client to send a Device Token if the User Token can't be obtained.
 <!-- Device-Provider-{ProviderID}-AADSendDeviceToken-Description-End -->
 <!-- Device-Provider-{ProviderID}-AADSendDeviceToken-Editable-Begin -->
@ -1209,7 +1209,7 @@ The node contains the secondary certificate - the public key to use.
 <!-- Device-Provider-{ProviderID}-EnhancedAppLayerSecurity-SecurityMode-Description-Begin -->
 <!-- Description-Source-DDF -->
-This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
+This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign-only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
 <!-- Device-Provider-{ProviderID}-EnhancedAppLayerSecurity-SecurityMode-Description-End -->
 <!-- Device-Provider-{ProviderID}-EnhancedAppLayerSecurity-SecurityMode-Editable-Begin -->
@ -1568,7 +1568,7 @@ This node decides whether or not the MDM progress page displays the Collect Logs
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-BlockInStatusPage-Description-Begin -->
 <!-- Description-Source-DDF -->
-Device Only. This node determines whether or not the MDM progress page is blocking in the AADJ or DJ++ case, as well as which remediation options are available.
+Device Only. This node determines whether or not the MDM progress page is blocking in the Microsoft Entra joined or DJ++ case, as well as which remediation options are available.
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-BlockInStatusPage-Description-End -->
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-BlockInStatusPage-Editable-Begin -->
@ -1994,7 +1994,7 @@ This node is set by the server to inform the UX that the server has finished pro
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipDeviceStatusPage-Description-Begin -->
 <!-- Description-Source-DDF -->
-Device only. This node decides whether or not the MDM device progress page skips after AADJ or Hybrid AADJ in OOBE.
+Device only. This node decides whether or not the MDM device progress page skips after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE.
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipDeviceStatusPage-Description-End -->
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipDeviceStatusPage-Editable-Begin -->
@ -2043,7 +2043,7 @@ Device only. This node decides whether or not the MDM device progress page skips
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipUserStatusPage-Description-Begin -->
 <!-- Description-Source-DDF -->
-Device only. This node decides whether or not the MDM user progress page skips after AADJ or DJ++ after user login.
+Device only. This node decides whether or not the MDM user progress page skips after Microsoft Entra joined or DJ++ after user login.
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipUserStatusPage-Description-End -->
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipUserStatusPage-Editable-Begin -->
@ -2206,7 +2206,7 @@ Force device to send device Microsoft Entra token during check-in as a separate
 | 0 | ForceAadTokenNotDefined: the value isn't defined(default). |
 | 1 | AlwaysSendAadDeviceTokenCheckIn: always send Microsoft Entra device token during check-in as a separate header section(not as Bearer token). |
 | 2 | Reserved for future. AlwaysSendAadUserTokenCheckin: always send Microsoft Entra user token during check-in as a separate header section(not as Bearer token). |
-| 4 | SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send Microsoft Entra Device token for auth as Bearer token. |
+| 4 | SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send Microsoft Entra device token for auth as Bearer token. |
 | 8 | Reserved for future. ForceAadTokenMaxAllowed: max value allowed. |
 <!-- Device-Provider-{ProviderID}-ForceAadToken-AllowedValues-End -->
@ -2428,7 +2428,7 @@ The interior node for linked enrollment.
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Description-Begin -->
 <!-- Description-Source-DDF -->
-Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint isn't set, client will return an rmpty string with S_OK.
+Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint isn't set, client will return an empty string with S_OK.
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Description-End -->
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Editable-Begin -->
--- a/windows/client-management/mdm/index.yml
+++ b/windows/client-management/mdm/index.yml
@ -1,11 +1,11 @@
 ### YamlMime:Landing
 title: Configuration Service Provider # < 60 chars
-summary: Learn more about the configuration service provider (CSP) policies available on Windows 10 and Windows 11. # < 160 chars
+summary: Learn more about the configuration service provider (CSP) policies available on Windows devices. # < 160 chars
 metadata:
  title: Configuration Service Provider # Required; page title displayed in search results. Include the brand. < 60 chars.
-  description: Learn more about the configuration service provider (CSP) policies available on Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
+  description: Learn more about the configuration service provider (CSP) policies available on Windows devices. # Required; article description that is displayed in search results. < 160 chars.
  ms.topic: landing-page
  ms.technology: itpro-manage
  ms.prod: windows-client
@ -15,7 +15,7 @@ metadata:
  author: vinaypamnani-msft
  ms.author: vinpa
  manager: aaroncz
-  ms.date: 08/04/2022
+  ms.date: 10/25/2023
  localization_priority: medium
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@ -35,8 +35,8 @@ landingContent:
            url: configuration-service-provider-ddf.md
          - text: BitLocker CSP
            url: bitlocker-csp.md
-          - text: DynamicManagement CSP
+          - text: Declared Configuration protocol
-            url: dynamicmanagement-csp.md
+            url: ../declared-configuration.md
  # Card (optional)
--- a/windows/client-management/mdm/laps-csp.md
+++ b/windows/client-management/mdm/laps-csp.md
@ -4,7 +4,7 @@ description: Learn more about the LAPS CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -449,7 +449,7 @@ Use this setting to configure which directory the local admin account password i
 The allowable settings are:
 0=Disabled (password won't be backed up)
-1=Backup the password to Microsoft Entra-only
+1=Backup the password to Microsoft Entra ID only
 2=Backup the password to Active Directory only.
 If not specified, this setting will default to 0.
@ -475,7 +475,7 @@ If not specified, this setting will default to 0.
 | Value | Description |
 |:--|:--|
 | 0 (Default) | Disabled (password won't be backed up). |
-| 1 | Backup the password to Microsoft Entra-only. |
+| 1 | Backup the password to Microsoft Entra ID only. |
 | 2 | Backup the password to Active Directory only. |
 <!-- Device-Policies-BackupDirectory-AllowedValues-End -->
@ -745,7 +745,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff
 | Value | Description |
 |:--|:--|
 | 1 | Reset password: upon expiry of the grace period, the managed account password will be reset. |
-| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated. |
+| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. |
 | 5 | Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. |
 <!-- Device-Policies-PostAuthenticationActions-AllowedValues-End -->
--- a/windows/client-management/mdm/personalization-csp.md
+++ b/windows/client-management/mdm/personalization-csp.md
@ -4,7 +4,7 @@ description: Learn more about the Personalization CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/26/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -16,24 +16,147 @@ ms.topic: reference
 <!-- Personalization-Begin -->
 # Personalization CSP
 [!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
 <!-- Personalization-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-The Personalization CSP can set the lock screen and desktop background images. Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package.
+The Personalization CSP can set the lock screen, desktop background images and company branding on sign-in screen ([BootToCloud mode](policy-csp-clouddesktop.md#boottocloudmode) only). Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package.
 > [!IMPORTANT]
-> Personalization CSP is supported in Windows Enterprise and Education SKUs. It works in Windows Professional only when SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set.
+> Personalization CSP is supported in Windows Enterprise and Education SKUs. It works in Windows Professional only when SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set, or when the device is configured in [Shared PC mode with BootToCloudPCEnhanced policy](clouddesktop-csp.md#boottocloudpcenhanced).
 <!-- Personalization-Editable-End -->
 <!-- Personalization-Tree-Begin -->
 The following list shows the Personalization configuration service provider nodes:
 - ./Vendor/MSFT/Personalization
  - [CompanyLogoStatus](#companylogostatus)
  - [CompanyLogoUrl](#companylogourl)
  - [CompanyName](#companyname)
  - [DesktopImageStatus](#desktopimagestatus)
  - [DesktopImageUrl](#desktopimageurl)
  - [LockScreenImageStatus](#lockscreenimagestatus)
  - [LockScreenImageUrl](#lockscreenimageurl)
 <!-- Personalization-Tree-End -->
 <!-- Device-CompanyLogoStatus-Begin -->
 ## CompanyLogoStatus
 <!-- Device-CompanyLogoStatus-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
 <!-- Device-CompanyLogoStatus-Applicability-End -->
 <!-- Device-CompanyLogoStatus-OmaUri-Begin -->
 ```Device
 ./Vendor/MSFT/Personalization/CompanyLogoStatus
 ```
 <!-- Device-CompanyLogoStatus-OmaUri-End -->
 <!-- Device-CompanyLogoStatus-Description-Begin -->
 <!-- Description-Source-DDF -->
 This represents the status of the Company Logo. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. This setting is currently available for boot to cloud shared pc mode only.
 <!-- Device-CompanyLogoStatus-Description-End -->
 <!-- Device-CompanyLogoStatus-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Device-CompanyLogoStatus-Editable-End -->
 <!-- Device-CompanyLogoStatus-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
 | Access Type | Get |
 <!-- Device-CompanyLogoStatus-DFProperties-End -->
 <!-- Device-CompanyLogoStatus-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- Device-CompanyLogoStatus-Examples-End -->
 <!-- Device-CompanyLogoStatus-End -->
 <!-- Device-CompanyLogoUrl-Begin -->
 ## CompanyLogoUrl
 <!-- Device-CompanyLogoUrl-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
 <!-- Device-CompanyLogoUrl-Applicability-End -->
 <!-- Device-CompanyLogoUrl-OmaUri-Begin -->
 ```Device
 ./Vendor/MSFT/Personalization/CompanyLogoUrl
 ```
 <!-- Device-CompanyLogoUrl-OmaUri-End -->
 <!-- Device-CompanyLogoUrl-Description-Begin -->
 <!-- Description-Source-DDF -->
 An http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Company Logo or a file Url to a local image on the file system that needs to be used as the Company Logo. This setting is currently available for boot to cloud shared pc mode only.
 <!-- Device-CompanyLogoUrl-Description-End -->
 <!-- Device-CompanyLogoUrl-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Device-CompanyLogoUrl-Editable-End -->
 <!-- Device-CompanyLogoUrl-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `chr` (string) |
 | Access Type | Add, Delete, Get, Replace |
 <!-- Device-CompanyLogoUrl-DFProperties-End -->
 <!-- Device-CompanyLogoUrl-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- Device-CompanyLogoUrl-Examples-End -->
 <!-- Device-CompanyLogoUrl-End -->
 <!-- Device-CompanyName-Begin -->
 ## CompanyName
 <!-- Device-CompanyName-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
 <!-- Device-CompanyName-Applicability-End -->
 <!-- Device-CompanyName-OmaUri-Begin -->
 ```Device
 ./Vendor/MSFT/Personalization/CompanyName
 ```
 <!-- Device-CompanyName-OmaUri-End -->
 <!-- Device-CompanyName-Description-Begin -->
 <!-- Description-Source-DDF -->
 The name of the company to be displayed on the sign-in screen. This setting is currently available for boot to cloud shared pc mode only.
 <!-- Device-CompanyName-Description-End -->
 <!-- Device-CompanyName-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Device-CompanyName-Editable-End -->
 <!-- Device-CompanyName-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `chr` (string) |
 | Access Type | Add, Delete, Get, Replace |
 | Allowed Values | Regular Expression: `^.{1,30}$` |
 <!-- Device-CompanyName-DFProperties-End -->
 <!-- Device-CompanyName-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- Device-CompanyName-Examples-End -->
 <!-- Device-CompanyName-End -->
 <!-- Device-DesktopImageStatus-Begin -->
 ## DesktopImageStatus
@ -90,7 +213,7 @@ This represents the status of the DesktopImage. 1 - Successfully downloaded or c
 <!-- Device-DesktopImageUrl-Description-Begin -->
 <!-- Description-Source-DDF -->
-A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to be used as the Desktop Image.
+An http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to be used as the Desktop Image.
 <!-- Device-DesktopImageUrl-Description-End -->
 <!-- Device-DesktopImageUrl-Editable-Begin -->
@ -168,7 +291,7 @@ This represents the status of the LockScreenImage. 1 - Successfully downloaded o
 <!-- Device-LockScreenImageUrl-Description-Begin -->
 <!-- Description-Source-DDF -->
-A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image.
+An http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image.
 <!-- Device-LockScreenImageUrl-Description-End -->
 <!-- Device-LockScreenImageUrl-Editable-Begin -->
--- a/windows/client-management/mdm/personalization-ddf.md
+++ b/windows/client-management/mdm/personalization-ddf.md
@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 10/25/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -49,7 +49,7 @@ The following XML file contains the device description framework (DDF) for the P
      <MSFT:Applicability>
        <MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
        <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;</MSFT:EditionAllowList>
      </MSFT:Applicability>
    </DFProperties>
    <Node>
@ -146,6 +146,92 @@ The following XML file contains the device description framework (DDF) for the P
        </DFType>
      </DFProperties>
    </Node>
    <Node>
      <NodeName>CompanyLogoUrl</NodeName>
      <DFProperties>
        <AccessType>
          <Add />
          <Delete />
          <Get />
          <Replace />
        </AccessType>
        <Description>A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Company Logo or a file Url to a local image on the file system that needs to be used as the Company Logo. This setting is currently available for boot to cloud shared pc mode only.</Description>
        <DFFormat>
          <chr />
        </DFFormat>
        <Occurrence>
          <One />
        </Occurrence>
        <Scope>
          <Dynamic />
        </Scope>
        <DFType>
          <MIME />
        </DFType>
        <MSFT:Applicability>
          <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
          <MSFT:CspVersion>2.0</MSFT:CspVersion>
        </MSFT:Applicability>
        <MSFT:AllowedValues ValueType="None">
        </MSFT:AllowedValues>
      </DFProperties>
    </Node>
    <Node>
      <NodeName>CompanyLogoStatus</NodeName>
      <DFProperties>
        <AccessType>
          <Get />
        </AccessType>
        <Description>This represents the status of the Company Logo. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. This setting is currently available for boot to cloud shared pc mode only.</Description>
        <DFFormat>
          <int />
        </DFFormat>
        <Occurrence>
          <One />
        </Occurrence>
        <Scope>
          <Dynamic />
        </Scope>
        <DFType>
          <MIME />
        </DFType>
        <MSFT:Applicability>
          <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
          <MSFT:CspVersion>2.0</MSFT:CspVersion>
        </MSFT:Applicability>
      </DFProperties>
    </Node>
    <Node>
      <NodeName>CompanyName</NodeName>
      <DFProperties>
        <AccessType>
          <Add />
          <Delete />
          <Get />
          <Replace />
        </AccessType>
        <Description>The name of the company to be displayed on the sign-in screen. This setting is currently available for boot to cloud shared pc mode only.</Description>
        <DFFormat>
          <chr />
        </DFFormat>
        <Occurrence>
          <One />
        </Occurrence>
        <Scope>
          <Dynamic />
        </Scope>
        <DFType>
          <MIME />
        </DFType>
        <MSFT:Applicability>
          <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
          <MSFT:CspVersion>2.0</MSFT:CspVersion>
        </MSFT:Applicability>
        <MSFT:AllowedValues ValueType="RegEx">
          <MSFT:Value>^.{1,30}$</MSFT:Value>
        </MSFT:AllowedValues>
      </DFProperties>
    </Node>
  </Node>
 </MgmtTree>
 ```
--- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
+++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
@ -4,7 +4,7 @@ description: Learn more about the ADMX_OfflineFiles Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/23/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -1755,7 +1755,7 @@ This policy setting is triggered by the configured round trip network latency va
 - If you enable this policy setting, transparent caching is enabled and configurable.
- If you disable or don't configure this policy setting, remote files will be not be transparently cached on client computers.
+- If you disable or don't configure this policy setting, remote files won't be transparently cached on client computers.
 <!-- Pol_OnlineCachingSettings-Description-End -->
 <!-- Pol_OnlineCachingSettings-Editable-Begin -->
--- a/windows/client-management/mdm/policy-csp-admx-power.md
+++ b/windows/client-management/mdm/policy-csp-admx-power.md
@ -4,7 +4,7 @@ description: Learn more about the ADMX_Power Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/23/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -102,7 +102,7 @@ This policy setting allows you to control the network connectivity state in stan
 <!-- Description-Source-ADMX -->
 This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping.
- If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate).
+- If you enable this policy setting, an application or service may prevent the system from sleeping (hybrid Sleep, Stand By, or Hibernate).
 - If you disable or don't configure this policy setting, users control this setting.
 <!-- ACCriticalSleepTransitionsDisable_2-Description-End -->
@ -885,7 +885,7 @@ This policy setting allows you to control the network connectivity state in stan
 <!-- Description-Source-ADMX -->
 This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping.
- If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate).
+- If you enable this policy setting, an application or service may prevent the system from sleeping (hybrid Sleep, Stand By, or Hibernate).
 - If you disable or don't configure this policy setting, users control this setting.
 <!-- DCCriticalSleepTransitionsDisable_2-Description-End -->
--- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md
+++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
@ -4,7 +4,7 @@ description: Learn more about the ADMX_TerminalServer Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/30/2023
+ms.date: 10/24/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -2459,7 +2459,7 @@ Per Device licensing mode requires that each device connecting to this RD Sessio
 - If you disable or don't configure this policy setting, the licensing mode isn't specified at the Group Policy level.
 > [!NOTE]
-> AAD Per User mode is deprecated on Windows 11 and above.
+> Microsoft Entra ID Per User mode is deprecated on Windows 11 and above.
 <!-- TS_LICENSING_MODE-Description-End -->
 <!-- TS_LICENSING_MODE-Editable-Begin -->
@ -2515,7 +2515,7 @@ Per Device licensing mode requires that each device connecting to this RD Sessio
 <!-- Description-Source-ADMX -->
 Specifies whether Remote Desktop Services limits the number of simultaneous connections to the server.
-You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is exceeded, addtional users who try to connect receive an error message telling them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are demanding system resources. By default, RD Session Host servers allow an unlimited number of Remote Desktop Services sessions, and Remote Desktop for Administration allows two Remote Desktop Services sessions.
+You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is exceeded, additional users who try to connect receive an error message telling them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are demanding system resources. By default, RD Session Host servers allow an unlimited number of Remote Desktop Services sessions, and Remote Desktop for Administration allows two Remote Desktop Services sessions.
 To use this setting, enter the number of connections you want to specify as the maximum for the server. To specify an unlimited number of connections, type 999999.
@ -4070,7 +4070,7 @@ This policy setting allows you to configure graphics encoding to use the RemoteF
 <!-- TS_SERVER_PROFILE-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available nework bandwidth.
+This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available network bandwidth.
 - If you enable this policy setting, the RemoteFX experience could be set to one of the following options:
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@ -4,7 +4,7 @@ description: Learn more about the AppVirtualization Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -149,7 +149,7 @@ Enables Dynamic Virtualization of supported shell extensions, browser helper obj
 <!-- AllowPackageCleanup-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Enables automatic cleanup of appv packages that were added after Windows10 anniversary release.
+Enables automatic cleanup of appv packages that were added after Windows 10 anniversary release.
 <!-- AllowPackageCleanup-Description-End -->
 <!-- AllowPackageCleanup-Editable-Begin -->
@ -1443,7 +1443,7 @@ Specifies the number of times to retry a dropped session.
 <!-- StreamingSharedContentStoreMode-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Specifies that streamed package contents will be not be saved to the local hard disk.
+Specifies that streamed package contents won't be saved to the local hard disk.
 <!-- StreamingSharedContentStoreMode-Description-End -->
 <!-- StreamingSharedContentStoreMode-Editable-Begin -->
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@ -4,7 +4,7 @@ description: Learn more about the Authentication Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -90,7 +90,7 @@ This policy allows the Microsoft Entra tenant administrator to enable the self-s
 <!-- AllowEAPCertSSO-Description-Begin -->
 <!-- Description-Source-DDF -->
-Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources.
+Allows an EAP cert-based authentication for a single sign-on (SSO) to access internal resources.
 <!-- AllowEAPCertSSO-Description-End -->
 <!-- AllowEAPCertSSO-Editable-Begin -->
@ -188,7 +188,7 @@ Allows EAP Fast Reconnect from being attempted for EAP Method TLS. Most restrict
 <!-- AllowSecondaryAuthenticationDevice-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy allows users to use a companion device, such as a phone, fitness band, or IoT device, to sign on to a desktop computer running Windows 10. The companion device provides a second factor of authentication with Windows Hello.
+This policy allows users to use a companion device, such as a phone, fitness band, or IoT device, to sign-on to a desktop computer running Windows 10. The companion device provides a second factor of authentication with Windows Hello.
 - If you enable or don't configure this policy setting, users can authenticate to Windows Hello using a companion device.
@ -413,7 +413,7 @@ This policy is intended for use on Shared PCs to enable a quick first sign-in ex
 <!-- EnablePasswordlessExperience-Description-Begin -->
 <!-- Description-Source-DDF -->
-Specifies whether connected users on AADJ devices receive a Passwordless experience on Windows.
+Specifies whether connected users on Microsoft Entra joined devices receive a Passwordless experience on Windows.
 <!-- EnablePasswordlessExperience-Description-End -->
 <!-- EnablePasswordlessExperience-Editable-Begin -->
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 10/03/2023
+ms.date: 10/23/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -1074,7 +1074,6 @@ This policy setting allows you to configure the maximum percentage CPU utilizati
 - If you enable this setting, CPU utilization won't exceed the percentage specified.
 - If you disable or don't configure this setting, CPU utilization won't exceed the default value.
 <!-- AvgCPULoadFactor-Description-End -->
 <!-- AvgCPULoadFactor-Editable-Begin -->
@ -1085,7 +1084,6 @@ This policy setting allows you to configure the maximum percentage CPU utilizati
 > 
 > - [ScanOnlyIfIdle](defender-csp.md#configurationscanonlyifidleenabled): Instructs the product to scan only when the computer isn't in use.
 > - [DisableCpuThrottleOnIdleScans](defender-csp.md#configurationdisablecputhrottleonidlescans): Instructs the product to disable CPU throttling on idle scans.
 <!-- AvgCPULoadFactor-Editable-End -->
 <!-- AvgCPULoadFactor-DFProperties-Begin -->
@ -2920,4 +2918,3 @@ Valid remediation action values are:
 ## Related articles
 [Policy configuration service provider](policy-configuration-service-provider.md)
--- a/windows/client-management/mdm/policy-csp-federatedauthentication.md
+++ b/windows/client-management/mdm/policy-csp-federatedauthentication.md
@ -4,7 +4,7 @@ description: Learn more about the FederatedAuthentication Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/23/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -63,7 +63,7 @@ Specifies whether web-based sign-in is enabled with the Primary User experience.
 |:--|:--|
 | 0 (Default) | Feature defaults as appropriate for edition and device capabilities. As of now, all editions/devices exhibit Disabled behavior by default. However, this may change for future editions/devices. |
 | 1 | Enabled. Web Sign-in Credential Provider will be enabled for device sign-in. |
-| 2 | Disabled. Web Sign-in Credential Provider isn't be enabled for device sign-in. |
+| 2 | Disabled. Web Sign-in Credential Provider won't be enabled for device sign-in. |
 <!-- EnableWebSignInForPrimaryUser-AllowedValues-End -->
 <!-- EnableWebSignInForPrimaryUser-Examples-Begin -->
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@ -4,7 +4,7 @@ description: Learn more about the Kerberos Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/23/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -134,7 +134,7 @@ This policy setting allows retrieving the Microsoft Entra Kerberos Ticket Granti
 | Name | Value |
 |:--|:--|
 | Name | CloudKerberosTicketRetrievalEnabled |
-| Friendly Name | Allow retrieving the Microsoft Entra Kerberos Ticket Granting Ticket during logon |
+| Friendly Name | Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon |
 | Location | Computer Configuration |
 | Path | System > Kerberos |
 | Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters |
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@ -4,7 +4,7 @@ description: Learn more about the Power Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -450,7 +450,7 @@ This policy setting allows you to specify the period of inactivity before Window
 - If you disable or don't configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
 <!-- HibernateTimeoutOnBattery-Description-End -->
 <!-- HibernateTimeoutOnBattery-Editable-Begin -->
@ -510,7 +510,7 @@ This policy setting allows you to specify the period of inactivity before Window
 - If you disable or don't configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
 <!-- HibernateTimeoutPluggedIn-Description-End -->
 <!-- HibernateTimeoutPluggedIn-Editable-Begin -->
@ -1144,7 +1144,7 @@ This policy setting allows you to specify the period of inactivity before Window
 - If you disable or don't configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
 <!-- StandbyTimeoutOnBattery-Description-End -->
 <!-- StandbyTimeoutOnBattery-Editable-Begin -->
@ -1204,7 +1204,7 @@ This policy setting allows you to specify the period of inactivity before Window
 - If you disable or don't configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
 <!-- StandbyTimeoutPluggedIn-Description-End -->
 <!-- StandbyTimeoutPluggedIn-Editable-Begin -->
@ -1258,7 +1258,7 @@ If the user has configured a slide show to run on the lock screen when the machi
 <!-- TurnOffHybridSleepOnBattery-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting allows you to turn off hybrid sleep.
+This policy setting allows you to turn off Hybrid Sleep.
 - If you enable this policy setting, a hiberfile isn't generated when the system transitions to sleep (Stand By).
@ -1285,7 +1285,7 @@ This policy setting allows you to turn off hybrid sleep.
 | Value | Description |
 |:--|:--|
 | 0 (Default) | . |
-| 1 | Hybrid sleep. |
+| 1 | Hybrid Sleep. |
 <!-- TurnOffHybridSleepOnBattery-AllowedValues-End -->
 <!-- TurnOffHybridSleepOnBattery-GpMapping-Begin -->
@ -1325,7 +1325,7 @@ This policy setting allows you to turn off hybrid sleep.
 <!-- TurnOffHybridSleepPluggedIn-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting allows you to turn off hybrid sleep.
+This policy setting allows you to turn off Hybrid Sleep.
 - If you enable this policy setting, a hiberfile isn't generated when the system transitions to sleep (Stand By).
@ -1352,7 +1352,7 @@ This policy setting allows you to turn off hybrid sleep.
 | Value | Description |
 |:--|:--|
 | 0 (Default) | . |
-| 1 | Hybrid sleep. |
+| 1 | Hybrid Sleep. |
 <!-- TurnOffHybridSleepPluggedIn-AllowedValues-End -->
 <!-- TurnOffHybridSleepPluggedIn-GpMapping-Begin -->
@ -1398,7 +1398,7 @@ This policy setting allows you to specify the period of inactivity before Window
 - If you disable or don't configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
 <!-- UnattendedSleepTimeoutOnBattery-Description-End -->
 <!-- UnattendedSleepTimeoutOnBattery-Editable-Begin -->
@ -1459,7 +1459,7 @@ This policy setting allows you to specify the period of inactivity before Window
 - If you disable or don't configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
 <!-- UnattendedSleepTimeoutPluggedIn-Description-End -->
 <!-- UnattendedSleepTimeoutPluggedIn-Editable-Begin -->
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@ -4,7 +4,7 @@ description: Learn more about the Search Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -102,7 +102,7 @@ Allow search and Cortana to search cloud sources like OneDrive and SharePoint.
 <!-- AllowCortanaInAAD-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Allow the cortana opt-in page during windows setup out of the box experience.
+Allow the Cortana opt-in page during windows setup out of the box experience.
 <!-- AllowCortanaInAAD-Description-End -->
 <!-- AllowCortanaInAAD-Editable-Begin -->
@ -124,8 +124,8 @@ Allow the cortana opt-in page during windows setup out of the box experience.
 | Value | Description |
 |:--|:--|
-| 0 (Default) | Not allowed. The Cortana consent page won't appear in AAD OOBE during setup. |
+| 0 (Default) | Not allowed. The Cortana consent page won't appear in Microsoft Entra ID OOBE during setup. |
-| 1 | Allowed. The Cortana consent page will appear in Azure AAD OOBE during setup. |
+| 1 | Allowed. The Cortana consent page will appear in Azure Microsoft Entra ID OOBE during setup. |
 <!-- AllowCortanaInAAD-AllowedValues-End -->
 <!-- AllowCortanaInAAD-GpMapping-Begin -->
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@ -4,7 +4,7 @@ description: Learn more about the WindowsLogon Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 10/03/2023
+ms.date: 10/24/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -104,20 +104,20 @@ After enabling this policy, you can configure its settings through the ConfigAut
 <!-- ConfigAutomaticRestartSignOn-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting controls the configuration under which an automatic restart and sign on and lock occurs after a restart or cold boot. If you chose "Disabled" in the "Sign-in and lock last interactive user automatically after a restart" policy, then automatic sign on won't occur and this policy doesn't need to be configured.
+This policy setting controls the configuration under which an automatic restart and sign-on and lock occurs after a restart or cold boot. If you chose "Disabled" in the "Sign-in and lock last interactive user automatically after a restart" policy, then automatic sign-on won't occur and this policy doesn't need to be configured.
 - If you enable this policy setting, you can choose one of the following two options:
-1. "Enabled if BitLocker is on and not suspended" specifies that automatic sign on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device's hard drive at this time if BitLocker isn't on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components.
+1. "Enabled if BitLocker is on and not suspended" specifies that automatic sign-on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device's hard drive at this time if BitLocker isn't on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components.
 BitLocker is suspended during updates if:
 - The device doesn't have TPM 2.0 and PCR7, or
 - The device doesn't use a TPM-only protector.
-2. "Always Enabled" specifies that automatic sign on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker isn't enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location.
+2. "Always Enabled" specifies that automatic sign-on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker isn't enabled, personal data is accessible on the hard drive. Automatic restart and sign-on should only be run under this condition if you are confident that the configured device is in a secure physical location.
- If you disable or don't configure this setting, automatic sign on will default to the "Enabled if BitLocker is on and not suspended" behavior.
+- If you disable or don't configure this setting, automatic sign-on will default to the "Enabled if BitLocker is on and not suspended" behavior.
 <!-- ConfigAutomaticRestartSignOn-Description-End -->
 <!-- ConfigAutomaticRestartSignOn-Editable-Begin -->
@ -574,7 +574,7 @@ The locations that Switch User interface appear are in the Logon UI, the Start m
 <!-- OverrideShellProgram-Description-Begin -->
 <!-- Description-Source-DDF -->
-OverrideShellProgram policy allows IT admin to configure the shell program for Windows OS on a device. This policy has the highest precedence over other ways of configuring the shell program. The policy currently supports below options: 1. Not Configured: Default shell will be launched. 2. Apply Lightweight Shell: Lightweight shell doesn't have a user interface and helps the device to achieve better performance as the shell consumes limited resources over default shell. Lightweight shell contains a limited set of features, which could be consumed by applications. This configuration can be useful if the device needs to have a continuous running user interface application that would consume features offered by Lightweight shell. If you disable or don't configure this policy setting, then the default shell will be launched.
+OverrideShellProgram policy allows IT admin to configure the shell program for Windows OS on a device. This policy has the highest precedence over other ways of configuring the shell program. The policy currently supports below options: 1. Not Configured: Default shell will be launched. 2. Apply Lightweight Shell: Lightweight shell doesn't have a user interface and helps the device to achieve better performance as the shell consumes limited resources over default shell. Lightweight shell contains a limited set of features which could be consumed by applications. This configuration can be useful if the device needs to have a continuous running user interface application which would consume features offered by Lightweight shell. If you disable or don't configure this policy setting, then the default shell will be launched.
 <!-- OverrideShellProgram-Description-End -->
 <!-- OverrideShellProgram-Editable-Begin -->
--- a/windows/client-management/mdm/secureassessment-csp.md
+++ b/windows/client-management/mdm/secureassessment-csp.md
@ -4,7 +4,7 @@ description: Learn more about the SecureAssessment CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/23/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@ -327,7 +327,7 @@ Indicates if printing is required by the app.
 <!-- Device-TesterAccount-Description-Begin -->
 <!-- Description-Source-DDF -->
-The user name of the test taking account. To specify a domain account, use domain\user. To specify an AAD account, use username@tenant.com. To specify a local account, use the username.
+The user name of the test taking account. To specify a domain account, use domain\user. To specify a Microsoft Entra account, use username@tenant.com. To specify a local account, use the username.
 <!-- Device-TesterAccount-Description-End -->
 <!-- Device-TesterAccount-Editable-Begin -->
--- a/windows/deployment/customize-boot-image.md
+++ b/windows/deployment/customize-boot-image.md
@ -56,9 +56,9 @@ This walkthrough describes how to customize a Windows PE boot image including up
    For this walk-through, when the Windows ADK is installed, it's only necessary to install the **Deployment Tools**. Other products, such as Microsoft Configuration Manager and Microsoft Deployment Toolkit (MDT), may require additional features installed, such as the **User State Migration Tool (USMT)**.
-    One of the tools installed when installing the the **Deployment Tools** feature is the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option to run the commands in this walk-through, make sure to run the commands from an elevated **Deployment and Imaging Tools Environment** command prompt. The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**.
+    One of the tools installed when installing the **Deployment Tools** feature is the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option to run the commands in this walk-through, make sure to run the commands from an elevated **Deployment and Imaging Tools Environment** command prompt. The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**.
-    The paths in this article assume the Windows ADK was installed at the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed to a different location, then adjust the paths during the walk-through accordingly.
+    The paths in this article assume the Windows ADK was installed at the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed in a different location, then adjust the paths during the walk-through accordingly.
 1. Download and install the **Windows PE add-on for the Windows ADK** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). The **Windows PE add-on for the Windows ADK** is a separate download and install from the **Windows Assessment and Deployment Kit (Windows ADK)**. Make sure to individually download and install both.
@ -70,13 +70,13 @@ This walkthrough describes how to customize a Windows PE boot image including up
 >
 > - Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10. If using MDT, the recommendation is to instead use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version was the last version of the Windows ADK supported by MDT.
 >
-> - The latest versions of the **Windows PE add-on for the Windows ADK** only includes 64-bit boot images. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version of the Windows ADK was the last version to include both 32-bit and 64-bit boot images.
+> - The latest versions of the **Windows PE add-on for the Windows ADK** only includes a 64-bit boot image. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version of the Windows ADK was the last version to include both 32-bit and 64-bit boot images.
 ## Step 2: Download cumulative update (CU)
 1. Go to the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site and search for the latest cumulative update. The Windows version of the cumulative update should match the version of the Windows PE boot image that is being updated.
-1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"<year>-<month> cumulative update for windows <x>"` where `year` is the four digit current year, `<month>` is the two digit current month, and `<x>` is the version of Windows that Windows PE is based on. Make sure to include the quotes (`"`). For example, to search for the latest cumulative update for Windows 11 in August 2023, use the search term `"2023-08 cumulative update for windows 11"`, again making sure to include the quotes. If the cumulative update hasn't been released yet for the current month, then search on the previous month.
+1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"<year>-<month> cumulative update for windows <x>"` where `year` is the four-digit current year, `<month>` is the two-digit current month, and `<x>` is the version of Windows that Windows PE is based on. Make sure to include the quotes (`"`). For example, to search for the latest cumulative update for Windows 11 in August 2023, use the search term `"2023-08 cumulative update for Windows 11"`, again making sure to include the quotes. If the cumulative update hasn't been released yet for the current month, then search for the previous month.
 1. Once the cumulative update has been found, download the appropriate version for the version and architecture of Windows that matches the Windows PE boot image. For example, if the version of the Windows PE boot image is Windows 11 22H2 64-bit, then download the **Cumulative Update for Windows 11 Version 22H2 for x64-based Systems** version of the update.
@ -249,7 +249,7 @@ The cumulative update installed later in this walkthrough doesn't affect drivers
 > [!TIP]
 >
-> A full set of drivers is not needed in Windows PE boot images. Only a small subset of drivers is needed that provide basic functionality while in WinPE. In most cases, no drivers need to be added to an out of box Windows ADK boot image since it already has many drivers built in. Don't add drivers to a boot image until it is verified that they are needed. When drivers do need to be added, generally only network (NIC) drivers are needed. Occasionally, mass storage (disk) may also be needed. Some Surface devices may also need keyboard and mouse drivers.
+> A full set of drivers is not needed in Windows PE boot images. Only a small subset of drivers is needed that provides basic functionality while in WinPE. In most cases, no drivers need to be added to an out-of-box Windows ADK boot image since it already has many drivers built in. Don't add drivers to a boot image until it is verified that they are needed. When drivers do need to be added, generally only network (NIC) drivers are needed. Occasionally, mass storage (disk) may also be needed. Some Surface devices may also need keyboard and mouse drivers.
 > [!IMPORTANT]
 >
@ -304,9 +304,9 @@ The cumulative update installed later in this walkthrough doesn't affect drivers
    ---
-1. After adding an optional component to the boot image, make sure to also add the language specific component for that optional component.
+1. After adding an optional component to the boot image, make sure to also add the language-specific component for that optional component.
-    Not all optional components have the language specific component. However, for optional components that do have a language specific component, make sure that the language specific component is installed.
+    Not all optional components have the language-specific component. However, for optional components that do have a language-specific component, make sure that the language-specific component is installed.
    To check if an optional component has a language component, check the `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\<Language>\` directory to see if there's a matching language component for that optional component.
@ -507,7 +507,7 @@ DISM Package Manager: PID=<PID> TID=<TID> Failed while processing command add-pa
 ---
-The problem occurs when the WinPE boot image that is being serviced requires installation of a servicing stack update (SSU) before installation of the cumulative update (CU) can occur. The problem usually occurs when using older Windows ADKs and older versions of Windows PE. The suggested fix is to upgrade to the latest version of the Windows ADK and Windows PE. The latest versions of the Windows ADK and Windows PE most likely don't need a servicing stack update (SSU) installed before installing the cumulative update (CU).
+The problem occurs when the WinPE boot image that is being serviced requires the installation of a servicing stack update (SSU) before installation of the cumulative update (CU) can occur. The problem usually occurs when using older Windows ADKs and older versions of Windows PE. The suggested fix is to upgrade to the latest version of the Windows ADK and Windows PE. The latest versions of the Windows ADK and Windows PE most likely don't need a servicing stack update (SSU) installed before installing the cumulative update (CU).
 For scenarios where older versions of the Windows ADK and Windows PE need to be used, for example when using Microsoft Deployment Toolkit (MDT), the servicing stack update needs to be installed before installing the cumulative update. The servicing stack update (SSU) is contained within the cumulative update (CU). To obtain the servicing stack update (SSU) so that it can be applied, it can be extracted from the cumulative update (CU).
@ -515,7 +515,7 @@ The following steps outline how to extract and then install the servicing stack
 > [!IMPORTANT]
 >
-> These steps are only necessary if error `0x800f0823` occurs when installing the cumulative update (CU) to the boot image. If error `0x800f0823` didn't occur when installing the cumulative update (CU) to the boot image, then skip to the next step [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path)
+> These steps are only necessary if the error `0x800f0823` occurs when installing the cumulative update (CU) to the boot image. If error `0x800f0823` didn't occur when installing the cumulative update (CU) to the boot image, then skip to the next step [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path)
 1. Create a folder to extract the servicing stack update (SSU) into. For example, `C:\Updates\Extract`:
@ -627,7 +627,7 @@ For more information, see [Copy-Item](/powershell/module/microsoft.powershell.ma
 ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line)
-From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands also back up any existing bootmgr boot files its finds. When applicable, the commands need confirmation to overwrite any existing files:
+From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands also back up any existing bootmgr boot files it finds. When applicable, the commands need confirmation to overwrite any existing files:
 ```cmd
 copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.bak.efi"
@ -934,15 +934,15 @@ This process has the following advantages:
 1. Helps manage components in the boot image. The process doesn't need to know what components may need to be removed from the boot image each time the boot image is rebuilt. Instead, it just needs to know what components need to be added to the boot image.
-1. It reduces the size of the boot image that can occur when components are repeatedly added to and removed from the boot image.
+1. It reduces the size of the boot image which can occur when components are repeatedly added to and removed from the boot image.
 Configuration Manager updates the `boot.wim` boot image in two scenarios:
-1. When Configuration Manager is upgraded between version or a hotfix roll ups (HFRUs) is applied, `boot.wim` may be updated as part of the upgrade process.
+1. When Configuration Manager is upgraded between versions or a hotfix roll-up (HFRU) is applied, `boot.wim` may be updated as part of the upgrade process.
 1. When selecting the option **Reload this boot image with the current Windows PE version from the Windows ADK** in the **Update Distribution Points Wizard**.
-In theses scenarios, the `boot.wim` boot image is updated using the `winpe.wim` boot image from the Windows ADK as described earlier in this section. This process creates a new pristine copy of the `boot.wim` boot image using the current version of the `winpe.wim` boot image that is part of the Windows ADK.
+In these scenarios, the `boot.wim` boot image is updated using the `winpe.wim` boot image from the Windows ADK as described earlier in this section. This process creates a new pristine copy of the `boot.wim` boot image using the current version of the `winpe.wim` boot image that is part of the Windows ADK.
 ### Which boot image should be updated with the cumulative update?
@ -954,7 +954,7 @@ The `winpe.wim` boot image from the Windows ADK should be updated because if `bo
 >
 > Never manually update the `boot.<package_id>.wim` boot image. In addition to facing the same issues when manually updating the `boot.wim` boot image,  the `boot.<package_id>.wim` boot image will also face additional issues such as:
 >
-> - Any time any changes are done to the boot image, such as adding drivers, enabling the command prompt. etc, any manual changes done to the boot image, including the cumulative update, will be lost.
+> - Any time any changes are done to the boot image (adding drivers, enabling the command prompt, etc.), any manual changes done to the boot image, including the cumulative update, will be lost.
 >
 > - Manually changing the `boot.<package_id>.wim` boot image changes the hash value of the boot image. A change in the hash value of the boot image can lead to download failures when downloading the boot image from a distribution point.
@ -993,9 +993,9 @@ For a list of all available WinPE optional components including descriptions for
 After updating the `winpe.wim` boot image from the Windows ADK, generate a new `boot.wim` boot image for Configuration Manager so that it contains the cumulative update. A new `boot.wim` boot image can be generated by using the following steps:
-1. Open the Microsoft Configuration manager console.
+1. Open the Microsoft Configuration Manager console.
-1. In the Microsoft Configuration manager console, navigate to **Software Library** > **Overview** > **Operating Systems** > **Boot Images**.
+1. In the Microsoft Configuration Manager console, navigate to **Software Library** > **Overview** > **Operating Systems** > **Boot Images**.
 1. In the **Boot Images** pane, select the desired boot image.
@ -1011,11 +1011,11 @@ After updating the `winpe.wim` boot image from the Windows ADK, generate a new `
    1. Once the boot image finishes building, the **The task "Update Distribution Points Wizard" completed successfully**/**Completion** page appears. Select the **Close** button.
-This process updates the boot image used by Configuration Manager. It also updates the boot image and the bootmgr boot files used by any PXE enabled distribution points.
+This process updates the boot image used by Configuration Manager. It also updates the boot image and the bootmgr boot files used by any PXE-enabled distribution points.
 > [!IMPORTANT]
 >
-> If there are multiple boot images used in the environment for PXE enabled distribution points, make sure to update all of the PXE enabled boot images with the same cumulative update. This will ensure that the PXE enabled distribution points all use the version of the bootmgr boot files extracted from the boot images (if applicable).
+> If there are multiple boot images used in the environment for PXE-enabled distribution points, make sure to update all of the PXE-enabled boot images with the same cumulative update. This will ensure that the PXE-enabled distribution points all use the version of the bootmgr boot files extracted from the boot images (if applicable).
 ### Updating Configuration Manager boot media
--- a/windows/deployment/update/create-deployment-plan.md
+++ b/windows/deployment/update/create-deployment-plan.md
@ -18,9 +18,9 @@ ms.date: 12/31/2017
 # Create a deployment plan
-A "service management" mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once you use this process for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
+A "service management" mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. Once you use this process for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
-When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We've found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They're simply a method to separate devices into a deployment timeline.
+When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We've found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows clients are similar to the deployment groups most organizations constructed for previous major revision upgrades. They're simply a method to separate devices into a deployment timeline.
 At the highest level, each ring comprises a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
@ -43,10 +43,10 @@ There are no definite rules for exactly how many rings to have for your deployme
 ## Advancing between rings
-There are basically two strategies for moving deployments from one ring to the next. One is service-based, the other project based.
+There are basically two strategies for moving deployments from one ring to the next. One is service-based, the other project-based.
- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the "red button" to stop further distribution.
+- "Red button" (service-based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the "red button" to stop further distribution.
- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the "green button" to push the content to the next ring.
+- "Green button" (project-based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the "green button" to push the content to the next ring.
 When it comes to deployments, having manual steps in the process usually impedes update velocity. A "red button" strategy is better when that is your goal. 
@ -60,9 +60,9 @@ The purpose of the Preview ring is to evaluate the new features of the update. I
 ### Who goes in the Preview ring?
-The Preview ring users are the most tech savvy and resilient people, who won't lose productivity if something goes wrong. In general, these users are IT pros, and perhaps a few people in the business organization.
+The Preview ring users are the most tech-savvy and resilient people, who won't lose productivity if something goes wrong. In general, these users are IT pros, and perhaps a few people in the business organization.
-During your plan and prepare phases, you should focus on the following activities:
+During your plan and preparation phases, you should focus on the following activities:
 - Work with Windows Insider Preview builds.
 - Identify the features and functionality your organization can or wants to use.
@ -87,7 +87,7 @@ Analytics can help with defining a good Limited ring of representative devices a
 The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented. It's important that the people selected for this ring are using their devices regularly to generate the data you'll need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don't have the applications or device drivers that are truly a representative sample of your network.
-During your pilot and validate phases, you should focus on the following activities:
+During your pilot and validation phases, you should focus on the following activities:
 - Deploy new innovations.
 - Assess and act if issues are encountered.
@ -104,7 +104,7 @@ Once the devices in the Limited ring have had a sufficient stabilization period,
 In most businesses, the Broad ring includes the rest of your organization. Because of the work in the previous ring to vet stability and minimize disruption (with diagnostic data to support your decision), a broad deployment can occur relatively quickly.
 > [!NOTE]
-> In some instances, you might hold back on mission-critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows client feature updates to mission critical-devices.
+> In some instances, you might hold back on mission-critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows client feature updates to mission-critical devices.
 During the broad deployment phase, you should focus on the following activities:
--- a/windows/deployment/update/eval-infra-tools.md
+++ b/windows/deployment/update/eval-infra-tools.md
@ -11,22 +11,22 @@ ms.localizationpriority: medium
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-ms.date: 12/31/2017
+ms.date: 10/31/2023
 ---
 # Evaluate infrastructure and tools
-Before you deploy an update, it's best to assess your deployment infrastructure (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness.
+Before you deploy an update, assess your deployment infrastructure. For example, management systems like Configuration Manager, Microsoft Intune, or similar. Also assess current configurations such as security baselines, administrative templates, and policies that affect updates. Then set some criteria to define your operational readiness.
 ## Infrastructure
 Do your deployment tools need updates?
- If you use Configuration Manager, is it on the Current Branch with the latest release installed.? Being on this branch ensures that it supports the next Windows client feature update. Configuration Manager releases are supported for 18 months.
+- If you use Configuration Manager, is it on the current branch with the latest release installed? Being on this branch ensures that it supports the next Windows client feature update. Configuration Manager releases are supported for 18 months.
 - Using a cloud-based management tool like Microsoft Intune reduces support challenges, since no related products need to be updated.
 - If you use a non-Microsoft tool, check with its product support to make sure you're using the current version and that it supports the next Windows client feature update.
-Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered while doing so.
+Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered.
 ## Device settings
@ -36,35 +36,35 @@ Make sure your security baseline, administrative templates, and policies have th
 Keep security baselines current to help ensure that your environment is secure and that new security feature in the coming Windows client update are set properly.
- **Microsoft security baselines**: You should implement security baselines from Microsoft. They are included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them. 
+- **Microsoft security baselines**: You should implement security baselines from Microsoft. They're included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them.
- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows client you are about to deploy.
+- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows client you're about to deploy.
 ### Configuration updates
-There are a number of Windows policies (set by Group Policy, Intune, or other methods) that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. Check these policies to make sure they are set appropriately.
+There are several Windows policies that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. For example, policies set by group policy, Intune, or other methods. Check these policies to make sure they're set appropriately.
- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 11, version 22H2](https://www.microsoft.com/download/details.aspx?id=104593).
+- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 11, version 23H2](https://www.microsoft.com/download/details.aspx?id=105667).
 - **Policies for update compliance and end-user experience**: A number of settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones. 
 - **Policies for update compliance and end-user experience**: Several settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones.
 ## Define operational readiness criteria
-When you’ve deployed an update, you’ll need to make sure the update isn’t introducing new operational issues. And you’ll also ensure that if incidents arise, the needed documentation and processes are available. Work with your operations and support team to define acceptable trends and what documents or processes require updating:
+When you deploy an update, you need to make sure the update isn't introducing new operational issues. If incidents arise, make sure the needed documentation and processes are available. Work with your operations and support team to define acceptable trends and what documents or processes require updating:
 - **Call trend**: Define what percentage increase in calls relating to Windows client feature updates are acceptable or can be supported.
 - **Incident trend**: Define what percentage of increase in calls asking for support relating to Windows client feature updates are acceptable or can be supported.
 - **Support documentation**: Review supporting documentation that requires an update to support new infrastructure tooling or configuration as part of the Windows client feature update.
- **Process changes:** Define and update any processes that will change as a result of the Windows 10 feature update.
+- **Process changes:** Define and update any processes that will change as a result of the Windows feature update.
-Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get this information so you can gain the right insight. 
+Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get this information so you can gain the right insight.
 ## Tasks
 Finally, you can begin to carry out the work needed to ensure your infrastructure and configuration can support the update. To help you keep track, you can classify the work into the following overarching tasks:
- **Review infrastructure requirements**: Go over the details of requirements to support the update, and ensure they’ve all been defined.
+- **Review infrastructure requirements**: Go over the details of requirements to support the update, and ensure they've all been defined.
- **Validate infrastructure against requirements**: Compare your infrastructure against the requirements that have been identified for the update.
+- **Validate infrastructure against requirements**: Compare your infrastructure against the requirements that you identified for the update.
 - **Define infrastructure update plan**: Detail how your infrastructure must change to support the update.
- **Review current support volume**: Understand the current support volume to understand how much of an effect the update has when it’s been deployed.
+- **Review current support volume**: Understand the current support volume to understand how much of an effect the update has when you deploy it.
- **Identify gaps that require attention**: Identify issues that will need to be addressed to successfully deploy the update. For example, will your infrastructure engineer have to research how a new feature that comes with the update might affect the infrastructure?
+- **Identify gaps that require attention**: Identify issues that you'll need to address to successfully deploy the update. For example, will your infrastructure engineer have to research how a new feature that comes with the update might affect the infrastructure?
 - **Define operational update plan**: Detail how your operational services and processes must change to support the update.
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@ -14,7 +14,7 @@ ms.localizationpriority: medium
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-ms.date: 12/31/2017
+ms.date: 10/10/2023
 ---
 # Manage device restarts after updates
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@ -11,7 +11,7 @@ ms.localizationpriority: medium
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
-ms.date: 02/28/2023
+ms.date: 10/10/2023
 ---
 # Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
@ -39,7 +39,7 @@ You can control when updates are applied, for example by deferring when an updat
 Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device.
-To enable Microsoft Updates, use [Update/AllwMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice).
+To enable Microsoft Updates, use [Update/AllowMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice).
 Drivers are automatically enabled because they're beneficial to device systems. We recommend that you allow the driver policy to allow drivers to be updated on devices (the default), but you can turn off this setting if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use Update/[ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#update-excludewudriversinqualityupdate).
@ -136,7 +136,8 @@ We recommend that you use set specific deadlines for feature and quality updates
 - [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates) 
 - [Update/ConfigureDeadlineForQualityUpdates ](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) 
+- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod)
 - [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates)
 - [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot)
 These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@ -17,7 +17,7 @@ appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
-ms.date: 08/22/2023
+ms.date: 10/10/2023
 ---
 # Walkthrough: Use Group Policy to configure Windows Update for Business
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@ -12,36 +12,60 @@ manager: aaroncz
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
-ms.date: 05/12/2023
+ms.date: 10/10/2023
 ---
 # Enforcing compliance deadlines for updates
 Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions.
-With a current version, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and later: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as four separate settings:
+With a current version, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and later: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as separate settings:
- Update/ConfigureDeadlineForFeatureUpdates
+- [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates) 
- Update/ConfigureDeadlineForQualityUpdates
+- [Update/ConfigureDeadlineForQualityUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates)
- Update/ConfigureDeadlineGracePeriod
+- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod)
- Update/ConfigureDeadlineNoAutoReboot
+- [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates) (Windows 11, version 22H2 or later)
 - [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot)
-## Policy setting overview
+
 ## Policy setting overview for clients running Windows 11, version 22H2 and later
 |Policy| Description |
 |-|-|
 | Specify deadlines for automatic updates and restarts | This policy lets you specify the number of days before quality and feature updates are installed on devices automatically, and a grace period, after which required restarts occur automatically. This policy includes an option to opt out of automatic restarts until the end of the grace period is reached. |
 ### Suggested configurations for clients running Windows 11, version 22H2 and later
 | Policy | Location | Quality updates deadline in days | Quality updates grace period in days | Feature updates deadline in days | Feature updates grace period in days |
 |-|-|-|-|-|-|
 | Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 2 | 2 | 7 |
 When **Specify deadlines for automatic updates and restarts** is set:
 The deadline calculation for both quality and feature updates is based off the time the client's update scan initially discovered the update. Previously, the deadline was based off the release date of the update for quality updates and the reboot pending date for feature updates. The change for deadline calculation was made to improve the predictability of restart.
 The grace period for both quality and feature updates starts its countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, users are able to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose not to schedule restarts. Once the *effective deadline* is reached, the device tries to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.) Grace periods are useful for users who may be coming back from vacation, or other extended time away from their device, to ensure a forced reboot doesn't occur immediately after they return.
 > [!NOTE]
 > When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.
 ## Policy setting overview for clients running Windows 11, version 21H2 and earlier
 |Policy|Description |
 |-|-|
 | (Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | This policy includes a deadline and a configurable grace period with the option to opt out of automatic restarts until the deadline is reached. This is the recommended policy for Windows 10, version 1709 and later.|
-## Suggested configurations
+### Suggested configurations for clients running Windows 11, version 21H2 and earlier
 |Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days|
 |-|-|-|-|-|
-|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts    | 2 | 2 | 5 |
+|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts  | 2 | 7 | 2 |
 When **Specify deadlines for automatic updates and restarts** is set (Windows 10, version 1709 and later):
-For feature updates, the deadline and grace period start their countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, the device will try to update outside of active hours. Once the *effective deadline* is reached, the device will try to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.) 
+For feature updates, the deadline and grace period start their countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, the device tries to update outside of active hours. Once the *effective deadline* is reached, the device tries to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.) 
-For quality updates, the deadline countdown starts from the time the update is *offered* (not downloaded or installed). The grace period countdown starts from the time of the pending restart. The device will try to download and install the update at a time based on your other download and installation policies (the default is to automatically download and install in in the background). When the pending restart time is reached, the device will notify the user and try to update outside of active hours. Once the effective deadline is reached, the device will try to restart during active hours.
+For quality updates, the deadline countdown starts from the time the update is *offered* (not downloaded or installed). The grace period countdown starts from the time of the pending restart. The device tries to download and install the update at a time based on your other download and installation policies (the default is to automatically download and install in the background). When the pending restart time is reached, the device notifies the user and tries to update outside of active hours. Once the effective deadline is reached, the device tries to restart during active hours.
 > [!NOTE]
-> When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.
+> - When using the newer policy that contains **Feature updates grace period in days**, this setting is ignored by clients that are running Windows 11 version 21H2 and earlier. The grace period for quality updates is used for both quality updates and feature updates for these clients.
 > - When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@ -1,7 +1,7 @@
 ---
 title: Microsoft 365 Apps for enterprise
 description: This article explains how Windows Autopatch manages Microsoft 365 Apps for enterprise updates
-ms.date: 06/23/2023 
+ms.date: 10/27/2023 
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@ -81,7 +81,15 @@ Windows Autopatch doesn't allow you to pause or roll back an update in the Micro
 ## Allow or block Microsoft 365 App updates
-For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices. When the Microsoft 365 App update setting is set to **Block**, Windows Autopatch doesn't provide Microsoft 365 App updates on your behalf, and your organizations have full control over these updates. For example, you can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview).
+> [!IMPORTANT]
 > You must be an Intune Administrator to make changes to the setting.
 For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices.
 | Microsoft 365 App setting | Description |
 | ----- | ----- |
 | **Allow** | When set to **Allow**, Windows Autopatch moves all Autopatch managed devices to the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview) and manages updates automatically. To manage updates manually, set the Microsoft 365 App update setting to **Block**. |
 | **Block** | When set to **Block**, Windows Autopatch doesn't provide Microsoft 365 App updates on your behalf, and your organizations have full control over these updates. You can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). |
 **To allow or block Microsoft 365 App updates:**
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@ -1,7 +1,7 @@
 ---
 title: What's new 2023
 description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 10/19/2023 
+ms.date: 10/27/2023 
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: whats-new
@ -23,6 +23,12 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
 ## October 2023
 ### October feature releases or updates
 | Article | Description |
 | ----- | ----- |
 | [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls) | Added more information about the Allow setting in the [Microsoft 365 Apps for enterprise update controls](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls) section |
 ## October service release
 | Message center post number | Description |
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@ -15,19 +15,19 @@ metadata:
  author: paolomatarazzo
  ms.author: paoloma
  manager: aaroncz
-  ms.date: 09/26/2023
+  ms.date: 10/31/2023
 highlightedContent:
  items:
  - title: Get started with Windows 11
    itemType: get-started
    url: /windows/whats-new/windows-11-overview
-  - title: Windows 11, version 22H2
+  - title: Windows 11, version 23H2
    itemType: whats-new
-    url: /windows/whats-new/whats-new-windows-11-version-22H2
+    url: /windows/whats-new/whats-new-windows-11-version-23h2
-  - title: Windows 11, version 22H2 group policy settings reference 
+  - title: Windows 11, version 23H2 group policy settings reference
    itemType: download
-    url: https://www.microsoft.com/en-us/download/details.aspx?id=104594
+    url: https://www.microsoft.com/download/details.aspx?id=105668
  - title: Windows release health
    itemType: whats-new
    url: /windows/release-health
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@ -27,7 +27,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
 You can learn more about Windows functional and diagnostic data through these articles:
- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
 - [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
 - [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md)
 - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@ -27,7 +27,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
 You can learn more about Windows functional and diagnostic data through these articles:
- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
 - [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
 - [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md)
 - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@ -27,7 +27,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
 You can learn more about Windows functional and diagnostic data through these articles:
- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
 - [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
 - [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md)
 - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@ -26,7 +26,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
 You can learn more about Windows functional and diagnostic data through these articles:
- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
 - [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
 - [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md)
 - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
@ -28,7 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
 You can learn more about Windows functional and diagnostic data through these articles:
- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
 - [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
 - [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md)
 - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@ -75,7 +75,7 @@ Customers who use services that depend on Windows diagnostic data, such as [Micr
 > [!NOTE]
 > The information in this section applies to the following versions of Windows:
 > - Windows 10, versions 20H2, 21H2, 22H2, and newer
-> - Windows 11, versions 21H2, 22H2, and newer
+> - Windows 11, versions 21H2, 22H2, 23H2, and newer
 Previously, IT admins could use policies (for example, the “Allow commercial data pipeline” policy) at the individual device level to enroll devices in the Windows diagnostic data processor configuration.
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@ -336,7 +336,7 @@ Tenants with billing addresses in countries or regions in the Middle East and Af
 > [!NOTE]
 > The information in this section applies to the following versions of Windows:
 > - Windows 10, versions 20H2, 21H2, 22H2, and newer
-> - Windows 11, versions 21H2, 22H2, and newer
+> - Windows 11, versions 21H2, 22H2, 23H2, and newer
 Starting with the January 2023 preview cumulative update, how you enable the processor configuration option depends on the billing address of the Azure AD tenant to which your devices are joined.
--- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
+++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
@ -1,6 +1,6 @@
 ---
-description: Learn more about the Windows 11, version 22H2 diagnostic data gathered.
+description: Learn more about the diagnostic data gathered for Windows 11, versions 23H2 and 22H2.
-title: Required diagnostic events and fields for Windows 11, version 22H2
+title: Required diagnostic events and fields for Windows 11, versions 23H3 and 22H2
 keywords: privacy, telemetry
 ms.prod: windows-client
 ms.technology: itpro-privacy
@ -8,15 +8,15 @@ localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: laurawi
-ms.date: 09/26/2023
+ms.date: 10/31/2023
 ms.topic: reference
 ---
 # Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2
-# Required diagnostic events and fields for Windows 11, version 22H2
+**Applies to**
 **Applies to**
 - Windows 11, version 23H2
 - Windows 11, version 22H2
 Required diagnostic data gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store.
@ -199,13 +199,14 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
-This event sends blocking data about any compatibility blocking entries on the system that are not directly related to specific applications or devices, to help keep Windows up to date.
+This event sends blocking data about any compatibility blocking entries on the system that aren't directly related to specific applications or devices, to help keep Windows up to date.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 The following fields are available:
 - **AppraiserVersion**  The version of the appraiser file generating the events.
 - **SdbEntries**  Deprecated in RS3.
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
@ -221,13 +222,14 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
-This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that aren't keyed by either applications or devices, to help keep Windows up to date.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 The following fields are available:
 - **AppraiserVersion**  The version of the appraiser file generating the events.
 - **SdbEntries**  Deprecated in RS3.
 ### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
@ -239,6 +241,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
 The following fields are available:
 - **AppraiserVersion**  The version of the Appraiser file generating the events.
 - **SdbEntries**  Deprecated in RS3.
 ### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
@ -273,14 +276,14 @@ The following fields are available:
 - **AssociatedDriverWillNotMigrate**  Will the driver associated with this plug-and-play device migrate?
 - **BlockAssociatedDriver**  Should the driver associated with this PNP device be blocked?
 - **BlockingDevice**  Is this PNP device blocking upgrade?
- **BlockUpgradeIfDriverBlocked**  Is the PNP device both boot critical and does not have a driver included with the OS?
+- **BlockUpgradeIfDriverBlocked**  Is the PNP device both boot critical and doesn't have a driver included with the OS?
 - **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork**  Is this PNP device the only active network device?
 - **DisplayGenericMessage**  Will a generic message be shown during Setup for this PNP device?
 - **DisplayGenericMessageGated**  Indicates whether a generic message will be shown during Setup for this PNP device.
 - **DriverAvailableInbox**  Is a driver included with the operating system for this PNP device?
 - **DriverAvailableOnline**  Is there a driver for this PNP device on Windows Update?
 - **DriverAvailableUplevel**  Is there a driver on Windows Update or included with the operating system for this PNP device?
- **DriverBlockOverridden**  Is there is a driver block on the device that has been overridden?
+- **DriverBlockOverridden**  Is there a driver block on the device that has been overridden?
 - **NeedsDismissAction**  Will the user would need to dismiss a warning during Setup for this device?
 - **NotRegressed**  Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
 - **SdbDeviceBlockUpgrade**  Is there an SDB block on the PNP device that blocks upgrade?
@ -311,7 +314,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
-This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+This event sends compatibility decision data about blocking entries on the system that aren't keyed by either applications or devices, to help keep Windows up to date.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@ -350,7 +353,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
-This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+This event sends compatibility decision data about non-blocking entries on the system that aren't keyed by either applications or devices, to help keep Windows up to date.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@ -396,7 +399,7 @@ The following fields are available:
 - **NeedsInstallPostUpgradeData**  Will the file have a notification after upgrade to install a replacement for the app?
 - **NeedsNotifyPostUpgradeData**  Should a notification be shown for this file after upgrade?
 - **NeedsReinstallPostUpgradeData**  Will the file have a notification after upgrade to reinstall the app?
- **SdbReinstallUpgrade**  The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade).
+- **SdbReinstallUpgrade**  The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but isn't blocking upgrade).
 ### Microsoft.Windows.Appraiser.General.DecisionSModeStateAdd
@ -498,7 +501,7 @@ The following fields are available:
 - **BinaryType**  A binary type.  Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64.
 - **BinFileVersion**  An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
 - **BinProductVersion**  An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
- **BoeProgramId**  If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
+- **BoeProgramId**  If there's no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
 - **CompanyName**  The company name of the vendor who developed this file.
 - **FileId**  A hash that uniquely identifies a file.
 - **FileVersion**  The File version field from the file metadata under Properties -&gt; Details.
@ -939,10 +942,10 @@ The following fields are available:
 - **PCFP**  An ID for the system calculated by hashing hardware identifiers.
 - **PerfBackoff**  Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
 - **PerfBackoffInsurance**  Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
- **RunAppraiser**  Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
+- **RunAppraiser**  Indicates if Appraiser was set to run at all. If this if false, it's understood that data events won't be received from this device.
 - **RunDate**  The date that the diagnostic data run was stated, expressed as a filetime.
 - **RunGeneralTel**  Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
- **RunOnline**  Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
+- **RunOnline**  Indicates if appraiser was able to connect to Windows Update and therefore is making decisions using up-to-date driver coverage information.
 - **RunResult**  The hresult of the Appraiser diagnostic data run.
 - **ScheduledUploadDay**  The day scheduled for the upload.
 - **SendingUtc**  Indicates whether the Appraiser client is sending events during the current diagnostic data run.
@ -956,7 +959,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.WmdrmAdd
-This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
+This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data doesn't indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@ -968,7 +971,7 @@ The following fields are available:
 - **WmdrmApiResult**  Raw value of the API used to gather DRM state.
 - **WmdrmCdRipped**  Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs.
 - **WmdrmIndicators**  WmdrmCdRipped OR WmdrmPurchased.
- **WmdrmInUse**  WmdrmIndicators AND dismissible block in setup was not dismissed.
+- **WmdrmInUse**  WmdrmIndicators AND dismissible block in setup wasn't dismissed.
 - **WmdrmNonPermanent**  Indicates if the system has any files with non-permanent licenses.
 - **WmdrmPurchased**  Indicates if the system has any files with permanent licenses.
@ -995,7 +998,7 @@ The following fields are available:
 - **AzureOSIDPresent**  Represents the field used to identify an Azure machine.
 - **AzureVMType**  Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
 - **CDJType**  Represents the type of cloud domain joined for the machine.
- **CommercialId**  Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers.
+- **CommercialId**  Represents the GUID for the commercial entity that the device is a member of.  Will be used to reflect insights back to customers.
 - **ContainerType**  The type of container, such as process or virtual machine hosted.
 - **EnrollmentType**  Defines the type of MDM enrollment on the device.
 - **HashedDomain**  The hashed representation of the user domain used for login.
@ -1007,7 +1010,7 @@ The following fields are available:
 - **MDMServiceProvider**  A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device.
 - **MPNId**  Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
 - **SCCMClientId**  This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment.
- **ServerFeatures**  Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **ServerFeatures**  Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
 - **SystemCenterID**  The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
@ -1018,7 +1021,7 @@ This event sends data about the memory on the device, including ROM and RAM. The
 The following fields are available:
 - **TotalPhysicalRAM**  Represents the physical memory (in MB).
- **TotalVisibleMemory**  Represents the memory that is not reserved by the system.
+- **TotalVisibleMemory**  Represents the memory that isn't reserved by the system.
 ### Census.Network
@ -1028,8 +1031,8 @@ This event sends data about the mobile and cellular network used by the device (
 The following fields are available:
 - **CellularModemHWInstanceId0**  HardwareInstanceId of the embedded Mobile broadband modem, as reported and used by PnP system to identify the WWAN modem device in Windows system. Empty string (null string) indicates that this property is unknown for telemetry.
- **IMEI0**  Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **IMEI0**  Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft doesn't have access to mobile operator billing data so collecting this data doesn't expose or identify the user. The two fields represent phone with dual sim coverage.
- **IMEI1**  Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **IMEI1**  Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft doesn't have access to mobile operator billing data so collecting this data doesn't expose or identify the user. The two fields represent phone with dual sim coverage.
 - **MCC0**  Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
 - **MCC1**  Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
 - **MNC0**  Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
@ -1046,7 +1049,7 @@ The following fields are available:
 ### Census.OS
-This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device. The data collected with this event is used to help keep Windows secure and up to date.
+This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it's a virtual device. The data collected with this event is used to help keep Windows secure and up to date.
 The following fields are available:
@ -1063,7 +1066,7 @@ The following fields are available:
 - **IsPortableOperatingSystem**  Retrieves whether OS is running Windows-To-Go
 - **IsSecureBootEnabled**  Retrieves whether Boot chain is signed under UEFI.
 - **LanguagePacks**  The list of language packages installed on the device.
- **LicenseStateReason**  Retrieves why (or how) a system is licensed or unlicensed.  The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
+- **LicenseStateReason**  Retrieves why (or how) a system is licensed or unlicensed.  The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we're running an OS License granted by the MS store.
 - **OA3xOriginalProductKey**  Retrieves the License key stamped by the OEM to the machine.
 - **OSEdition**  Retrieves the version of the current OS.
 - **OSInstallType**  Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
@ -1080,7 +1083,7 @@ The following fields are available:
 - **ServiceMachinePort**  Retrieves the port of the KMS host used for anti-piracy.
 - **ServiceProductKeyID**  Retrieves the License key of the KMS
 - **SharedPCMode**  Returns Boolean for devices that have enabled the configuration EnableSharedPCMode.
- **Signature**  Retrieves if it is a signature machine sold by Microsoft store.
+- **Signature**  Retrieves if it's a signature machine sold by Microsoft store.
 - **SLICStatus**  Whether a SLIC table exists on the device.
 - **SLICVersion**  Returns OS type/version from SLIC table.
@ -1148,12 +1151,6 @@ The following fields are available:
 - **Language**  String containing the incompatible language pack detected.
 ### MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CodeIntegrityHvciSysprepHvciAlreadyEnabled
 This event fires when HVCI is already enabled so no need to continue auto-enablement.
 ## Common data extensions
 ### Common Data Extensions.app
@ -1192,7 +1189,7 @@ Describes the device-related fields.
 The following fields are available:
 - **deviceClass**  The device classification. For example, Desktop, Server, or Mobile.
- **localId**  A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
+- **localId**  A locally-defined unique ID for the device. This isn't the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
 - **make**  Device manufacturer.
 - **model**  Device model.
@ -1262,7 +1259,7 @@ The following fields are available:
 - **authId**  This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token.
 - **locale**  The language and region.
- **localId**  Represents a unique user identity that is created locally and added by the client. This is not the user's account ID.
+- **localId**  Represents a unique user identity that is created locally and added by the client. This isn't the user's account ID.
 ### Common Data Extensions.utc
@ -1285,7 +1282,7 @@ The following fields are available:
 - **popSample**  Represents the effective sample rate for this event at the time it was generated by a client.
 - **providerGuid**  The ETW provider ID associated with the provider name.
 - **raId**  Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
- **seq**  Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue.  The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **seq**  Represents the sequence field used to track absolute order of uploaded events. It's an incrementing identifier for each event added to the upload queue.  The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
 - **sqmId**  The Windows SQM (Software Quality Metrics—a precursor of Windows 10 Diagnostic Data collection) device identifier.
 - **stId**  Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
 - **wcmp**  The Windows Shell Composer ID.
@ -1316,6 +1313,7 @@ The following fields are available:
 - **uts**  A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
 - **xid**  A list of base10-encoded XBOX User IDs.
 ## Common data fields
 ### Ms.Device.DeviceInventoryChange
@ -1330,7 +1328,6 @@ The following fields are available:
 - **objectType**  Indicates the object type that the event applies to.
 - **syncId**  A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
 ## Component-based servicing events
 ### CbsServicingProvider.CbsCapabilitySessionFinalize
@ -1357,11 +1354,11 @@ The following fields are available:
 ### CbsServicingProvider.CbsLateAcquisition
-This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date.
+This event sends data to indicate if some Operating System packages couldn't be updated as part of an upgrade, to help keep Windows up to date.
 The following fields are available:
- **Features**  The list of feature packages that could not be updated.
+- **Features**  The list of feature packages that couldn't be updated.
 - **RetryID**  The ID identifying the retry attempt to update the listed packages.
@ -1440,12 +1437,12 @@ The following fields are available:
 ### TelClientSynthetic.AbnormalShutdown_0
-This event sends data about boot IDs for which a normal clean shutdown was not observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+This event sends data about boot IDs for which a normal clean shutdown wasn't observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
 The following fields are available:
 - **AbnormalShutdownBootId**  BootId of the abnormal shutdown being reported by this event.
- **AbsCausedbyAutoChk**  This flag is set when AutoCheck forces a device restart to indicate that the shutdown was not an abnormal shutdown.
+- **AbsCausedbyAutoChk**  This flag is set when AutoCheck forces a device restart to indicate that the shutdown wasn't an abnormal shutdown.
 - **AcDcStateAtLastShutdown**  Identifies if the device was on battery or plugged in.
 - **BatteryLevelAtLastShutdown**  The last recorded battery level.
 - **BatteryPercentageAtLastShutdown**  The battery percentage at the last shutdown.
@ -1486,7 +1483,7 @@ The following fields are available:
 - **PowerButtonPressLastPowerWatchdogStage**  Progress while the monitor is being turned on.
 - **PowerButtonPressPowerWatchdogArmed**  Indicates whether or not the watchdog for the monitor was active at the time of the last power button press.
 - **ShutdownDeviceType**  Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API.
- **SleepCheckpoint**  Provides the last checkpoint when there is a failure during a sleep transition.
+- **SleepCheckpoint**  Provides the last checkpoint when there's a failure during a sleep transition.
 - **SleepCheckpointSource**  Indicates whether the source is the EFI variable or bootstat file.
 - **SleepCheckpointStatus**  Indicates whether the checkpoint information is valid.
 - **StaleBootStatData**  Identifies if the data from bootstat is stale.
@ -1514,26 +1511,26 @@ The following fields are available:
 ### TelClientSynthetic.AuthorizationInfo_Startup
-This event is fired by UTC at startup to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+This event is fired by UTC at startup to signal what data we're allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
 The following fields are available:
 - **CanAddMsaToMsTelemetry**  True if we can add MSA PUID and CID to telemetry, false otherwise.
- **CanCollectAnyTelemetry**  True if we are allowed to collect partner telemetry, false otherwise.
+- **CanCollectAnyTelemetry**  True if we're allowed to collect partner telemetry, false otherwise.
- **CanCollectClearUserIds**  True if we are allowed to collect clear user IDs, false if we can only collect omitted IDs.
+- **CanCollectClearUserIds**  True if we're allowed to collect clear user IDs, false if we can only collect omitted IDs.
 - **CanCollectCoreTelemetry**  True if we can collect CORE/Basic telemetry, false otherwise.
 - **CanCollectHeartbeats**  True if we can collect heartbeat telemetry, false otherwise.
 - **CanCollectOsTelemetry**  True if we can collect diagnostic data telemetry, false otherwise.
 - **CanCollectWindowsAnalyticsEvents**  True if we can collect Windows Analytics data, false otherwise.
- **CanIncludeDeviceNameInDiagnosticData**  True if we are allowed to add the device name to diagnostic data, false otherwise.
+- **CanIncludeDeviceNameInDiagnosticData**  True if we're allowed to add the device name to diagnostic data, false otherwise.
 - **CanPerformDiagnosticEscalations**  True if we can perform diagnostic escalation collection, false otherwise.
 - **CanPerformSiufEscalations**  True if we can perform System Initiated User Feedback escalation collection, false otherwise.
 - **CanReportScenarios**  True if we can report scenario completions, false otherwise.
 - **CanReportUifEscalations**  True if we can perform User Initiated Feedback escalation collection, false otherwise.
 - **CanUseAuthenticatedProxy**  True if we can use an authenticated proxy to send data, false otherwise.
- **IsProcessorMode**  True if it is Processor Mode, false otherwise.
+- **IsProcessorMode**  True if it's Processor Mode, false otherwise.
 - **PreviousPermissions**  Bitmask of previous telemetry state.
- **TransitionFromEverythingOff**  True if we are transitioning from all telemetry being disabled, false otherwise.
+- **TransitionFromEverythingOff**  True if we're transitioning from all telemetry being disabled, false otherwise.
 ### TelClientSynthetic.ConnectivityHeartBeat_0
@ -1601,7 +1598,7 @@ The following fields are available:
 - **VortexHttpAttempts**  Number of attempts to contact Vortex.
 - **VortexHttpFailures4xx**  Number of 400-499 error codes received from Vortex.
 - **VortexHttpFailures5xx**  Number of 500-599 error codes received from Vortex.
- **VortexHttpResponseFailures**  Number of Vortex responses that are not 2XX or 400.
+- **VortexHttpResponseFailures**  Number of Vortex responses that aren't 2XX or 400.
 - **VortexHttpResponsesWithDroppedEvents**  Number of Vortex responses containing at least 1 dropped event.
@ -1625,7 +1622,7 @@ The following fields are available:
 ### Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd
-This event sends data about the driver installation once it is completed. The data collected with this event is used to help keep Windows up to date and performing properly.
+This event sends data about the driver installation once it's completed. The data collected with this event is used to help keep Windows up to date and performing properly.
 The following fields are available:
@ -1667,7 +1664,7 @@ The following fields are available:
 ### Microsoft.Windows.FaultReporting.AppCrashEvent
-This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event.
+This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It doesn't contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event.
 The following fields are available:
@ -1677,7 +1674,7 @@ The following fields are available:
 - **AppVersion**  The version of the app that has crashed.
 - **ExceptionCode**  The exception code returned by the process that has crashed.
 - **ExceptionOffset**  The address where the exception had occurred.
- **Flags**  Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
+- **Flags**  Flags indicating how reporting is done. For example, queue the report, don't offer JIT debugging, or don't terminate the process after reporting.
 - **FriendlyAppName**  The description of the app that has crashed, if different from the AppName. Otherwise, the process name.
 - **IsFatal**  True/False to indicate whether the crash resulted in process termination.
 - **ModName**  Exception module name (e.g. bar.dll).
@ -1731,7 +1728,7 @@ The following fields are available:
 ### Microsoft.Windows.HangReporting.AppHangEvent
-This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It doesn't contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
 The following fields are available:
@ -1750,13 +1747,38 @@ The following fields are available:
 - **TargetAsId**  The sequence number for the hanging process.
 - **TypeCode**  Bitmap describing the hang type.
 - **WaitingOnAppName**  If this is a cross process hang waiting for an application, this has the name of the application.
- **WaitingOnAppVersion**  If this is a cross process hang, this has the version of the application for which it is waiting.
+- **WaitingOnAppVersion**  If this is a cross process hang, this has the version of the application for which it's waiting.
- **WaitingOnPackageFullName**  If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
+- **WaitingOnPackageFullName**  If this is a cross process hang waiting for a package, this has the full name of the package for which it's waiting.
 - **WaitingOnPackageRelativeAppId**  If this is a cross process hang waiting for a package, this has the relative application id of the package.
 ## Holographic events
 ### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Entered
 This event sends data indicating the start of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
 The following fields are available:
 - **SessionID**  Unique value for each attempt.
 - **TargetAsId**  The sequence number for the process.
 - **windowInstanceId**  Unique value for each window instance.
 ### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Leave
 This event sends data indicating the end of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
 The following fields are available:
 - **EventHistory**  Unique number of event history.
 - **ExternalComponentState**  State of external component.
 - **LastEvent**  Unique number of last event.
 - **SessionID**  Unique value for each attempt.
 - **TargetAsId**  The sequence number for the process.
 - **windowInstanceId**  Unique value for each window instance.
 ### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicSpaceCreated
 This event indicates the state of Windows holographic scene. The data collected with this event is used to keep Windows performing properly.
@ -1821,7 +1843,7 @@ The following fields are available:
 ### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
-This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. The data collected with this event is used to keep Windows performing properly.
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they'll always represent a count of a given object. The data collected with this event is used to keep Windows performing properly.
 The following fields are available:
@ -2124,6 +2146,23 @@ The following fields are available:
 - **ServiceName**  The name of the driver or service attached to the device.
 ### Microsoft.Windows.Kernel.Power.AbnormalShutdown
 This event provides diagnostic information of the most recent abnormal shutdown.
 The following fields are available:
 - **BootEnvironment**  Errors from boot environment.
 - **BootStatValid**  Status of bootstat file.
 - **Bugcheck**  Bugcheck information.
 - **CrashDump**  Crash dump information.
 - **CurrentBootId**  ID of this boot.
 - **FirmwareReset**  System reset by firmware.
 - **LastShutdownBootId**  BootID of last shutdown.
 - **LongPowerButtonHold**  Long power button hold information.
 - **SystemStateTransition**  State transition information.
 - **Watchdog**  Watchdog information.
 ## Microsoft Edge events
 ### Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping
@ -2133,7 +2172,7 @@ This Ping event sends a detailed inventory of software and hardware information
 The following fields are available:
 - **appAp**  Any additional parameters for the specified application. Default: ''.
- **appAppId**  The GUID that identifies the product. Compatible clients must transmit this attribute. Please see the wiki for additional information. Default: undefined.
+- **appAppId**  The GUID that identifies the product. Compatible clients must transmit this attribute. Default: undefined.
 - **appBrandCode**  The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''.
 - **appChannel**  An integer indicating the channel of the installation (i.e. Canary or Dev).
 - **appClientId**  A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
@ -2141,15 +2180,15 @@ The following fields are available:
 - **appCohortHint**  A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
 - **appCohortName**  A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
 - **appConsentState**  Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
- **appDayOfInstall**  The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value is not known. Please see the wiki for additional information. Default: '-2'.
+- **appDayOfInstall**  The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Default: '-2'.
- **appExperiments**  A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client should not transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
+- **appExperiments**  A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client shouldn't transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
 - **appInstallTime**  The product install time in seconds. '0' if unknown. Default: '-1'.
 - **appInstallTimeDiffSec**  The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
 - **appLang**  The language of the product install, in IETF BCP 47 representation. Default: ''.
 - **appLastLaunchTime**  The time when browser was last launched.
- **appNextVersion**  The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'.
+- **appNextVersion**  The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'.
 - **appPingEventAppSize**  The total number of bytes of all downloaded packages. Default: '0'.
- **appPingEventDoneBeforeOOBEComplete**  Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply.
+- **appPingEventDoneBeforeOOBEComplete**  Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event wasn't completed before OOBE finishes; -1 means the field doesn't apply.
 - **appPingEventDownloadMetricsCdnCCC**  ISO 2 character country or region code that matches to the country or region updated binaries are delivered from. E.g.: US.
 - **appPingEventDownloadMetricsCdnCID**  Numeric value used to internally track the origins of the updated binaries. For example, 2.
 - **appPingEventDownloadMetricsDownloadedBytes**  For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
@ -2161,31 +2200,31 @@ The following fields are available:
 - **appPingEventDownloadMetricsUrl**  For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
 - **appPingEventDownloadTimeMs**  For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
 - **appPingEventErrorCode**  The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventEventResult**  An enum indicating the result of the event. Please see the wiki for additional information. Default: '0'.
+- **appPingEventEventResult**  An enum indicating the result of the event. Default: '0'.
- **appPingEventEventType**  An enum indicating the type of the event. Compatible clients MUST transmit this attribute. Please see the wiki for additional information.
+- **appPingEventEventType**  An enum indicating the type of the event. Compatible clients MUST transmit this attribute. 
 - **appPingEventExtraCode1**  Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
 - **appPingEventInstallTimeMs**  For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
 - **appPingEventNumBytesDownloaded**  The number of bytes downloaded for the specified application. Default: '0'.
- **appPingEventPackageCacheResult**  Whether there is an existing package cached in the system to update or install. 1 means that there's a cache hit under the expected key, 2 means there's a cache hit under a different key, 0 means that there's a cache miss. -1 means the field does not apply.
+- **appPingEventPackageCacheResult**  Whether there's an existing package cached in the system to update or install. 1 means that there's a cache hit under the expected key, 2 means there's a cache hit under a different key, 0 means that there's a cache miss. -1 means the field doesn't apply.
 - **appPingEventSequenceId**  An id that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event.
 - **appPingEventSourceUrlIndex**  For events representing a download, the position of the download URL in the list of URLs supplied by the server in a "urls" tag.
 - **appPingEventUpdateCheckTimeMs**  For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'.
 - **appReferralHash**  The hash of the referral code used to install the product. '0' if unknown. Default: '0'.
- **appUpdateCheckIsUpdateDisabled**  The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not.
+- **appUpdateCheckIsUpdateDisabled**  The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they haven't.
- **appUpdateCheckTargetVersionPrefix**  A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server should not return an update instruction to a version number that does not match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
+- **appUpdateCheckTargetVersionPrefix**  A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server shouldn't return an update instruction to a version number that doesn't match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
 - **appUpdateCheckTtToken**  An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''.
- **appVersion**  The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'.
+- **appVersion**  The version of the product install. Default: '0.0.0.0'.
 - **EventInfo.Level**  The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
- **eventType**  A string indicating the type of the event. Please see the wiki for additional information.
+- **eventType**  A string indicating the type of the event.
 - **expETag**  An identifier representing all service applied configurations and experiments when current update happens. Used for testing only.
 - **hwDiskType**  Device’s hardware disk type.
- **hwHasAvx**  '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware does not support the AVX instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasAvx**  '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware doesn't support the AVX instruction set. '-1' if unknown. Default: '-1'.
- **hwHasSse**  '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse**  '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware doesn't support the SSE instruction set. '-1' if unknown. Default: '-1'.
- **hwHasSse2**  '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse2**  '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware doesn't support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
- **hwHasSse3**  '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware does not support the SSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse3**  '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware doesn't support the SSE3 instruction set. '-1' if unknown. Default: '-1'.
- **hwHasSse41**  '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse41**  '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware doesn't support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'.
- **hwHasSse42**  '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware does not support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse42**  '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware doesn't support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'.
- **hwHasSsse3**  '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not support the SSSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSsse3**  '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware doesn't support the SSSE3 instruction set. '-1' if unknown. Default: '-1'.
 - **hwLogicalCpus**  Number of logical CPUs of the device.
 - **hwPhysmemory**  The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'.
 - **isMsftDomainJoined**  '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'.
@ -2206,26 +2245,10 @@ The following fields are available:
 - **requestRequestId**  A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha request. Each request attempt should have (with high probability) a unique request id. Default: ''.
 - **requestSessionCorrelationVectorBase**  A client generated random MS Correlation Vector base code used to correlate the update session with update and CDN servers. Default: ''.
 - **requestSessionId**  A randomly-generated (uniformly distributed) GUID. Each single update flow (e.g. update check, update application, event ping sequence) should have (with high probability) a single unique session ID. Default: ''.
- **requestTestSource**  Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and should not be counted toward normal metrics. Default: ''.
+- **requestTestSource**  Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and shouldn't be counted toward normal metrics. Default: ''.
 - **requestUid**  A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''.
 ### Microsoft.Edge.Crashpad.HangEvent
 This event sends simple Product and Service Performance data on a hanging/frozen Microsoft Edge browser process to help mitigate future instances of the hang.
 The following fields are available:
 - **app_name**  The name of the hanging process.
 - **app_session_guid**  Encodes the boot session, process, and process start time.
 - **app_version**  The version of the hanging process.
 - **client_id_hash**  Hash of the browser client id to help identify the installation.
 - **etag**  Identifier to help identify running browser experiments.
 - **hang_source**  Identifies how the hang was detected.
 - **process_type**  The type of the hanging browser process, for example, gpu-process, renderer, etc.
 - **stack_hash**  A hash of the hanging stack. Currently not used or set to zero.
 ## OneSettings events
 ### Microsoft.Windows.OneSettingsClient.Status
@ -2242,7 +2265,7 @@ The following fields are available:
 ### Microsoft.Windows.Shell.Oobe.ZDP.ZdpTaskCancelled
-This event is the result of an attempt to cancel ZDP task.
+This event is the result of an attempt to cancel ZDP task
 The following fields are available:
@ -2252,30 +2275,20 @@ The following fields are available:
 ## Other events
-### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Entered
+### Microsoft.Edge.Crashpad.HangEvent
-This event sends data indicating the start of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
+This event sends simple Product and Service Performance data on a hanging/frozen Microsoft Edge browser process to help mitigate future instances of the hang.
 The following fields are available:
- **SessionID**  Unique value for each attempt.
+- **app_name**  The name of the hanging process.
- **TargetAsId**  The sequence number for the process.
+- **app_session_guid**  Encodes the boot session, process, and process start time.
- **windowInstanceId**  Unique value for each window instance.
+- **app_version**  The version of the hanging process.
-
+- **client_id_hash**  Hash of the browser client id to help identify the installation.
-
+- **etag**  Identifier to help identify running browser experiments.
-### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Leave
+- **hang_source**  Identifies how the hang was detected.
-
+- **process_type**  The type of the hanging browser process, for example, gpu-process, renderer, etc.
-This event sends data indicating the end of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
+- **stack_hash**  A hash of the hanging stack. Currently not used or set to zero.
 The following fields are available:
 - **EventHistory**  Unique number of event history.
 - **ExternalComponentState**  State of external component.
 - **LastEvent**  Unique number of last event.
 - **SessionID**  Unique value for each attempt.
 - **TargetAsId**  The sequence number for the process.
 - **windowInstanceId**  Unique value for each window instance.
 ### Microsoft.Windows.Defender.Engine.Maps.Heartbeat
@ -2302,6 +2315,77 @@ The following fields are available:
 - **SignatureRing**  Signature ring used for deployments
 - **SigVersion**  Version of signature VDMs
 ### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState
 This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date.
 The following fields are available:
 - **CV**  The correlation vector.
 - **GlobalEventCounter**  The global event counter for all telemetry on the device.
 - **UpdateAssistantStateDownloading**  True at the start Downloading.
 - **UpdateAssistantStateInitializingApplication**  True at the start of the state InitializingApplication.
 - **UpdateAssistantStateInitializingStates**  True at the start of InitializingStates.
 - **UpdateAssistantStateInstalling**  True at the start of Installing.
 - **UpdateAssistantStatePostInstall**  True at the start of PostInstall.
 - **UpdateAssistantVersion**  Current package version of UpdateAssistant.
 ### MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CodeIntegrityHvciSysprepHvciAlreadyEnabled
 This event fires when HVCI is already enabled so no need to continue auto-enablement.
 ### ShellWNSRegistration.SLSChannelRegistrationFailed
 This event is logged when the upload of a channel URI to the SLS service fails.
 The following fields are available:
 - **baseData**  JSON blob.
 - **baseType**  PartB schema type.
 - **RetryAttempt**  The retry attempt number for attempting to open and register the channel.
 - **RetryTimeInMilliseconds**  The amount of time taken to retry the channel request in milliseconds.
 ### ShellWNSRegistration.SLSChannelRegistrationSuccess
 This event is logged when a channel URI is successfully uploaded to the SLS service.
 The following fields are available:
 - **RegistrationPayload**  JSON payload containing Channel Uri and other data uploaded to SLS.
 - **RetryAttempts**  The retry attempt number for attempting to open and register the channel.
 - **RetryTimeInMilliseconds**  The amount of time taken to retry the channel request in milliseconds.
 - **TitleId**  TitleId for which channel is uploaded.
 ### ShellWNSRegistration.WNSChannelRequestFailed
 This event is logged when a Channel Request fails. Contains error code and AppUserModelId for which channel was requested.
 The following fields are available:
 - **baseData**  JSON blob.
 - **baseType**  PartB schema type.
 - **RetryAttempt**  The retry attempt number for attempting to open and register the channel.
 - **RetryTimeInMilliseconds**  The amount of time taken to retry the channel request in milliseconds.
 ### ShellWNSRegistration.WNSChannelRequestSuccess
 This event is triggered immediately following the completion of a Channel Request API call. Contains channel URI and AppUserModelId for which channel was requested.
 The following fields are available:
 - **AppUserModelId**  Unique identifier for app requesting a channel.
 - **ChannelUri**  Channel URI returned by WNS.
 - **RetryAttempt**  The retry attempt number for attempting to open and register the channel.
 - **RetryTimeInMilliseconds**  The amount of time taken to retry the channel request in milliseconds.
 ## Privacy consent logging events
 ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
@ -2320,13 +2404,13 @@ The following fields are available:
 ### Microsoft.Windows.Setup.WinSetupMon.ProtectionViolation
-This event provides information about move or deletion of a file or a directory which is being monitored for data safety during feature updates. The data collected with this event is used to help keep Windows up to date.
+This event provides information about move or deletion of a file or a directory that is being monitored for data safety during feature updates. The data collected with this event is used to help keep Windows up to date.
 The following fields are available:
- **Path**  Path to the file or the directory which is being moved or deleted.
+- **Path**  Path to the file or the directory that is being moved or deleted.
- **Process**  Path to the process which is requesting the move or the deletion.
+- **Process**  Path to the process that is requesting the move or the deletion.
- **SessionId**  Identifier to correlate this component's telemetry with that of others.
+- **SessionId**   Identifier to correlate this component's telemetry with that of others.
 - **TargetPath**  (Optional) If the operation is a move, the target path to which the file or directory is being moved.
@ -2337,7 +2421,7 @@ Provides details about error in the functioning of upgrade data safety monitorin
 The following fields are available:
 - **Message**  Text string describing the error condition.
- **SessionId**  Identifier to correlate this component's telemetry with that of others.
+- **SessionId** Identifier to correlate this component's telemetry with that of others.
 - **Status**  	NTSTATUS code related to the error.
@ -2526,24 +2610,6 @@ The following fields are available:
 - **UpdateAttempted**  Indicates if installation of the current update has been attempted before.
 ## Update Assistant events
 ### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState
 This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date.
 The following fields are available:
 - **CV**  The correlation vector.
 - **GlobalEventCounter**  The global event counter for all telemetry on the device.
 - **UpdateAssistantStateDownloading**  True at the start Downloading.
 - **UpdateAssistantStateInitializingApplication**  True at the start of the state InitializingApplication.
 - **UpdateAssistantStateInitializingStates**  True at the start of InitializingStates.
 - **UpdateAssistantStateInstalling**  True at the start of Installing.
 - **UpdateAssistantStatePostInstall**  True at the start of PostInstall.
 - **UpdateAssistantVersion**  Current package version of UpdateAssistant.
 ## Update events
 ### Update360Telemetry.FellBackToDownloadingAllPackageFiles
@ -2695,7 +2761,7 @@ The following fields are available:
 ### Update360Telemetry.UpdateAgentMitigationSummary
-This event sends a summary of all the update agent mitigations available for an this update. The data collected with this event is used to help keep Windows secure and up to date.
+This event sends a summary of all the update agent mitigations available for an update. The data collected with this event is used to help keep Windows secure and up to date.
 The following fields are available:
@ -2755,7 +2821,7 @@ The following fields are available:
 - **FlightId**  Unique ID for the flight (test instance version).
 - **IsSuspendable**  Indicates whether the update has the ability to be suspended and resumed at the time of reboot. When the machine is rebooted and the update is in middle of Predownload or Install and Setup.exe is running, this field is TRUE, if not its FALSE.
 - **ObjectId**  The unique value for each Update Agent mode.
- **Reason**  Indicates the HResult why the machine could not be suspended. If it is successfully suspended, the result is 0.
+- **Reason**  Indicates the HResult why the machine couldn't be suspended. If it's successfully suspended, the result is 0.
 - **RelatedCV**  The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
 - **ScenarioId**  The ID of the update scenario.
 - **SessionId**  The ID of the update attempt.
@ -2804,7 +2870,7 @@ The following fields are available:
 - **Setup360Result**  The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
 - **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
 - **TestId**  ID that uniquely identifies a group of events.
 - **WuId**  This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@ -2826,7 +2892,7 @@ The following fields are available:
 - **Setup360Result**  The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
 - **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
 - **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
- **State**  Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State**  Exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
 - **TestId**  ID that uniquely identifies a group of events.
 - **WuId**  Windows Update client ID.
@ -2848,7 +2914,7 @@ The following fields are available:
 - **Setup360Result**  The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
 - **Setup360Scenario**  The Setup360 flow type, Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
 - **TestId**  A string to uniquely identify a group of events.
 - **WuId**  Windows Update client ID.
@ -2930,7 +2996,7 @@ The following fields are available:
 - **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
 - **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
 - **TestId**  A string to uniquely identify a group of events.
 - **WuId**  This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@ -2977,8 +3043,8 @@ The following fields are available:
 - **remediationSummary**  Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on.
 - **usingBackupFeatureAssessment**  Relying on backup feature assessment.
 - **usingBackupQualityAssessment**  Relying on backup quality assessment.
- **usingCachedFeatureAssessment**  WaaS Medic run did not get OS build age from the network on the previous run.
+- **usingCachedFeatureAssessment**  WaaS Medic run didn't get OS build age from the network on the previous run.
- **usingCachedQualityAssessment**  WaaS Medic run did not get OS revision age from the network on the previous run.
+- **usingCachedQualityAssessment**  WaaS Medic run didn't get OS revision age from the network on the previous run.
 - **uusVersion**  The version of the UUS package.
 - **versionString**  Version of the WaaSMedic engine.
 - **waasMedicRunMode**  Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter.
@ -3120,7 +3186,7 @@ The following fields are available:
 ### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
-This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure.
+This event is sent after searching for update packages to install. It's used to help keep Windows up-to-date and secure.
 The following fields are available:
@ -3225,7 +3291,7 @@ The following fields are available:
 ### Microsoft.Windows.StoreAgent.Telemetry.StateTransition
-Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there is a change in a product's fulfillment status (pending, working, paused, cancelled, or complete), to help keep Windows up to date and secure.
+Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there's a change in a product's fulfillment status (pending, working, paused, canceled, or complete), to help keep Windows up to date and secure.
 The following fields are available:
@ -3348,12 +3414,12 @@ The following fields are available:
 ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary
-This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario that is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
 The following fields are available:
 - **activated**  Whether the entire device manifest update is considered activated and in use.
- **analysisErrorCount**  The number of driver packages that could not be analyzed because errors occurred during analysis.
+- **analysisErrorCount**  The number of driver packages that couldn't be analyzed because errors occurred during analysis.
 - **flightId**  Unique ID for each flight.
 - **missingDriverCount**  The number of driver packages delivered by the device manifest that are missing from the system.
 - **missingUpdateCount**  The number of updates in the device manifest that are missing from the system.
@ -3364,8 +3430,8 @@ The following fields are available:
 - **sessionId**  Unique value for each update session.
 - **summary**  A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match.
 - **summaryAppendError**  A Boolean indicating if there was an error appending more information to the summary string.
- **truncatedDeviceCount**  The number of devices missing from the summary string because there is not enough room in the string.
+- **truncatedDeviceCount**  The number of devices missing from the summary string because there isn't enough room in the string.
- **truncatedDriverCount**  The number of driver packages missing from the summary string because there is not enough room in the string.
+- **truncatedDriverCount**  The number of driver packages missing from the summary string because there isn't enough room in the string.
 - **unpublishedCount**  How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices.
 - **updateId**  The unique ID for each update.
@ -3506,12 +3572,12 @@ This event is fired when the Download stage is paused.
 The following fields are available:
- **BundleId**  Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleId**  Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
 - **CallerName**  Name of application making the Windows Update request. Used to identify context of request.
 - **ClassificationId**  Classification identifier of the update content.
 - **DownloadPriority**  Indicates the priority of the download activity.
 - **EventType**  Indicates the purpose of the event - whether because scan started, succeeded, failed, etc.
- **FlightId**  Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FlightId**  Secondary status code for certain scenarios where StatusCode wasn't specific enough.
 - **HandlerInfo**  Blob of Handler related information.
 - **HandlerType**  Indicates the kind of content (app, driver, windows patch, etc.).
 - **Props**  Commit Props {MergedUpdate}
@ -3524,13 +3590,11 @@ The following fields are available:
 ### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegrityGeneral
-Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack
+Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack.
 The following fields are available:
 - **CallerName**  Name of the application making the Windows Update Request. Used to identify context of the request.
 - **EndpointUrl**  Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack.
- **ExtendedStatusCode**  Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **ExtendedStatusCode**  Secondary status code for certain scenarios where StatusCode wasn't specific enough.
 - **MetadataIntegrityMode**  Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
 - **RawMode**  Raw unparsed mode string from the SLS response. May be null if not applicable.
 - **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
--- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
+++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
@ -28,7 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
 You can learn more about Windows functional and diagnostic data through these articles:
- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
 - [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md)
 - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
 - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@ -32,7 +32,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
 You can learn more about Windows functional and diagnostic data through these articles:
- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
 - [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
 - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
 - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
--- a/windows/privacy/toc.yml
+++ b/windows/privacy/toc.yml
@ -15,7 +15,7 @@
          href: Microsoft-DiagnosticDataViewer.md
    - name: Required Windows diagnostic data events and fields
      items: 
-        - name: Windows 11, version 22H2
+        - name: Windows 11, versions 23H2 and 22H2
          href: required-diagnostic-events-fields-windows-11-22H2.md
        - name: Windows 11, version 21H2
          href: required-windows-11-diagnostic-events-and-fields.md
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@ -15,6 +15,7 @@ ms.topic: reference
 # Windows 10, version 1709 and later and Windows 11 optional diagnostic data
 Applies to:
 - Windows 11, version 23H2
 - Windows 11, version 22H2
 - Windows 11, version 21H2
 - Windows 10, version 22H2
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
@ -47,6 +47,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
 | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator.<br/> NOTE: This option is only supported on Windows 10, version 1903 and later, or Windows Server 2022 and later. | Yes |
 | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries.<br/> NOTE: This option is only supported on Windows 10, version 1803 and later, or Windows Server 2019 and later. | No |
 | **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with revoked certificates, or expired certificates with the Lifetime Signing EKU on the signature, as "Unsigned binaries" for user-mode process/components, under enterprise signing scenarios. | No |
 | **Enabled:Developer Mode Dynamic Code Trust** | Use this option to trust UWP apps that are [debugged in Visual Studio](/visualstudio/debugger/run-windows-store-apps-on-a-remote-machine) or deployed through device portal when Developer Mode is enabled on the system. | No |
 ## Windows Defender Application Control file rule levels
--- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
@ -49,8 +49,6 @@ To enable memory integrity on Windows devices with supporting hardware throughou
 Beginning with Windows 11 22H2, **Windows Security** shows a warning if memory integrity is turned off. The warning indicator also appears on the Windows Security icon in the Windows Taskbar and in the Windows Notification Center. The user can dismiss the warning from within **Windows Security**.
 To proactively dismiss the memory integrity warning, you can set the **Hardware_HVCI_Off** (DWORD) registry value under `HKLM\SOFTWARE\Microsoft\Windows Security Health\State` to 0. After you change the registry value, you must restart the device for the change to take effect.
 ### Enable memory integrity using Intune
 Enabling in Intune requires using the Code Integrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology). You can configure these settings by using the [settings catalog](/mem/intune/configuration/settings-catalog).
--- a/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
@ -1,8 +1,8 @@
 ---
-title: How a Windows Defender System Guard helps protect Windows
+title: How Windows Defender System Guard helps protect Windows
-description: Windows Defender System Guard reorganizes the existing Windows system integrity features under one roof. Learn how it works.
+description: Learn how Windows Defender System Guard reorganizes the existing Windows system integrity features under one roof.
 ms.localizationpriority: medium
-ms.date: 03/01/2019
+ms.date: 10/25/2023
 ms.topic: conceptual
 ---
@ -19,15 +19,11 @@ Windows Defender System Guard reorganizes the existing Windows system integrity
 ### Static Root of Trust for Measurement (SRTM)
-With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system.
+With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
 This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
-With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader.
+With Windows 10 running on modern hardware, a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the device's Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).
 This hardware-based root of trust comes from the device's Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI).
 This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).
-As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup.
+As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup. Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blocklist), or a list of known 'good' SRTM measurements (also known as an allowlist).
 Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blocklist), or a list of known 'good' SRTM measurements (also known as an allowlist).
 Each option has a drawback:
@ -37,9 +33,7 @@ Also, a bug fix for UEFI code can take a long time to design, build, retest, val
 ### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM)
-[Windows Defender System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM).
+[Windows Defender System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
 DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path.
 This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
 ![System Guard Secure Launch.](images/system-guard-secure-launch.png)
@ -47,9 +41,7 @@ Secure Launch simplifies management of SRTM measurements because the launch code
 ### System Management Mode (SMM) protection
-System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful.
+System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful. Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor.
 Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS.
 SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor.
 To defend against this, two techniques are used:
@ -60,14 +52,13 @@ Paging protection can be implemented to lock certain code tables to be read-only
 A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it doesn't access any part of the address space that it isn't supposed to.
-SMM protection is built on top of the Secure Launch technology and requires it to function.
+SMM protection is built on top of the Secure Launch technology and requires it to function. In the future, Windows 10 will also measure this SMI Handler's behavior and attest that no OS-owned memory has been tampered with.
 In the future, Windows 10 will also measure this SMI Handler's behavior and attest that no OS-owned memory has been tampered with.
 ## Validating platform integrity after Windows is running (run time)
 While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We can trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. For platform integrity, we can't just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device's integrity.
-As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device's Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch won't support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data isn't subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device's firmware, hardware configuration state, and Windows boot-related components, just to name a few.
+As Windows boots, a series of integrity measurements are taken by Windows Defender System Guard using the device's Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch doesn't support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data isn't subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device's firmware, hardware configuration state, and Windows boot-related components, to name a few.
 ![Boot time integrity.](images/windows-defender-system-guard-boot-time-integrity.png)
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@ -190,7 +190,7 @@ sections:
          Windows Hello for Business is two-factor authentication based on the observed authentication factors of: *something you have*, *something you know*, and *something that's part of you*. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
          > [!NOTE]
-          > The Windows Hello for Business key meets Azure AD multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
+          > The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
      - question: Which is a better or more secure for of authentication, key or certificate?
        answer: |
          Both types of authentication provide the same security; one is not more secure than the other.
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@ -31,7 +31,7 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
 ## Microsoft Entra join authentication to Active Directory using cloud Kerberos trust
-![Microsoft Entra join authentication to Azure AD.](images/howitworks/auth-aadj-cloudtrust-kerb.png)
+![Microsoft Entra join authentication to Active Directory.](images/howitworks/auth-aadj-cloudtrust-kerb.png)
 | Phase  | Description  |
 | :----: | :----------- |
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@ -42,7 +42,7 @@ Hybrid Windows Hello for Business needs two directories:
 - An on-premises Active Directory
 - A Microsoft Entra tenant
-The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Azure AD.\
+The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.\
 During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Microsoft Entra ID. *Microsoft Entra Connect Sync* synchronizes the Windows Hello for Business public key to Active Directory.
 > [!NOTE]
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@ -411,7 +411,7 @@ The following smart card-related Group Policy settings are in Computer Configura
 | Group Policy setting and registry key    |  Default   | Description   |
 |------------------------------------------|------------|---------------|
-| Interactive logon: Require smart card<br><br>**scforceoption**   |  Disabled        | This security policy setting requires users to sign in to a computer by using a smart card.<br><br>**Enabled**  Users can sign in to the computer only by using a smart card.<br>**Disabled**  Users can sign in to the computer by using any method.         |
+| Interactive logon: Require smart card<br><br>**scforceoption**   |  Disabled        | This security policy setting requires users to sign in to a computer by using a smart card.<br><br>**Enabled**  Users can sign in to the computer only by using a smart card.<br>**Disabled**  Users can sign in to the computer by using any method.<br><br>NOTE: the Windows LAPS-managed local account is exempted from this policy when Enabled. For more information see [Windows LAPS integration with smart card policy](/windows-server/identity/laps/laps-concepts#windows-laps-integration-with-smart-card-policy).<br>         |
 | Interactive logon: Smart card removal behavior<br><br>**scremoveoption** | This policy setting isn't defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:<br>**No Action**<br>**Lock Workstation**: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session.<br>**Force Logoff**: The user is automatically signed out when the smart card is removed.<br>**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.<br><br>**Note**: In earlier versions of Windows Server, Remote Desktop Services was called Terminal Services.  |
 From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential delegation for local or domain computers.
--- a/windows/security/identity-protection/web-sign-in/index.md
+++ b/windows/security/identity-protection/web-sign-in/index.md
@ -25,7 +25,7 @@ This article describes how to configure Web sign-in and the supported key scenar
 To use web sign-in, the clients must meet the following prerequisites:
 - Windows 11, version 22H2 with [5030310][KB-1], or later
- Must be Microsoft Entra joined
+- Must be [Microsoft Entra joined](/entra/identity/devices/concept-directory-join)
 - Must have Internet connectivity, as the authentication is done over the Internet
 [!INCLUDE [federated-sign-in](../../../../includes/licensing/web-sign-in.md)]
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
@ -3,66 +3,69 @@ title: Get support for security baselines
 description: Find answers to frequently asked question on how to get support for baselines, the Security Compliance Toolkit (SCT), and related articles.
 ms.localizationpriority: medium
 ms.topic: conceptual
-ms.date: 07/11/2023
+ms.date: 10/31/2023
 ---
 # Get Support
-**What is the Microsoft Security Compliance Manager (SCM)?**
+## Frequently asked questions
 ### What is the Microsoft Security Compliance Manager (SCM)?
 The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we've moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO Backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy.
 More information about this change can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures).
-**Where can I get an older version of a Windows baseline?**
+### Where can I get an older version of a Windows baseline?
-Any version of Windows baseline before Windows 10 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
+Any version of Windows baseline before Windows 10, version 1703, can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
 - [SCM 4.0 Download](/previous-versions/tn-archive/cc936627(v=technet.10))
 - [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
 - [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
 - [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
-**What file formats are supported by the new SCT?**
+### What file formats are supported by the new SCT?
-The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' .cab files are no longer supported.
+The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' `.cab` files are no longer supported.
-**Does SCT support Desired State Configuration (DSC) file format?**
+### Does SCT support Desired State Configuration (DSC) file format?
 No. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration.
-**Does SCT support the creation of Microsoft Configuration Manager DCM packs?**
+### Does SCT support the creation of Microsoft Configuration Manager DCM packs?
-No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). A tool that supports conversion of GPO Backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement).
+No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). For a tool that supports conversion of GPO Backups to DSC format, see [BaselineManagement](https://github.com/Microsoft/BaselineManagement).
-**Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?**
+### Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?
 No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new toolkit likewise doesn't include SCAP support.
-## Version Matrix
+## Version matrix
-**Client Versions**:
+### Client versions
-| Name | Build | Baseline Release Date | Security Tools |
+| Name | Build | Baseline release date | Security tools |
 |--|--|--|--|
 | Windows 11 | [23H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-23h2-security-baseline/ba-p/3967618) <br> | October 2023<br> | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
 | Windows 11 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520) <br> | September 2022<br> | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
 | Windows 10 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-10-version-22h2-security-baseline/ba-p/3655724) <br> [21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703) <br> [20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393) <br> [1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) <br> [1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) <br>[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update) | October 2022<br>December 2021<br>December 2020<br>October 2018<br>October 2016 <br>January 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-**Server Versions**:
+### Server versions
-| Name                   | Build                                                                                                                                                       | Baseline Release Date | Security Tools                                                      |
+| Name | Build | Baseline Release Date | Security Tools |
-|------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|---------------------------------------------------------------------|
+|--|--|--|--|
-| Windows Server 2022    | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685)                          | September 2021        | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows Server 2022 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685) | September 2021 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Windows Server 2019    | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) | November 2018         | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows Server 2019 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) | November 2018 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Windows Server 2016    | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)                                      | October 2016          | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | October 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Windows Server 2012 R2 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)                                      | August 2014           | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows Server 2012 R2 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-**Microsoft Products**:
+### Microsoft products
-| Name                                            | Details                                                                                                                                                    | Security Tools                                                      |
+| Name | Details | Security Tools |
-|-------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|
+|--|--|--|
 | Microsoft 365 Apps for enterprise, version 2206 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2206/ba-p/3502714) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Microsoft Edge, version 107                     | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v98/ba-p/3165443)                      | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Microsoft Edge, version 107 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v98/ba-p/3165443) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
 ## Related articles
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
@ -1,12 +1,12 @@
 ---
 title: Microsoft Security Compliance Toolkit Guide
-description: This article describes how to use Security Compliance Toolkit in your organization
+description: This article describes how to use Security Compliance Toolkit in your organization.
 ms.localizationpriority: medium
 ms.collection:
  - highpri
  - tier3
 ms.topic: conceptual
-ms.date: 07/11/2023
+ms.date: 10/31/2023
 ---
 # Microsoft Security Compliance Toolkit - How to use
@ -20,6 +20,7 @@ The SCT enables administrators to effectively manage their enterprise's Group Po
 The Security Compliance Toolkit consists of:
 - Windows 11 security baseline
  - Windows 11, version 23H2
  - Windows 11, version 22H2
  - Windows 11, version 21H2
 - Windows 10 security baselines
@ -38,7 +39,7 @@ The Security Compliance Toolkit consists of:
  - Office 2016
  - Microsoft 365 Apps for Enterprise Version 2206
 - Microsoft Edge security baseline
-  - Edge version 114
+  - Microsoft Edge version 114
 - Tools
  - Policy Analyzer
  - Local Group Policy Object (LGPO)
@ -68,12 +69,12 @@ Documentation for the LGPO tool can be found on the [Microsoft Security Guidance
 ## What is the Set Object Security tool?
-`SetObjectSecurity.exe` enables you to set the security descriptor for just about any type of Windows securable object, such as files, directories, registry keys, event logs, services, and SMB shares. For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg file compatible representation of the security descriptor for a REG_BINARY registry value.
+`SetObjectSecurity.exe` enables you to set the security descriptor for just about any type of Windows securable object, such as files, directories, registry keys, event logs, services, and SMB shares. For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a `.reg` file compatible representation of the security descriptor for a REG_BINARY registry value.
 Documentation for the Set Object Security tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
 ## What is the GPO to Policy Rules tool?
-Automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a command-line tool that is included with the Policy Analyzer download.
+Automate the conversion of GPO backups to Policy Analyzer `.PolicyRules` files and skip the GUI. GPO2PolicyRules is a command-line tool that is included with the Policy Analyzer download.
 Documentation for the GPO to PolicyRules tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
--- a/windows/security/operating-system-security/system-security/trusted-boot.md
+++ b/windows/security/operating-system-security/system-security/trusted-boot.md
@ -2,7 +2,7 @@
 title: Secure Boot and Trusted Boot
 description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
 ms.topic: conceptual
-ms.date: 09/21/2021
+ms.date: 10/30/2023
 ms.reviewer: jsuther
 appliesto:
  - "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@ -12,7 +12,9 @@
    - name: Prepare for Windows 11
      href: windows-11-prepare.md
    - name: Windows 11 enterprise feature control
-      href: temporary-enterprise-feature-control.md      
+      href: temporary-enterprise-feature-control.md
    - name: What's new in Windows 11, version 23H2
      href: whats-new-windows-11-version-23h2.md
    - name: What's new in Windows 11, version 22H2
      href: whats-new-windows-11-version-22h2.md
 - name: Windows 10
@ -36,6 +38,6 @@
    - name: Deprecated Windows features
      href: deprecated-features.md
    - name: Resources for deprecated features
-      href: deprecated-features-resources.md       
+      href: deprecated-features-resources.md
    - name: Removed Windows features
      href: removed-features.md
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@ -15,12 +15,12 @@ metadata:
  author: aczechowski
  ms.author: aaroncz
  manager: aaroncz
-  ms.date: 11/14/2022
+  ms.date: 10/31/2023
  localization_priority: medium
 landingContent:
-  - title: Windows 11
+  - title: Windows 11 planning
    linkLists:
      - linkListType: overview
        links:
@ -35,9 +35,18 @@ landingContent:
          - text: Windows commercial licensing overview
            url: windows-licensing.md
  - title: Windows 11
    linkLists:
      - linkListType: whats-new
        links:
          - text: What's new in Windows 11, version 23H2
            url: whats-new-windows-11-version-23h2.md
          - text: What's new in Windows 11, version 22H2
            url: whats-new-windows-11-version-22h2.md
  - title: Windows 10
    linkLists:
-      - linkListType: overview
+      - linkListType: whats-new
        links:
          - text: What's new in Windows 10, version 22H2
            url: whats-new-windows-10-version-22h2.md
--- a/windows/whats-new/whats-new-windows-11-version-23h2.md
+++ b/windows/whats-new/whats-new-windows-11-version-23h2.md
@ -0,0 +1,125 @@
 ---
 title: What's new in Windows 11, version 23H2 for IT pros
 description: Learn more about what's new in Windows 11 version 23H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
 manager: aaroncz
 ms.prod: windows-client
 ms.author: mstewart
 author: mestew
 ms.localizationpriority: medium
 ms.topic: conceptual
 ms.collection:
  - highpri
  - tier2
 ms.technology: itpro-fundamentals
 ms.date: 10/31/2023
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 23H2</a>
 ---
 # What's new in Windows 11, version 23H2
 <!--6681501-->
 Windows 11, version 23H2 is a feature update for Windows 11. It includes all features and fixes in previous cumulative updates to Windows 11, version 22H2. This article lists the new and updated features IT Pros should know.
 Windows 11, version 23H2 follows the [Windows 11 servicing timeline](/lifecycle/faq/windows#windows-11):
 - **Windows 11 Pro**: Serviced for 24 months from the release date.
 - **Windows 11 Enterprise**: Serviced for 36 months from the release date.
 Devices updating from Windows 11, version 22H2 use an enablement package. Most the files for the 23H2 update already exist on Windows 11, version 22H2 devices that have installed a recent monthly security update. Many of the new features have already been enabled on Windows 11, version 22H2 clients. However, some features are just in an inactive and dormant state because they are under [temporary enterprise feature control](temporary-enterprise-feature-control.md). These new features remain dormant until they're turned on through the enablement package, a small, quick-to-install switch that activates all of the Windows 11, version 23H2 features.
 Windows 11, version 23H2 is available through Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Volume Licensing Service Center (VLSC). For more information, see [How to get the Windows 11, version 23H2 update](https://blogs.windows.com/windowsexperience/?p=178531). Review the [Windows 11, version 23H2 Windows IT Pro blog post](https://aka.ms/new-in-23H2) to discover information about available deployment resources such as the [Windows Deployment Kit (Windows ADK)](/windows-hardware/get-started/adk-install).
 To learn more about the status of the update rollout, known issues, and new information, see [Windows release health](/windows/release-health/).
 ## Features no longer under temporary enterprise control
 [Temporary enterprise feature control](temporary-enterprise-feature-control.md) temporarily turns off certain features that were introduced during monthly cumulative updates for managed Windows 11, version 22H2 devices. For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.
 When a manged Windows 11, version 22H2 device installs version 23H2, the following features will no longer under be under temporary enterprise feature control:
 | Feature | KB article where the feature was introduced | 
 |---|---|
 | Touch-optimized taskbar for 2-in-1 devices <!--8092554, WIP.25197--> | [February 28, 2023 - KB5022913](https://support.microsoft.com/kb/5022913)  | 
 | Selecting **Uninstall** for a Win32 app from the right-click menu uses the **Installed Apps** page in **Settings** rather than **Programs and Features** under the **Control Panel** <!--8092554, WIP.25300-->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)  | 
 | Windows Spotlight provides a minimized experience, opportunities to learn more about each image, and allows users to preview images at full screen.<!--8092554, WIP.23511 & WIP.25281, AllowWindowsSpotlight-->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)  |
 | Copilot in Windows <!--8092554, WIP.23493 -->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)  |
 | [Dev Home](/windows/dev-home/) <!--8092554, WIP.23506-->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)  |
 | [Dev Drive](/windows/dev-drive/) <!--8092554, WIP.23466-->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)  | 
 ## Features added to Windows 11 since version 22H2
 Starting with Windows 11, version 22H2, new features and enhancements were introduced periodically to provide continuous innovation for Windows 11. These features and enhancements use the normal update servicing channels you're already familiar with. At first, new features are introduced with an optional nonsecurity preview release and gradually rolled out to clients. These new features are released later as part of a monthly security update release. For more information about continuous innovation, see [Update release cycle for Windows clients](/windows/deployment/update/release-cycle#continuous-innovation-for-windows-11) Some of the features were released within the past year's continuous innovation updates and carry forward into the 23H2 annual feature update include:
 ### Passkeys in Windows
 <!--8138341-->
 Windows provides a native experience for passkey management. You can use the Settings app to view and manage passkeys saved for apps or websites. For more information, see [Support for passkeys in Windows](/windows/security/identity-protection/passkeys).
 ### Windows passwordless experience
 <!--8138336-->
 Windows passwordless experience is a security policy that promotes a user experience without passwords on Microsoft Entra joined devices.
 When the policy is enabled, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords. For more information, see [Windows passwordless experience](/windows/security/identity-protection/passwordless-experience/).
 ### Web sign-in for Windows
 <!--8344016-->
 You can enable a web-based sign-in experience on Microsoft Entra joined devices, unlocking new sign-in options and capabilities. For more information, see [Web sign-in for Windows](/windows/security/identity-protection/web-sign-in).
 ### Declared configuration protocol
 <!--7771694 --> 
 **Declared configuration protocol** is a new protocol for device configuration management that's based on a desired state model and uses OMA-DM SyncML protocol. It allows the server to provide the device with a collection of settings for a specific scenario, and the device to handle the configuration request and maintain its state. For more information, see [What is the declared configuration protocol](/windows/client-management/declared-configuration).
 ### Education themes
 <!--7771679-->
 You can deploy education themes to your devices. The education themes are designed for students using devices in a school. For more information, see [Configure education themes for Windows 11](/education/windows/edu-themes).
 ### Temporary enterprise feature control
 <!--7790977-->
 Controls were added to temporarily turn off certain features that were introduced during monthly cumulative updates for managed Windows 11, version 22H2 devices. For more information, see [Temporary enterprise feature control](temporary-enterprise-feature-control.md).
 ### Multi-app kiosk
 <!--6444738-->
 You can configure a multi-app kiosk, which displays a customized start menu of allowed apps. For more information, see [Set up a multi-app kiosk on Windows 11 devices](/windows/configuration/lock-down-windows-11-to-specific-apps).
 ### Copilot in Windows
 <!--8138371-->
 Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. For more information, see [Manage Copilot in Windows](/windows/client-management/manage-windows-copilot).
 ### Windows Hello for Business authentication improvement
 <!--7771685-->
 Peripheral face and fingerprint sensors can be used for Windows Hello for Business authentication on devices where Enhanced Sign-in Security (Secure Biometrics) has been enabled at the factory. Previously this functionality was blocked. For more information, see [Common questions about Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-faq).
 ### LAPS native integration
 <!--6399966-->
 Use Windows Local Administrator Password Solution (LAPS) to regularly rotate and manage local administrator account passwords. For more information, see [Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview)
 ### Federated sign-in
 <!--7593916, 7593946-->
 You can sign into Windows using a federated identity, which simplifies the experience for students. For example, students and educators can use QR code badges to sign-in. This feature is designed specifically for Education editions of Windows. For more information, see [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in).
 ### Customize Windows 11 taskbar buttons
 <!--07525381-->
 [Policies to customize Windows 11 taskbar buttons](/windows/configuration/supported-csp-taskbar-windows#csp-policies-to-customize-windows-11-taskbar-buttons) were added to provide you with more control over the taskbar search experience across your organization.
 ### Braille displays
 <!--7579823-->
 The compatibility of braille displays was expanded. Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience. We also added support for new braille displays and new braille input and output languages in Narrator. For more information, see [Accessibility information for IT professionals](/windows/configuration/windows-accessibility-for-ITPros).
 ### Dev Drive
 Dev Drive is a new form of storage volume available to improve performance for key developer workloads. For more information, see [Set up a Dev Drive on Windows 11](/windows/dev-drive/).
 ### Additional features
 <!--kb5019509 items and notable items for IT pros from other updates-->
 - **Tabs for File Explorer**: File Explorer includes tabs to help you organize your File Explorer sessions. 
 - **Taskbar overflow menu**: The taskbar offers an entry point to a menu that shows all of your overflowed apps in one spot.
 - **Suggested actions**: Copied text in certain formats, such as phone numbers or dates, offer suggested actions such as calling the number or adding the event to your calendar.
 - **Task Manager enhancements**: Process filtering, theme settings, and the ability to opt out of efficiency mode notification were added to Task Manager.
 - **Narrator improvements**: Scripting functionality was added to Narrator. Narrator includes more natural voices. <!--8138352, 8138357--> 
 ### In-box apps
 - **Microsoft Teams**: Chat is being removed from the Microsoft Teams in-box app. Teams will no longer be pinned to the taskbar for enterprise editions of Windows 11, version 23H2 or later. To identify the appx package: `Get-AppxPackage -Name MicrosoftTeams` <!--8349096-->
 - **Dev Home**: Dev Home is a new app that provides a central location for developers to start building, testing, and deploying Windows apps. For more information, see [Dev Home](/windows/dev-home/). To identify the appx package: `Get-AppxPackage -Name Microsoft.Windows.DevHome`