mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 21:37:22 +00:00
Merge branch 'main' into autopatch-unification-ga
commit
714a1ff22a
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: Configure Take a Test in kiosk mode
|
title: Configure Take a Test in kiosk mode
|
||||||
description: Learn how to configure Windows to execute the Take a Test app in kiosk mode, using Intune and provisioning packages.
|
description: Learn how to configure Windows to execute the Take a Test app in kiosk mode, using Intune and provisioning packages.
|
||||||
ms.date: 11/08/2023
|
ms.date: 09/06/2024
|
||||||
ms.topic: how-to
|
ms.topic: how-to
|
||||||
---
|
---
|
||||||
|
|
||||||
@ -26,7 +26,7 @@ The other options allow you to configure Take a Test in kiosk mode using a local
|
|||||||
|
|
||||||
Follow the instructions below to configure your devices, selecting the option that best suits your needs.
|
Follow the instructions below to configure your devices, selecting the option that best suits your needs.
|
||||||
|
|
||||||
# [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
|
# [:::image type="icon" source="images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
|
||||||
|
|
||||||
You can use Intune for Education or a custom profile in Microsoft Intune:
|
You can use Intune for Education or a custom profile in Microsoft Intune:
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: Take a Test app technical reference
|
title: Take a Test app technical reference
|
||||||
description: List of policies and settings applied by the Take a Test app.
|
description: List of policies and settings applied by the Take a Test app.
|
||||||
ms.date: 11/02/2023
|
ms.date: 09/06/2024
|
||||||
ms.topic: reference
|
ms.topic: reference
|
||||||
---
|
---
|
||||||
|
|
||||||
@ -15,7 +15,7 @@ Assessment vendors can use Take a Test as a platform to lock down the operating
|
|||||||
|
|
||||||
## PC lock-down for assessment
|
## PC lock-down for assessment
|
||||||
|
|
||||||
When the assessment page initiates lock-down, the student's desktop is locked and the app executes above the Windows lock screen. This provides a sandbox that ensures the student can only interact with the Take a Test app. After transitioning to the lock screen, Take a Test applies local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lock-down. The lock-down process is atomic, which means that if any part of the lock-down operation fails, the app won't be above lock and won't have any of the policies applied.
|
When the assessment page initiates lock-down, the student's desktop is locked and the app executes above the Windows lock screen. This provides a sandbox that ensures the student can only interact with the Take a Test app. After transitioning to the lock screen, Take a Test applies local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lock-down. The lock-down process is atomic, which means that if any part of the lock-down operation fails, the app won't be above lock and won't have any of the policies applied.
|
||||||
|
|
||||||
When running above the lock screen:
|
When running above the lock screen:
|
||||||
|
|
||||||
@ -64,7 +64,7 @@ When Take a Test is running, the following functionality is available to student
|
|||||||
- Assistive technology that might be running
|
- Assistive technology that might be running
|
||||||
- Lock screen (not available if student is using a dedicated test account)
|
- Lock screen (not available if student is using a dedicated test account)
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> The app will exit if the student signs in to an account from the lock screen.
|
> The app will exit if the student signs in to an account from the lock screen.
|
||||||
> Progress made in the test may be lost or invalidated.
|
> Progress made in the test may be lost or invalidated.
|
||||||
- The student can exit the test by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd>
|
- The student can exit the test by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd>
|
||||||
|
@ -4,7 +4,7 @@ description: Learn about the different types of apps that run on Windows. For ex
|
|||||||
author: aczechowski
|
author: aczechowski
|
||||||
ms.author: aaroncz
|
ms.author: aaroncz
|
||||||
manager: aaroncz
|
manager: aaroncz
|
||||||
ms.date: 06/28/2024
|
ms.date: 09/03/2024
|
||||||
ms.topic: overview
|
ms.topic: overview
|
||||||
ms.service: windows-client
|
ms.service: windows-client
|
||||||
ms.subservice: itpro-apps
|
ms.subservice: itpro-apps
|
||||||
@ -126,9 +126,7 @@ For more information, see:
|
|||||||
When you use the Microsoft Store app, Windows users can download apps from the public store. They can also download apps provided by your organization, which is called the *private store*. If your organization creates its own apps, you can use [Windows Package Manager](/windows/package-manager) to add apps to the private store.
|
When you use the Microsoft Store app, Windows users can download apps from the public store. They can also download apps provided by your organization, which is called the *private store*. If your organization creates its own apps, you can use [Windows Package Manager](/windows/package-manager) to add apps to the private store.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Retirement of the Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. Customers may continue to use the current capabilities for free apps until that time. There will be no support for Microsoft Store for Business and Education for Windows 11.
|
> The Microsoft Store for Business and Microsoft Store for Education are retired. For more information, see [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring). There will be no support for Microsoft Store for Business and Education for Windows 11.
|
||||||
>
|
|
||||||
> For more information, see [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/bc-p/3771217). This blog post describes the new Microsoft Store experience for both Windows 11 and Windows 10. To learn about other options for getting and managing apps, see [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft).
|
|
||||||
|
|
||||||
To help manage the Microsoft Store on your devices, you can use policies:
|
To help manage the Microsoft Store on your devices, you can use policies:
|
||||||
|
|
||||||
|
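Review bot: the replacement note drops the pointer to [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft) that the removed text offered as the other option for getting and managing apps, so readers learn the stores are retired but not what to use instead. Consider keeping that sentence in the new note. The unchanged paragraph directly above still describes the *private store* as something users can download from; check that it still holds next to a note saying the stores are retired.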
@ -4,7 +4,7 @@ description: Use the Company Portal app in Windows 11 devices to access the priv
|
|||||||
author: aczechowski
|
author: aczechowski
|
||||||
ms.author: aaroncz
|
ms.author: aaroncz
|
||||||
manager: aaroncz
|
manager: aaroncz
|
||||||
ms.date: 04/04/2023
|
ms.date: 09/03/2023
|
||||||
ms.topic: conceptual
|
ms.topic: conceptual
|
||||||
ms.service: windows-client
|
ms.service: windows-client
|
||||||
ms.subservice: itpro-apps
|
ms.subservice: itpro-apps
|
||||||
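Review bot: `ms.date: 09/03/2023` looks like a year typo. It moves the date forward only five months from 04/04/2023, while the other files touched for the same Store retirement wording in this commit are stamped 09/03/2024. Suggest `ms.date: 09/03/2024`.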
@ -104,4 +104,4 @@ If you use a third party or partner MDM provider, be sure to configure the setti
|
|||||||
|
|
||||||
## Windows Package Manager
|
## Windows Package Manager
|
||||||
|
|
||||||
If your organization creates its own apps, your app developers can use [Windows Package Manager](/windows/package-manager/) to deploy apps. For more information on Intune and Windows Package Manager, see [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/ba-p/2569423).
|
If your organization creates its own apps, your app developers can use [Windows Package Manager](/windows/package-manager/) to deploy apps. For more information on Intune and Windows Package Manager, see [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/ba-p/2569423) and [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring).
|
||||||
|
@ -106,6 +106,7 @@ For more information, visit [Install Quick Assist](https://support.microsoft.com
|
|||||||
|
|
||||||
To deploy Quick Assist with Intune, see [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft).
|
To deploy Quick Assist with Intune, see [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft).
|
||||||
|
|
||||||
|
<!-- commenting out since Store for Business and Microsoft Store for Education retired May 31, 20203
|
||||||
### Install Quick Assist Offline
|
### Install Quick Assist Offline
|
||||||
|
|
||||||
To install Quick Assist offline, you need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information.
|
To install Quick Assist offline, you need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information.
|
||||||
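Review bot: the opening comment reads "retired May 31, 20203", which has a malformed year and a date that disagrees with the "retiring March 31, 2023" link title used in the other files of this commit. The comment is the only record of why the section is hidden, so correct it to the date the lifecycle announcement gives. Since the `### Install Quick Assist Offline` heading is now inside the comment, also check that nothing still links to that anchor.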
@ -113,7 +114,7 @@ To install Quick Assist offline, you need to download your APPXBUNDLE and unenco
|
|||||||
1. Start **Windows PowerShell** with Administrative privileges
|
1. Start **Windows PowerShell** with Administrative privileges
|
||||||
1. In PowerShell, change the directory to the location where you saved the file in step 1: `cd <location of package file>`
|
1. In PowerShell, change the directory to the location where you saved the file in step 1: `cd <location of package file>`
|
||||||
1. To install Quick Assist, run the following command: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"`
|
1. To install Quick Assist, run the following command: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"`
|
||||||
1. After Quick Assist is installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers`
|
1. After Quick Assist is installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers` -->
|
||||||
|
|
||||||
### Microsoft Edge WebView2
|
### Microsoft Edge WebView2
|
||||||
|
|
||||||
@ -139,6 +140,9 @@ If your organization utilizes another remote support tool such as [Remote Help](
|
|||||||
|
|
||||||
To disable Quick Assist, block traffic to the `https://remoteassistance.support.services.microsoft.com` endpoint. This is the primary endpoint used by Quick Assist to establish a session, and once blocked, Quick Assist can't be used to get help or help someone.
|
To disable Quick Assist, block traffic to the `https://remoteassistance.support.services.microsoft.com` endpoint. This is the primary endpoint used by Quick Assist to establish a session, and once blocked, Quick Assist can't be used to get help or help someone.
|
||||||
|
|
||||||
|
> [!NOTE]
|
||||||
|
> Blocking the endpoint will disrupt the functionality of Remote Help, as it relies on this endpoint for operation.
|
||||||
|
|
||||||
### Uninstall Quick Assist
|
### Uninstall Quick Assist
|
||||||
|
|
||||||
#### Uninstall via PowerShell
|
#### Uninstall via PowerShell
|
||||||
|
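Review bot: the new note says blocking the endpoint breaks Remote Help, yet the hunk's context shows this section is addressed to organizations that use another remote support tool such as Remote Help, so the block instruction and the note now conflict for exactly that audience. Put the caveat before the block instruction, or add a sentence steering Remote Help customers to the "Uninstall Quick Assist" steps that follow instead of the endpoint block.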
@ -15,7 +15,6 @@ By using Windows MDM to manage app lifecycles, administrators can deploy and man
|
|||||||
|
|
||||||
Windows offers the ability for management servers to:
|
Windows offers the ability for management servers to:
|
||||||
|
|
||||||
- Install apps directly from the Microsoft Store for Business
|
|
||||||
- Deploy offline Store apps and licenses
|
- Deploy offline Store apps and licenses
|
||||||
- Deploy line-of-business (LOB) apps (non-Store apps)
|
- Deploy line-of-business (LOB) apps (non-Store apps)
|
||||||
- Inventory all apps for a user (Store and non-Store apps)
|
- Inventory all apps for a user (Store and non-Store apps)
|
||||||
@ -28,7 +27,7 @@ Windows offers the ability for management servers to:
|
|||||||
|
|
||||||
Windows lets you inventory all apps deployed to a user, and inventory all apps for all users of a Windows device. The [EnterpriseModernAppManagement](mdm/enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
|
Windows lets you inventory all apps deployed to a user, and inventory all apps for all users of a Windows device. The [EnterpriseModernAppManagement](mdm/enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
|
||||||
|
|
||||||
- **Store**: Apps that have been acquired from the Microsoft Store, either directly or delivered with the enterprise from the Store for Business.
|
- **Store**: Apps that have been acquired from the Microsoft Store.
|
||||||
- **nonStore**: Apps that weren't acquired from the Microsoft Store.
|
- **nonStore**: Apps that weren't acquired from the Microsoft Store.
|
||||||
- **System**: Apps that are part of the operating system and can't be uninstalled. This classification is read-only and can only be inventoried.
|
- **System**: Apps that are part of the operating system and can't be uninstalled. This classification is read-only and can only be inventoried.
|
||||||
|
|
||||||
@ -198,6 +197,9 @@ To deploy an app to a user directly from the Microsoft Store, the management ser
|
|||||||
|
|
||||||
If you purchased an app from the Store for Business and the app is specified for an online license, then the app and license must be acquired directly from the Microsoft Store.
|
If you purchased an app from the Store for Business and the app is specified for an online license, then the app and license must be acquired directly from the Microsoft Store.
|
||||||
|
|
||||||
|
> [!NOTE]
|
||||||
|
> The Microsoft Store for Business and Microsoft Store for Education are retired. For more information, see [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring).
|
||||||
|
|
||||||
Here are the requirements for this scenario:
|
Here are the requirements for this scenario:
|
||||||
|
|
||||||
- The app is assigned to a user Microsoft Entra identity in the Store for Business. You can assign directly in the Store for Business or through a management server.
|
- The app is assigned to a user Microsoft Entra identity in the Store for Business. You can assign directly in the Store for Business or through a management server.
|
||||||
|
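Review bot: the retirement note lands between the scenario paragraph and "Here are the requirements for this scenario:", and both the paragraph above it and the first requirement below it still tell the reader to purchase and assign apps in the Store for Business as if it were available. Either move the note to the top of the section and state whether the scenario still applies, or update the surrounding sentences in the same change.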
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: EnterpriseModernAppManagement CSP
|
title: EnterpriseModernAppManagement CSP
|
||||||
description: Learn more about the EnterpriseModernAppManagement CSP.
|
description: Learn more about the EnterpriseModernAppManagement CSP.
|
||||||
ms.date: 04/10/2024
|
ms.date: 09/03/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
<!-- Auto-Generated CSP Document -->
|
<!-- Auto-Generated CSP Document -->
|
||||||
@ -381,9 +381,11 @@ This is a required node. The following list shows the supported deployment optio
|
|||||||
- ForceUpdateToAnyVersion
|
- ForceUpdateToAnyVersion
|
||||||
- DeferRegistration="1". If the app is in use at the time of installation. This option stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1.
|
- DeferRegistration="1". If the app is in use at the time of installation. This option stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1.
|
||||||
- StageOnly="1". Stages the files for an app installation or update without installing the app. Available in 1803.
|
- StageOnly="1". Stages the files for an app installation or update without installing the app. Available in 1803.
|
||||||
- LicenseUri="\\server\license.lic". Deploys an offline license from the Microsoft Store for Business. Available in 1607.
|
- LicenseUri="\\server\license.lic". Deploys an offline license. Available in 1607.
|
||||||
- ValidateDependencies="1". This option is used at provisioning/staging time. If it's set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies aren't present. Available in the latest insider flight of 20H1.
|
- ValidateDependencies="1". This option is used at provisioning/staging time. If it's set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies aren't present. Available in the latest insider flight of 20H1.
|
||||||
- ExcludeAppFromLayoutModification="1". Sets that the app will be provisioned on all devices and will be able to retain the apps provisioned without pinning them to start layout. Available in 1809.
|
- ExcludeAppFromLayoutModification="1". Sets that the app will be provisioned on all devices and will be able to retain the apps provisioned without pinning them to start layout. Available in 1809.
|
||||||
|
|
||||||
|
|
||||||
<!-- Device-AppInstallation-{PackageFamilyName}-HostedInstall-Editable-End -->
|
<!-- Device-AppInstallation-{PackageFamilyName}-HostedInstall-Editable-End -->
|
||||||
|
|
||||||
<!-- Device-AppInstallation-{PackageFamilyName}-HostedInstall-DFProperties-Begin -->
|
<!-- Device-AppInstallation-{PackageFamilyName}-HostedInstall-DFProperties-Begin -->
|
||||||
@ -821,7 +823,7 @@ This is a required node.
|
|||||||
|
|
||||||
<!-- Device-AppLicenses-StoreLicenses-{LicenseID}-LicenseCategory-Description-Begin -->
|
<!-- Device-AppLicenses-StoreLicenses-{LicenseID}-LicenseCategory-Description-Begin -->
|
||||||
<!-- Description-Source-DDF -->
|
<!-- Description-Source-DDF -->
|
||||||
Category of license that's used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel, typically from the Store for Business. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios.
|
Category of license that's used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios.
|
||||||
<!-- Device-AppLicenses-StoreLicenses-{LicenseID}-LicenseCategory-Description-End -->
|
<!-- Device-AppLicenses-StoreLicenses-{LicenseID}-LicenseCategory-Description-End -->
|
||||||
|
|
||||||
<!-- Device-AppLicenses-StoreLicenses-{LicenseID}-LicenseCategory-Editable-Begin -->
|
<!-- Device-AppLicenses-StoreLicenses-{LicenseID}-LicenseCategory-Editable-Begin -->
|
||||||
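Review bot: the reworded LicenseCategory text sits under `<!-- Description-Source-DDF -->`, not inside an Editable block, and this file's own template comment says anything outside the editable section gets overwritten. Make sure the same wording change is made in the DDF source that generates this page; otherwise "typically from the Store for Business" will come back on the next regeneration.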
@ -904,6 +906,8 @@ Identifier for the entity that requested the license, such as the client who acq
|
|||||||
|
|
||||||
<!-- Device-AppLicenses-StoreLicenses-{LicenseID}-RequesterID-Editable-Begin -->
|
<!-- Device-AppLicenses-StoreLicenses-{LicenseID}-RequesterID-Editable-Begin -->
|
||||||
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
|
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
|
||||||
|
> [!NOTE]
|
||||||
|
> The Microsoft Store for Business and Microsoft Store for Education are retired. For more information, see [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring).
|
||||||
<!-- Device-AppLicenses-StoreLicenses-{LicenseID}-RequesterID-Editable-End -->
|
<!-- Device-AppLicenses-StoreLicenses-{LicenseID}-RequesterID-Editable-End -->
|
||||||
|
|
||||||
<!-- Device-AppLicenses-StoreLicenses-{LicenseID}-RequesterID-DFProperties-Begin -->
|
<!-- Device-AppLicenses-StoreLicenses-{LicenseID}-RequesterID-DFProperties-Begin -->
|
||||||
@ -992,6 +996,8 @@ This is a required node. Query parameters:
|
|||||||
|
|
||||||
- Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are:
|
- Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are:
|
||||||
- AppStore - This classification is for apps that were acquired from Microsoft Store. These were apps directly installed from Microsoft Store or enterprise apps from Microsoft Store for Business.
|
- AppStore - This classification is for apps that were acquired from Microsoft Store. These were apps directly installed from Microsoft Store or enterprise apps from Microsoft Store for Business.
|
||||||
|
> [!NOTE]
|
||||||
|
> The Microsoft Store for Business and Microsoft Store for Education are retired. For more information, see [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring).
|
||||||
- nonStore - This classification is for apps that weren't acquired from the Microsoft Store.
|
- nonStore - This classification is for apps that weren't acquired from the Microsoft Store.
|
||||||
- System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried.
|
- System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried.
|
||||||
|
|
||||||
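Review bot: the `[!NOTE]` is inserted between the `AppStore` and `nonStore` items of the Source valid-values list. Unless it is indented to the list item's level it will end the list and start `nonStore` as a new one; placing it after the `System` item avoids that. The `AppStore` line just above still reads "enterprise apps from Microsoft Store for Business", so consider rewording it here the way the LicenseUri and LicenseCategory lines were reworded.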
@ -1012,6 +1018,8 @@ This is a required node. Query parameters:
|
|||||||
- Publisher - specifies the publisher of a particular package. If you specify this parameter, it returns the publisher if the value exists in the Publisher field.
|
- Publisher - specifies the publisher of a particular package. If you specify this parameter, it returns the publisher if the value exists in the Publisher field.
|
||||||
|
|
||||||
If you don't specify this value, then all publishers are returned.
|
If you don't specify this value, then all publishers are returned.
|
||||||
|
|
||||||
|
|
||||||
<!-- Device-AppManagement-AppInventoryQuery-Editable-End -->
|
<!-- Device-AppManagement-AppInventoryQuery-Editable-End -->
|
||||||
|
|
||||||
<!-- Device-AppManagement-AppInventoryQuery-DFProperties-Begin -->
|
<!-- Device-AppManagement-AppInventoryQuery-DFProperties-Begin -->
|
||||||
@ -5464,7 +5472,7 @@ This is a required node. The following list shows the supported deployment optio
|
|||||||
- ForceUpdateToAnyVersion
|
- ForceUpdateToAnyVersion
|
||||||
- DeferRegistration="1". If the app is in use at the time of installation. This option stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1.
|
- DeferRegistration="1". If the app is in use at the time of installation. This option stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1.
|
||||||
- StageOnly="1". Stages the files for an app installation or update without installing the app. Available in 1803.
|
- StageOnly="1". Stages the files for an app installation or update without installing the app. Available in 1803.
|
||||||
- LicenseUri="\\server\license.lic". Deploys an offline license from the Microsoft Store for Business. Available in 1607.
|
- LicenseUri="\\server\license.lic". Deploys an offline license. Available in 1607.
|
||||||
- ValidateDependencies="1". This option is used at provisioning/staging time. If it's set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies aren't present. Available in the latest insider flight of 20H1.
|
- ValidateDependencies="1". This option is used at provisioning/staging time. If it's set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies aren't present. Available in the latest insider flight of 20H1.
|
||||||
- ExcludeAppFromLayoutModification="1". Sets that the app will be provisioned on all devices and will be able to retain the apps provisioned without pinning them to start layout. Available in 1809.
|
- ExcludeAppFromLayoutModification="1". Sets that the app will be provisioned on all devices and will be able to retain the apps provisioned without pinning them to start layout. Available in 1809.
|
||||||
<!-- User-AppInstallation-{PackageFamilyName}-HostedInstall-Editable-End -->
|
<!-- User-AppInstallation-{PackageFamilyName}-HostedInstall-Editable-End -->
|
||||||
@ -5903,7 +5911,7 @@ This is a required node.
|
|||||||
|
|
||||||
<!-- User-AppLicenses-StoreLicenses-{LicenseID}-LicenseCategory-Description-Begin -->
|
<!-- User-AppLicenses-StoreLicenses-{LicenseID}-LicenseCategory-Description-Begin -->
|
||||||
<!-- Description-Source-DDF -->
|
<!-- Description-Source-DDF -->
|
||||||
Category of license that's used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel, typically from the Store for Business. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios.
|
Category of license that's used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios.
|
||||||
<!-- User-AppLicenses-StoreLicenses-{LicenseID}-LicenseCategory-Description-End -->
|
<!-- User-AppLicenses-StoreLicenses-{LicenseID}-LicenseCategory-Description-End -->
|
||||||
|
|
||||||
<!-- User-AppLicenses-StoreLicenses-{LicenseID}-LicenseCategory-Editable-Begin -->
|
<!-- User-AppLicenses-StoreLicenses-{LicenseID}-LicenseCategory-Editable-Begin -->
|
||||||
@ -5986,6 +5994,9 @@ Identifier for the entity that requested the license, such as the client who acq
|
|||||||
|
|
||||||
<!-- User-AppLicenses-StoreLicenses-{LicenseID}-RequesterID-Editable-Begin -->
|
<!-- User-AppLicenses-StoreLicenses-{LicenseID}-RequesterID-Editable-Begin -->
|
||||||
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
|
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
|
||||||
|
> [!NOTE]
|
||||||
|
> The Microsoft Store for Business and Microsoft Store for Education are retired. For more information, see [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring).
|
||||||
|
|
||||||
<!-- User-AppLicenses-StoreLicenses-{LicenseID}-RequesterID-Editable-End -->
|
<!-- User-AppLicenses-StoreLicenses-{LicenseID}-RequesterID-Editable-End -->
|
||||||
|
|
||||||
<!-- User-AppLicenses-StoreLicenses-{LicenseID}-RequesterID-DFProperties-Begin -->
|
<!-- User-AppLicenses-StoreLicenses-{LicenseID}-RequesterID-DFProperties-Begin -->
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: EnterpriseModernAppManagement DDF file
|
title: EnterpriseModernAppManagement DDF file
|
||||||
description: View the XML file containing the device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider.
|
description: View the XML file containing the device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider.
|
||||||
ms.date: 06/28/2024
|
ms.date: 09/03/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
<!-- Auto-Generated CSP Document -->
|
<!-- Auto-Generated CSP Document -->
|
||||||
@ -2462,7 +2462,7 @@ The following XML file contains the device description framework (DDF) for the E
|
|||||||
<AccessType>
|
<AccessType>
|
||||||
<Get />
|
<Get />
|
||||||
</AccessType>
|
</AccessType>
|
||||||
<Description>Category of license that is used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel, typically from the Store for Business. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios.</Description>
|
<Description>Category of license that is used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios.</Description>
|
||||||
<DFFormat>
|
<DFFormat>
|
||||||
<chr />
|
<chr />
|
||||||
</DFFormat>
|
</DFFormat>
|
||||||
@ -2504,7 +2504,7 @@ The following XML file contains the device description framework (DDF) for the E
|
|||||||
<AccessType>
|
<AccessType>
|
||||||
<Get />
|
<Get />
|
||||||
</AccessType>
|
</AccessType>
|
||||||
<Description>Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID.</Description>
|
<Description>Identifier for the entity that requested the license, such as the client who acquired the license. Note that all licenses for a particular enterprise client can have the same RequesterID.</Description>
|
||||||
<DFFormat>
|
<DFFormat>
|
||||||
<chr />
|
<chr />
|
||||||
</DFFormat>
|
</DFFormat>
|
||||||
@ -5286,7 +5286,7 @@ The following XML file contains the device description framework (DDF) for the E
|
|||||||
<AccessType>
|
<AccessType>
|
||||||
<Get />
|
<Get />
|
||||||
</AccessType>
|
</AccessType>
|
||||||
<Description>Category of license that is used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel, typically from the Store for Business. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios.</Description>
|
<Description>Category of license that is used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios.</Description>
|
||||||
<DFFormat>
|
<DFFormat>
|
||||||
<chr />
|
<chr />
|
||||||
</DFFormat>
|
</DFFormat>
|
||||||
@ -5328,7 +5328,7 @@ The following XML file contains the device description framework (DDF) for the E
|
|||||||
<AccessType>
|
<AccessType>
|
||||||
<Get />
|
<Get />
|
||||||
</AccessType>
|
</AccessType>
|
||||||
<Description>Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID.</Description>
|
<Description>Identifier for the entity that requested the license, such as the client who acquired the license. Note that licenses issued for a particular enterprise client can have the same RequesterID.</Description>
|
||||||
<DFFormat>
|
<DFFormat>
|
||||||
<chr />
|
<chr />
|
||||||
</DFFormat>
|
</DFFormat>
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: Browser Policy CSP
|
title: Browser Policy CSP
|
||||||
description: Learn more about the Browser Area in Policy CSP.
|
description: Learn more about the Browser Area in Policy CSP.
|
||||||
ms.date: 04/10/2024
|
ms.date: 09/03/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
<!-- Auto-Generated CSP Document -->
|
<!-- Auto-Generated CSP Document -->
|
||||||
@ -1481,7 +1481,7 @@ Sideloading installs and runs unverified extensions in Microsoft Edge. With this
|
|||||||
|
|
||||||
If enabled or not configured, sideloading of unverified extensions in Microsoft Edge is allowed.
|
If enabled or not configured, sideloading of unverified extensions in Microsoft Edge is allowed.
|
||||||
|
|
||||||
If disabled, sideloading of unverified extensions in Microsoft Edge isn't allowed. Extensions can be installed only through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage). When disabled, this policy doesn't prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, in Group Policy Editor, enable Allows development of Windows Store apps and installing them from an integrated development environment (IDE), which is located at:
|
If disabled, sideloading of unverified extensions in Microsoft Edge isn't allowed. Extensions can be installed only through Microsoft store, enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage). When disabled, this policy doesn't prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, in Group Policy Editor, enable Allows development of Windows Store apps and installing them from an integrated development environment (IDE), which is located at:
|
||||||
|
|
||||||
Computer Configuration > Administrative Templates > Windows Components > App Package Deployment.
|
Computer Configuration > Administrative Templates > Windows Components > App Package Deployment.
|
||||||
|
|
||||||
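Review bot: The changed line writes the product name as "Microsoft store"; it should be "Microsoft Store", as in the other files touched by this commit. With the parenthetical removed, the list also reads more cleanly as "the Microsoft Store, an enterprise storefront (such as Company Portal), or PowerShell (using Add-AppxPackage)".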
@ -3364,9 +3364,7 @@ You can define a list of extensions in Microsoft Edge that users cannot turn off
|
|||||||
Related Documents:
|
Related Documents:
|
||||||
|
|
||||||
- [Find a package family name (PFN) for per-app VPN](/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn)
|
- [Find a package family name (PFN) for per-app VPN](/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn)
|
||||||
- [How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business)
|
|
||||||
- [Assign apps to groups with Microsoft Intune](/mem/intune/apps/apps-deploy)
|
- [Assign apps to groups with Microsoft Intune](/mem/intune/apps/apps-deploy)
|
||||||
- [Manage apps from the Microsoft Store for Business and Education with Configuration Manager](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
|
|
||||||
- [Add a Windows line-of-business app to Microsoft Intune](/mem/intune/apps/lob-apps-windows)
|
- [Add a Windows line-of-business app to Microsoft Intune](/mem/intune/apps/lob-apps-windows)
|
||||||
<!-- PreventTurningOffRequiredExtensions-Editable-End -->
|
<!-- PreventTurningOffRequiredExtensions-Editable-End -->
|
||||||
|
|
||||||
|
@ -37,6 +37,10 @@ This policy setting decides if hibernate on the machine is allowed or not. Suppo
|
|||||||
|
|
||||||
<!-- AllowHibernate-Editable-Begin -->
|
<!-- AllowHibernate-Editable-Begin -->
|
||||||
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
|
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
|
||||||
|
> [!NOTE]
|
||||||
|
> This policy does not override **powercfg** configuration and has no effect on the device if Hibernate is disabled using either of the following methods:
|
||||||
|
> - Running the command `powercfg /hibernate off`.
|
||||||
|
> - Modifying the **HibernateEnabled** value to **0** in the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power` registry key.
|
||||||
<!-- AllowHibernate-Editable-End -->
|
<!-- AllowHibernate-Editable-End -->
|
||||||
|
|
||||||
<!-- AllowHibernate-DFProperties-Begin -->
|
<!-- AllowHibernate-DFProperties-Begin -->
|
||||||
|
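Review bot: The first added line makes two claims of different scope: "This policy does not override **powercfg** configuration" is unconditional, while "has no effect on the device if Hibernate is disabled" covers only the case where hibernate is already off. State explicitly what happens in the other direction (hibernate enabled through powercfg, policy set to disallow) or drop the unconditional clause, so an admin relying on this policy knows which setting wins. The line should also use "doesn't" to match the contractions used in the other policy text in this commit.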
@ -127,5 +127,4 @@ Depending on your configuration, you can have a user to automatically sign in to
|
|||||||
<!--links-->
|
<!--links-->
|
||||||
|
|
||||||
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
|
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
|
||||||
[MEM-2]: /mem/intune/fundamentals/licenses#device-only-licenses
|
|
||||||
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
|
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
|
||||||
|
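Review bot: This hunk deletes the `[MEM-2]` reference definition, but only the link block at the end of the file is visible here. Confirm that no `[...][MEM-2]` reference remains in the article body, otherwise it will render as literal text instead of a link.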
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: Configure a shared or guest Windows device
|
title: Configure a shared or guest Windows device
|
||||||
description: Description of how to configured Shared PC mode, which is a Windows feature that optimizes devices for shared use scenarios.
|
description: Description of how to configured Shared PC mode, which is a Windows feature that optimizes devices for shared use scenarios.
|
||||||
ms.date: 11/08/2023
|
ms.date: 09/06/2024
|
||||||
ms.topic: how-to
|
ms.topic: how-to
|
||||||
---
|
---
|
||||||
|
|
||||||
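Review bot: The `description` line in this front matter still reads "Description of how to configured Shared PC mode". Since the block is being updated anyway, correct it to "how to configure Shared PC mode" in the same change.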
@ -25,9 +25,7 @@ Shared PC can be configured using the following methods:
|
|||||||
|
|
||||||
Follow the instructions below to configure your devices, selecting the option that best suits your needs.
|
Follow the instructions below to configure your devices, selecting the option that best suits your needs.
|
||||||
|
|
||||||
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune**](#tab/intune)
|
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-2], and use the settings listed under the category **`Shared PC`**:
|
To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-2], and use the settings listed under the category **`Shared PC`**:
|
||||||
|
|
||||||
|
@ -34,7 +34,7 @@ For each app that you add to the package, configure the settings in the followin
|
|||||||
| Setting | Value | Description |
|
| Setting | Value | Description |
|
||||||
|--|--|--|
|
|--|--|--|
|
||||||
| ApplicationFile | `.appx` or `.appxbundle` | Set the value to the app file that you want to install on the device. Also enable the [AllowAllTrustedApps setting](wcd-policies.md#applicationmanagement) and add a root certificate or license file. |
|
| ApplicationFile | `.appx` or `.appxbundle` | Set the value to the app file that you want to install on the device. Also enable the [AllowAllTrustedApps setting](wcd-policies.md#applicationmanagement) and add a root certificate or license file. |
|
||||||
| DependencyAppxFiles | Any required frameworks | In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. |
|
| DependencyAppxFiles | Any required frameworks | Typically, dependencies for the app are listed undere **Required frameworks**. |
|
||||||
| DeploymentOptions | - None</br>-Force application shutdown: If this package, or any package that depends on this package is currently in use, then the processes associated with the package are forcibly shut down. The registration can continue. </br>- Development mode: Don't use. </br>- Install all resources: When you set this option, the app is instructed to skip resource applicability checks.</br>- Force target application shutdown: If this package is currently in use, the processes associated with the package are shut down forcibly so that registration can continue | Select a deployment option. |
|
| DeploymentOptions | - None</br>-Force application shutdown: If this package, or any package that depends on this package is currently in use, then the processes associated with the package are forcibly shut down. The registration can continue. </br>- Development mode: Don't use. </br>- Install all resources: When you set this option, the app is instructed to skip resource applicability checks.</br>- Force target application shutdown: If this package is currently in use, the processes associated with the package are shut down forcibly so that registration can continue | Select a deployment option. |
|
||||||
| LaunchAppAtLogin | - Don't launch app</br>- Launch app | Set the value for app behavior when a user signs in. |
|
| LaunchAppAtLogin | - Don't launch app</br>- Launch app | Set the value for app behavior when a user signs in. |
|
||||||
| OptionalPackageFiles | Additional files required by the package | Browse to, select, and add the optional package files. |
|
| OptionalPackageFiles | Additional files required by the package | Browse to, select, and add the optional package files. |
|
||||||
|
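Review bot: The new DependencyAppxFiles description has a typo, "undere", and after removing the Store for Business reference it no longer says where **Required frameworks** is found. Fix the spelling and name the page or tool that shows that section, or reword the cell so it doesn't point at a UI label without context.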
@ -9,7 +9,7 @@ ms.service: windows-client
|
|||||||
ms.subservice: activation
|
ms.subservice: activation
|
||||||
ms.localizationpriority: medium
|
ms.localizationpriority: medium
|
||||||
ms.topic: how-to
|
ms.topic: how-to
|
||||||
ms.date: 03/04/2024
|
ms.date: 9/03/2024
|
||||||
zone_pivot_groups: windows-versions-11-10
|
zone_pivot_groups: windows-versions-11-10
|
||||||
appliesto:
|
appliesto:
|
||||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||||
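Review bot: The new value `ms.date: 9/03/2024` drops the leading zero. Every other file in this commit uses the two-digit month form (`09/03/2024`, `09/06/2024`), so write it as `09/03/2024` here as well.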
@ -491,9 +491,12 @@ When a device has been offline for an extended period of time, the Subscription
|
|||||||
- [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
|
- [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
|
||||||
|
|
||||||
- [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
|
- [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
|
||||||
|
> [!NOTE]
|
||||||
|
> The Microsoft Store for Business and Microsoft Store for Education are retired. For more information, see [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring).
|
||||||
|
|
||||||
Although the app ID is the same in both instances, the name of the cloud app depends on the tenant.
|
Although the app ID is the same in both instances, the name of the cloud app depends on the tenant.
|
||||||
|
|
||||||
|
|
||||||
For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
|
For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
|
||||||
|
|
||||||
<!-- 8605089 -->
|
<!-- 8605089 -->
|
||||||
|
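Review bot: The added note sits between the two-item app list and the sentence "Although the app ID is the same in both instances", which refers back to that list. Move the note below that sentence so the list and its explanation stay together. The second bullet still names "Windows Store for Business" as a cloud app right above a note saying the service is retired, so the note should also say why the name can still appear in a tenant.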
@ -69,7 +69,7 @@ Delivery Optimization requires the use of certain ports to deliver content. Make
|
|||||||
| Port | Protocol | Function |
|
| Port | Protocol | Function |
|
||||||
|---------|-------------------|----------|
|
|---------|-------------------|----------|
|
||||||
| 7680 | TCP/IP | Listen for P2P using TCP/IP |
|
| 7680 | TCP/IP | Listen for P2P using TCP/IP |
|
||||||
| 3544 | TCP/IP | Use Teredo to discover and connect to peers across NATs |
|
| 3544 | UDP | Use Teredo to discover and connect to peers across NATs. For more information, see the [Teredo documentation](/windows/win32/teredo/required-firewall-exceptions-for-teredo). |
|
||||||
| 443 | HTTPS / TLS 1.2 | Use to communicate Delivery Optimization client and service |
|
| 443 | HTTPS / TLS 1.2 | Use to communicate Delivery Optimization client and service |
|
||||||
|
|
||||||
## 2. Evaluate Delivery Optimization policies
|
## 2. Evaluate Delivery Optimization policies
|
||||||
|
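Review bot: With the 3544 row corrected to `UDP`, the Protocol column now mixes `TCP/IP` (7680) and `UDP` (3544). Write the 7680 entry as `TCP` so the column names the transport protocol consistently, since readers turn this table directly into firewall rules. The new Function cell is also the only one ending with a period and carrying a second sentence; consider moving the Teredo link below the table.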
@ -17,7 +17,7 @@ metadata:
|
|||||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||||
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019, and later</a>
|
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019, and later</a>
|
||||||
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
|
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
|
||||||
ms.date: 08/06/2024
|
ms.date: 09/10/2024
|
||||||
title: Frequently Asked Questions about Delivery Optimization
|
title: Frequently Asked Questions about Delivery Optimization
|
||||||
summary: |
|
summary: |
|
||||||
This article answers frequently asked questions about Delivery Optimization.
|
This article answers frequently asked questions about Delivery Optimization.
|
||||||
@ -103,8 +103,6 @@ sections:
|
|||||||
|
|
||||||
- `*.dl.delivery.mp.microsoft.com`
|
- `*.dl.delivery.mp.microsoft.com`
|
||||||
|
|
||||||
**For the payloads (optional)**:
|
|
||||||
|
|
||||||
- `*.windowsupdate.com`
|
- `*.windowsupdate.com`
|
||||||
|
|
||||||
**For group peers across multiple NATs (Teredo)**:
|
**For group peers across multiple NATs (Teredo)**:
|
||||||
|
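Review bot: Removing the "**For the payloads (optional)**:" label leaves `*.windowsupdate.com` directly under the preceding group with `*.dl.delivery.mp.microsoft.com`, which changes it from an optional endpoint to one that reads as required. If that is intended, say so in the change description; if not, keep a label that distinguishes the payload endpoint so allow-lists built from this answer stay accurate.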
@ -48,8 +48,8 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
|
|||||||
| [Monthly upload data cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | Default value is 20 GB. |
|
| [Monthly upload data cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | Default value is 20 GB. |
|
||||||
| [Minimum background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | Recommend setting this to 500 KB/s. Default value is 2500 KB/s. |
|
| [Minimum background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | Recommend setting this to 500 KB/s. Default value is 2500 KB/s. |
|
||||||
| [Enable peer caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | Default is to not allow peering while on VPN. |
|
| [Enable peer caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | Default is to not allow peering while on VPN. |
|
||||||
| [VPN keywords](#vpn-keywords) | DOVpnKeywords | 22H2 September Moment | Allows you to set one or more keywords used to recognize VPN connections. |
|
| [VPN keywords](#vpn-keywords) | DOVpnKeywords | Windows 11, version 22H2 with the September 2023 or later update installed | Allows you to set one or more keywords used to recognize VPN connections. |
|
||||||
| [Disallow cache server downloads from VPN](#disallow-cache-server-downloads-on-vpn) | DODisallowCacheServerDownloadsOnVPN | 22H2 September Moment | Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected via VPN. |
|
| [Disallow cache server downloads from VPN](#disallow-cache-server-downloads-on-vpn) | DODisallowCacheServerDownloadsOnVPN | Windows 11, version 22H2 with the September 2023 or later update installed | Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected via VPN. |
|
||||||
| [Allow uploads while the device is on battery while under set battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | Default is to not allow peering while on battery. |
|
| [Allow uploads while the device is on battery while under set battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | Default is to not allow peering while on battery. |
|
||||||
| [Maximum foreground download bandwidth (percentage)](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | Default is '0' which will dynamically adjust. |
|
| [Maximum foreground download bandwidth (percentage)](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | Default is '0' which will dynamically adjust. |
|
||||||
| [Maximum background download bandwidth (percentage)](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | Default is '0' which will dynamically adjust. |
|
| [Maximum background download bandwidth (percentage)](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | Default is '0' which will dynamically adjust. |
|
||||||
|
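Review bot: On the changed DODisallowCacheServerDownloadsOnVPN row the link text is "Disallow cache server downloads from VPN" while the anchor and the policy name both say "on VPN". Align the link text with the section heading while this row is being edited. The new version string is also much longer than the bare release numbers (`1607`, `1709`) in the neighboring rows; a footnote under the table would keep the column readable.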
@ -52,7 +52,6 @@ The following table lists the minimum Windows 10 version that supports Delivery
|
|||||||
| Windows Update ([feature updates quality updates, language packs, drivers](../update/get-started-updates-channels-tools.md#types-of-updates)) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
| Windows Update ([feature updates quality updates, language packs, drivers](../update/get-started-updates-channels-tools.md#types-of-updates)) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
||||||
| Windows 10/11 UWP Store apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
| Windows 10/11 UWP Store apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
||||||
| Windows 11 Win32 Store apps | Windows 11 | :heavy_check_mark: | |
|
| Windows 11 Win32 Store apps | Windows 11 | :heavy_check_mark: | |
|
||||||
| Windows 10 Store for Business apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
|
||||||
| Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
| Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
||||||
| Intune Win32 apps| Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
| Intune Win32 apps| Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
||||||
| Microsoft 365 Apps and updates | Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
| Microsoft 365 Apps and updates | Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
||||||
|
Binary file not shown.
Before Width: | Height: | Size: 38 KiB |
Binary file not shown.
Before Width: | Height: | Size: 94 KiB |
@ -14,7 +14,7 @@ ms.localizationpriority: medium
|
|||||||
appliesto:
|
appliesto:
|
||||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||||
ms.date: 04/29/2024
|
ms.date: 09/03/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Manage additional Windows Update settings
|
# Manage additional Windows Update settings
|
||||||
@ -103,9 +103,9 @@ By enabling the Group Policy setting under **Computer Configuration\Administrati
|
|||||||
|
|
||||||
### Do not connect to any Windows Update Internet locations
|
### Do not connect to any Windows Update Internet locations
|
||||||
|
|
||||||
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update, the Microsoft Store, or the Microsoft Store for Business.
|
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store.
|
||||||
|
|
||||||
Use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations** to enable this policy. When enabled, this policy will disable the functionality described above, and may cause connection to public services such as the Microsoft Store, Microsoft Store for Business, Windows Update for Business, and Delivery Optimization to stop working.
|
Use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations** to enable this policy. When enabled, this policy will disable the functionality described above, and may cause connection to public services such as the Microsoft Store, Windows Update for Business, and Delivery Optimization to stop working.
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>This policy applies only when the device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
|
>This policy applies only when the device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
|
||||||
|
@ -12,7 +12,7 @@ ms.localizationpriority: medium
|
|||||||
appliesto:
|
appliesto:
|
||||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||||
ms.date: 04/12/2023
|
ms.date: 09/03/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Delivery Optimization data in Windows Update for Business reports
|
# Delivery Optimization data in Windows Update for Business reports
|
||||||
@ -154,7 +154,7 @@ There are many Microsoft [content types](waas-delivery-optimization.md#types-of-
|
|||||||
|
|
||||||
| Content Category | Content Types Included |
|
| Content Category | Content Types Included |
|
||||||
| --- | --- |
|
| --- | --- |
|
||||||
| Apps | Windows 10 Store apps, Windows 10 Store for Business apps, Windows 11 UWP Store apps |
|
| Apps | Windows 10 Store apps, Windows 11 UWP Store apps |
|
||||||
| Driver Updates | Windows Update [Driver updates](get-started-updates-channels-tools.md#types-of-updates) |
|
| Driver Updates | Windows Update [Driver updates](get-started-updates-channels-tools.md#types-of-updates) |
|
||||||
| Feature Updates | Windows Update [Feature updates](get-started-updates-channels-tools.md#types-of-updates) |
|
| Feature Updates | Windows Update [Feature updates](get-started-updates-channels-tools.md#types-of-updates) |
|
||||||
| Office | Microsoft 365 Apps and updates |
|
| Office | Microsoft 365 Apps and updates |
|
||||||
|
@ -1,70 +1,70 @@
|
|||||||
---
|
---
|
||||||
title: Windows Upgrade and Migration Considerations (Windows 10)
|
title: Windows Upgrade and Migration Considerations
|
||||||
description: Discover the Microsoft tools you can use to move files and settings between installations including special considerations for performing an upgrade or migration.
|
description: Discover the Microsoft tools that can be used to move files and settings between installations including special considerations for performing an upgrade or migration.
|
||||||
manager: aaroncz
|
manager: aaroncz
|
||||||
ms.author: frankroj
|
ms.author: frankroj
|
||||||
ms.service: windows-client
|
ms.service: windows-client
|
||||||
author: frankroj
|
author: frankroj
|
||||||
ms.topic: conceptual
|
ms.topic: conceptual
|
||||||
ms.subservice: itpro-deploy
|
ms.subservice: itpro-deploy
|
||||||
ms.date: 08/09/2023
|
ms.date: 08/30/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Windows upgrade and migration considerations
|
# Windows upgrade and migration considerations
|
||||||
Files and application settings can be migrated to new hardware running the Windows® operating system, or they can be maintained during an operating system upgrade on the same computer. This topic summarizes the Microsoft® tools you can use to move files and settings between installations in addition to special considerations for performing an upgrade or migration.
|
|
||||||
|
Files and application settings can be migrated to new hardware running the Windows operating system, or they can be maintained during an operating system upgrade on the same computer. This article summarizes the Microsoft tools that can be used to move files and settings between installations in addition to special considerations for performing an upgrade or migration.
|
||||||
|
|
||||||
## Upgrade from a previous version of Windows
|
## Upgrade from a previous version of Windows
|
||||||
You can upgrade from an earlier version of Windows, which means you can install the new version of Windows and retain your applications, files, and settings as they were in your previous version of Windows. If you decide to perform a custom installation of Windows instead of an upgrade, your applications and settings won't be maintained. Your personal files, and all Windows files and directories, will be moved to a Windows.old folder. You can access your data in the Windows.old folder after Windows Setup is complete.
|
|
||||||
|
Earlier versions of Windows can be upgraded to later versions. As part of the upgrade experience, the newer version of Windows can be installed while retaining applications, files, and settings as they were in the previous version of Windows. If a custom installation of Windows is performed instead of an upgrade, applications and settings aren't maintained. Personal files and all Windows files and directories are moved to a **Windows.old** folder. The data can be accessed in the **Windows.old** folder after Windows Setup is complete.
|
||||||
|
|
||||||
## Migrate files and settings
|
## Migrate files and settings
|
||||||
Migration tools are available to transfer settings from one computer that is running Windows to another. These tools transfer only the program settings, not the programs themselves.
|
|
||||||
|
|
||||||
For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](/previous-versions/windows/server/cc722055(v=ws.10)).
|
The [User State Migration Tool (USMT)](../usmt/usmt-overview.md) is available to transfer settings:
|
||||||
|
|
||||||
The User State Migration Tool (USMT) 10.0 is an application intended for administrators who are performing large-scale automated deployments. For deployment to a few computers or for individually customized deployments, you can use Windows Easy Transfer.
|
- Between two computers running Windows, also known as a *side-by-side* migration.
|
||||||
|
- On a single computer upgrading the version of Windows when not using an in-place upgrade, also known as a *wipe-and-load* or *refresh* migration.
|
||||||
|
|
||||||
### Migrate with Windows Easy Transfer
|
USMT only transfers the program settings, not the programs themselves. USMT is an application intended for administrators who are performing large-scale automated deployments, but it can also be used in smaller migrations.
|
||||||
Windows Easy Transfer is a software wizard for transferring files and settings from one computer that is running Windows to another. It helps you select what to move to your new computer, enables you to set which migration method to use, and then performs the transfer. When the transfer has completed, Windows Easy Transfer Reports shows you what was transferred and provides a list of programs you might want to install on your new computer, in addition to links to other programs you might want to download.
|
|
||||||
|
|
||||||
With Windows Easy Transfer, files and settings can be transferred using a network share, a USB flash drive (UFD), or the Easy Transfer cable. However, you can't use a regular universal serial bus (USB) cable to transfer files and settings with Windows Easy Transfer. An Easy Transfer cable can be purchased on the Web, from your computer manufacturer, or at an electronics store.
|
|
||||||
|
|
||||||
> [!NOTE]
|
|
||||||
>
|
|
||||||
> Windows Easy Transfer [is not available in Windows 10](https://support.microsoft.com/help/4026265/windows-windows-easy-transfer-is-not-available-in-windows-10).
|
|
||||||
|
|
||||||
### Migrate with the User State Migration Tool
|
### Migrate with the User State Migration Tool
|
||||||
You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they're migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded.
|
|
||||||
|
USMT can be used to automate migration during large deployments of the Windows operating system. USMT uses XML files that define migration rules. The migration rules can be configured to control exactly what USMT migrates and how it migrates the items. For example, USMT can migrate:
|
||||||
|
|
||||||
|
- User accounts, including which specific accounts to migrate.
|
||||||
|
- User files, including which specific files to migrate.
|
||||||
|
- Operating system settings, including which specific operating system settings to migrate.
|
||||||
|
- Settings for some applications, including which specific application settings to migrate.
|
||||||
|
|
||||||
|
USMT can be used for the following scenarios:
|
||||||
|
|
||||||
|
- **Side-by-side** - migration where one device is replaced with a different device.
|
||||||
|
- **Wipe-and-load**/**refresh** - migration where Windows is upgraded on a single device.
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
>
|
>
|
||||||
> USMT only supports devices that are joined to a local Active Directory domain. USMT doesn't support Microsoft Entra joined devices.
|
> USMT only supports devices that are joined to a local Active Directory domain. USMT doesn't support Microsoft Entra joined devices.
|
||||||
|
|
||||||
## Upgrade and migration considerations
|
## Upgrade and migration considerations
|
||||||
Whether you're upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations:
|
|
||||||
|
When upgrading or migrating to a new version of Windows, be aware of the following issues and considerations:
|
||||||
|
|
||||||
### Application compatibility
|
### Application compatibility
|
||||||
For more information about application compatibility in Windows, see [Windows compatibility cookbook](/windows/compatibility/).
|
|
||||||
|
For more information about application compatibility in Windows, see [Compatibility for Windows 11](/windows/compatibility/windows-11/).
|
||||||
|
|
||||||
### Multilingual Windows image upgrades
|
### Multilingual Windows image upgrades
|
||||||
When performing multilingual Windows upgrades, cross-language upgrades aren't supported by USMT. If you're upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English.
|
|
||||||
|
|
||||||
If you're using a single-language Windows image that matches the system default UI language of your multilingual operating system, the migration will work. However, all of the language packs will be removed, and you'll have to reinstall them after the upgrade is completed.
|
USMT doesn't support cross-language upgrades when performing multilingual Windows upgrades. If upgrading or migrating an operating system with multiple language packs installed, only the system default user interface (UI) language can be upgraded or migrated to. For example, if English is the default but a Spanish language pack is installed, only English can be upgraded or migrated to.
|
||||||
|
|
||||||
|
If a single-language Windows image that matches the system default UI language of a multilingual operating system is being used for a *wipe-and-load*/*refresh* migration, the migration works. However, all of the language packs are removed. The language packs will need to be reinstalled after the upgrade is completed.
|
||||||
|
|
||||||
### Errorhandler.cmd
|
### Errorhandler.cmd
|
||||||
When upgrading from an earlier version of Windows, if you intend to use Errorhandler.cmd, you must copy Errorhandler.cmd into the %WINDIR%\\Setup\\Scripts directory on the old installation. This makes sure that if there are errors during the down-level phase of Windows Setup, the commands in Errorhandler.cmd will run.
|
|
||||||
|
|
||||||
### Data drive ACL migration
|
If using **Errorhandler.cmd** when upgrading from an earlier version of Windows, copy **Errorhandler.cmd** into the `%WINDIR%\Setup\Scripts` directory on the original installation of Windows. Copying **Errorhandler.cmd** into the `%WINDIR%\Setup\Scripts` directory on the original installation of Windows makes sure that if there are errors during the down-level phase of Windows Setup, the commands in **Errorhandler.cmd** run. For more information, see [Run a script if Windows Setup encounters a fatal error (ErrorHandler.cmd)](/windows-hardware/manufacture/desktop/add-a-custom-script-to-windows-setup#run-a-script-if-windowssetup-encounters-a-fatal-error-errorhandlercmd).
|
||||||
During the configuration pass of Windows Setup, the root access control list (ACL) on drives formatted for NTFS that don't appear to have an operating system will be changed to the default Windows XP ACL format. The ACLs on these drives are changed to enable authenticated users to modify access on folders and files.
|
|
||||||
|
|
||||||
Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature:
|
## Related content
|
||||||
|
|
||||||
`Key: HKLM\System\Setup`
|
- [User State Migration Tool (USMT) overview](../usmt/usmt-overview.md).
|
||||||
`Type: REG_DWORD`
|
- [Windows upgrade paths](windows-upgrade-paths.md).
|
||||||
`Value: "DDACLSys_Disabled" = 1`
|
- [Windows edition upgrade](windows-edition-upgrades.md).
|
||||||
|
|
||||||
This feature is disabled if this registry key value exists and is configured to `1`.
|
|
||||||
|
|
||||||
## Related articles
|
|
||||||
[User State Migration Tool (USMT) Overview Topics](../usmt/usmt-topics.md)<BR>
|
|
||||||
[Windows 10 upgrade paths](windows-10-upgrade-paths.md)<BR>
|
|
||||||
[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
|
|
||||||
|
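Review bot: The right-hand side drops the whole "Data drive ACL migration" section, including the `DDACLSys_Disabled` value under `HKLM\System\Setup`, with no replacement text and no pointer to where it went. The removed text describes Windows Setup rewriting the root ACL on NTFS drives that don't appear to have an operating system so that authenticated users can modify access. That is a permission change administrators need to know about. If the behavior no longer applies to supported Windows versions, say so in the commit message; if it still applies, keep the section or link to where it is now documented. Separately, the new Errorhandler.cmd paragraph repeats "into the `%WINDIR%\Setup\Scripts` directory on the original installation of Windows" in two consecutive sentences; the second sentence can start with "Doing so makes sure that".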
@ -8,7 +8,7 @@ ms.service: windows-client
|
|||||||
author: frankroj
|
author: frankroj
|
||||||
ms.topic: conceptual
|
ms.topic: conceptual
|
||||||
ms.subservice: itpro-deploy
|
ms.subservice: itpro-deploy
|
||||||
ms.date: 01/09/2024
|
ms.date: 08/30/2024
|
||||||
appliesto:
|
appliesto:
|
||||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||||
@ -65,17 +65,17 @@ This article outlines the general process to follow to migrate files and setting
|
|||||||
>
|
>
|
||||||
> USMT fails if it can't migrate a file or setting unless the `/c` option is specified. When the `/c` option is specified, USMT ignores the errors, and logs an error every time that it encounters a file that is being used that USMT didn't migrate. The `<ErrorControl>` section in the `Config.xml` file can be used to specify which errors should be ignored, and which should cause the migration to fail.
|
> USMT fails if it can't migrate a file or setting unless the `/c` option is specified. When the `/c` option is specified, USMT ignores the errors, and logs an error every time that it encounters a file that is being used that USMT didn't migrate. The `<ErrorControl>` section in the `Config.xml` file can be used to specify which errors should be ignored, and which should cause the migration to fail.
|
||||||
|
|
||||||
1. Run the `ScanState.exe` command on the source computer to collect files and settings. All of the **.xml** files that the `ScanState.exe` command needs to use should be specified. For example,
|
1. To collect files and settings, run the `ScanState.exe` command on the source computer. All of the **.xml** files that the `ScanState.exe` command needs to use should be specified. For example,
|
||||||
|
|
||||||
```cmd
|
```cmd
|
||||||
ScanState.exe \\server\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log
|
ScanState.exe \\server\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log
|
||||||
```
|
```
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
>
|
>
|
||||||
> The `ScanState.exe` command must be run in **Administrator** mode on the source computer. To run in **Administrator** mode, right-click **Command Prompt**, and then select **Run As Administrator**. For more information about how the `ScanState.exe` command processes and stores the data, see [How USMT Works](usmt-how-it-works.md).
|
> The `ScanState.exe` command must be run in **Administrator** mode on the source computer. To run in **Administrator** mode, right-click **Command Prompt**, and then select **Run As Administrator**. For more information about how the `ScanState.exe` command processes and stores the data, see [How USMT Works](usmt-how-it-works.md).
|
||||||
|
|
||||||
1. Run the `UsmtUtils.exe` command with the `/Verify` option to ensure that the created store isn't corrupted.
|
1. To ensure that the created store isn't corrupted, run the `UsmtUtils.exe` command with the `/Verify` option.
|
||||||
|
|
||||||
## Step 3: Prepare the destination computer and restore files and settings
|
## Step 3: Prepare the destination computer and restore files and settings
|
||||||
|
|
||||||
|
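Review bot: Step 2 (the `UsmtUtils.exe` `/Verify` step) still has no example command, while step 1 shows a full `ScanState.exe` line; add an example that verifies the same store path used in step 1 so the two steps read as one procedure. The reworded step 1 also still ends with "For example," before the code block, which should end with a colon. While this step is being edited, consider noting that the sample command writes the store to `\\server\migration\mystore` without the `/encrypt` option, so the collected files and settings rely on the share's permissions for protection.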
@ -6,7 +6,7 @@ manager: aaroncz
|
|||||||
ms.author: frankroj
|
ms.author: frankroj
|
||||||
ms.service: windows-client
|
ms.service: windows-client
|
||||||
author: frankroj
|
author: frankroj
|
||||||
ms.date: 01/09/2024
|
ms.date: 08/30/2024
|
||||||
ms.topic: conceptual
|
ms.topic: conceptual
|
||||||
ms.subservice: itpro-deploy
|
ms.subservice: itpro-deploy
|
||||||
appliesto:
|
appliesto:
|
||||||
@ -28,13 +28,13 @@ A test computer that contains the operating system of the source computers shoul
|
|||||||
|
|
||||||
## Step 1: Verify that the application is installed on the source computer, and that it's the same version as the version to be installed on the destination computer
|
## Step 1: Verify that the application is installed on the source computer, and that it's the same version as the version to be installed on the destination computer
|
||||||
|
|
||||||
Before USMT migrates the settings, check whether the application is installed on the source computer, and that it's the correct version. If the application isn't installed on the source computer, USMT still spends time searching for the application's settings. More importantly, if USMT collects settings for an application that isn't installed, it could migrate settings that cause the destination computer to function incorrectly. Also determine whether there's more than one version of the application because the new version could store the settings in a different location. Mismatched application versions could lead to unexpected results on the destination computer.
|
Before USMT migrates the settings, check whether the application is installed on the source computer, and that it's the correct version. If the application isn't installed on the source computer, USMT still spends time searching for the application's settings. More importantly, if USMT collects settings for an application that isn't installed, it could migrate settings that cause the destination computer to function incorrectly. Also determine whether there's more than one version of the application because the new version could store the settings in a different location. Mismatched application versions could lead to unexpected results on the destination computer.
|
||||||
|
|
||||||
There are many ways to detect if an application is installed. The best practice is to check for an application uninstall key in the registry, and then search the computer for the executable file that installed the application. It's important to check for both of these items, because sometimes different versions of the same application share the same uninstall key. Even if the key is there, it could correspond to a different version of the application that is wanted.
|
There are many ways to detect if an application is installed. The best practice is to check for an application uninstall key in the registry. The computer can then be searched for the executable file that installed the application. It's important to check for both of these items, because sometimes different versions of the same application share the same uninstall key. Even if the key is there, it could correspond to a different version of the application that is wanted.
|
||||||
|
|
||||||
### Check the registry for an application uninstall key
|
### Check the registry for an application uninstall key
|
||||||
|
|
||||||
When many applications are installed (especially those installed using the Microsoft Windows Installer technology), an application uninstall key is created under:
|
When many applications are installed, especially those installed using the Microsoft Windows Installer technology, an application uninstall key is created under:
|
||||||
|
|
||||||
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall`
|
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall`
|
||||||
|
|
||||||
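Review bot: Splitting the "best practice" sentence leaves only the registry check inside the best-practice statement. "The computer can then be searched for the executable file" now reads as optional, yet the next sentence says it's important to check for both items. Keep both checks in one statement, for example "The best practice is to check for an application uninstall key in the registry, and then to search the computer for the executable file." The phrase "the executable file that installed the application" also reads as the installer, while the later heading is "Check the file system for the application executable file"; use one term for both.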
@ -44,11 +44,17 @@ For example, when Adobe Acrobat Reader 7 is installed, it creates a key named:
|
|||||||
|
|
||||||
Therefore, if a computer contains this key, then Adobe Acrobat Reader 7 is installed on the computer. The existence of a registry key can be checked using the `DoesObjectExist` helper function.
|
Therefore, if a computer contains this key, then Adobe Acrobat Reader 7 is installed on the computer. The existence of a registry key can be checked using the `DoesObjectExist` helper function.
|
||||||
|
|
||||||
Usually, this key can be found by searching under:
|
The **Uninstall** registry key for a particular application can be found under the following registry key:
|
||||||
|
|
||||||
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall`
|
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall`
|
||||||
|
|
||||||
for the name of the application, the name of the application executable file, or for the name of the company that makes the application. The Registry Editor, `Regedit.exe` located in the `%SystemRoot%`, can be used to search the registry.
|
To find the **Uninstall** key for a specific application, search for one of the following items under the **Uninstall** registry key:
|
||||||
|
|
||||||
|
- Name of the application.
|
||||||
|
- Name of the application executable file.
|
||||||
|
- Name of the company that makes the application.
|
||||||
|
|
||||||
|
To search the registry, use the Registry Editor `Regedit.exe`. `Regedit.exe` is located in the path stored in `%SystemRoot%`, normally `C:\Windows`.
|
||||||
|
|
||||||
### Check the file system for the application executable file
|
### Check the file system for the application executable file
|
||||||
|
|
||||||
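Review bot: The added sentence "The **Uninstall** registry key for a particular application can be found under the following registry key:" and the sentence after the path both send the reader to the same Uninstall key, and the path already appears earlier in this section; merge them into one lead-in followed by the three-item list. The unchanged line above, "if a computer contains this key, then Adobe Acrobat Reader 7 is installed on the computer", is also stronger than the earlier warning that a key could correspond to a different version of the application, so qualify it while this passage is being reworked.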
@ -76,7 +82,7 @@ Next, go through the user interface and make a list of all of the available sett
|
|||||||
>
|
>
|
||||||
> Most applications store their settings under the user profile. That is, the settings stored in the file system are under the `%UserProfile%` directory, and the settings stored in the registry are under the `HKEY_CURRENT_USER` hive. For these applications, the output of the file and registry monitoring tools can be filtered to show activity only under these locations. This filtering considerably reduces the amount of output that needs to be examined.
|
> Most applications store their settings under the user profile. That is, the settings stored in the file system are under the `%UserProfile%` directory, and the settings stored in the registry are under the `HKEY_CURRENT_USER` hive. For these applications, the output of the file and registry monitoring tools can be filtered to show activity only under these locations. This filtering considerably reduces the amount of output that needs to be examined.
|
||||||
|
|
||||||
1. Start the monitoring tool(s), change a setting, and look for registry and file system writes that occurred when the setting was changed. Make sure the changes made actually take effect. For example, if changing a setting in Microsoft Word by selecting a check box in the **Options** dialog box, the change typically doesn't take effect until the dialog box is closed by selecting **OK**.
|
1. Start the monitoring tools, change a setting, and look for registry and file system writes that occurred when the setting was changed. Make sure the changes made actually take effect. For example, if changing a setting in Microsoft Word by selecting a check box in the **Options** dialog box, the change typically doesn't take effect until the dialog box is closed by selecting **OK**.
|
||||||
|
|
||||||
1. When the setting is changed, note the changes to the file system and registry. There could be more than one file or registry values for each setting. The minimal set of file and registry changes that are required to change this setting should be identified. This set of files and registry keys is what needs to be migrated in order to migrate the setting.
|
1. When the setting is changed, note the changes to the file system and registry. There could be more than one file or registry values for each setting. The minimal set of file and registry changes that are required to change this setting should be identified. This set of files and registry keys is what needs to be migrated in order to migrate the setting.
|
||||||
|
|
||||||
|
@ -1,300 +1,272 @@
|
|||||||
---
|
---
|
||||||
title: Windows 10 deployment scenarios and tools
|
title: Windows deployment scenarios and tools
|
||||||
description: Learn about the tools you can use to deploy Windows 10 and related applications to your organization. Explore deployment scenarios.
|
description: Learn about the tools that can be used to deploy Windows and related applications to your organization. Explore deployment scenarios.
|
||||||
manager: aaroncz
|
manager: aaroncz
|
||||||
ms.author: frankroj
|
ms.author: frankroj
|
||||||
author: frankroj
|
author: frankroj
|
||||||
ms.service: windows-client
|
ms.service: windows-client
|
||||||
ms.topic: conceptual
|
ms.topic: conceptual
|
||||||
ms.date: 11/23/2022
|
ms.date: 08/30/2024
|
||||||
ms.subservice: itpro-deploy
|
ms.subservice: itpro-deploy
|
||||||
---
|
---
|
||||||
|
|
||||||
# Windows 10 deployment scenarios and tools
|
# Windows deployment scenarios and tools
|
||||||
|
|
||||||
To successfully deploy the Windows 10 operating system and applications for your organization, understand the available tools to help with the process. In this article, you'll learn about the most commonly used tools for Windows 10 deployment.
|
To successfully deploy the Windows operating system and applications for your organization, it's important to understand the available tools to help with the process. This article covers the most commonly used tools for Windows 10 deployment.
|
||||||
|
|
||||||
Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). These tools aren't a complete solution on their own. Combine these tools with solutions like [Configuration Manager](/mem/configmgr) to get a complete deployment solution.
|
Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). These tools aren't a complete solution on their own. Combine these tools with solutions like [Configuration Manager](/mem/configmgr) to get a complete deployment solution.
|
||||||
|
|
||||||
In this article, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations
|
This article also covers the different types of reference images that can be built, and why reference images are beneficial for most organizations.
|
||||||
|
|
||||||
## Windows Assessment and Deployment Kit
|
## Windows Assessment and Deployment Kit
|
||||||
|
|
||||||
Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more information, see [Windows ADK for Windows 10](/windows-hardware/get-started/adk-install) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
|
The Windows Assessment and Deployment Kit (Windows ADK) contains core assessment and deployment tools and technologies, including:
|
||||||
|
|
||||||

|
- [Deployment Image Servicing and Management (DISM)](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows).
|
||||||
|
- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-packages).
|
||||||
|
- [Windows System Image Manager (Windows SIM)](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference).
|
||||||
|
- [User State Migration Tool (USMT)](/windows/deployment/usmt/usmt-overview).
|
||||||
|
- [Volume Activation Management Tool (VAMT)](/windows/deployment/volume-activation/volume-activation-management-tool).
|
||||||
|
- [Windows Preinstallation Environment (Windows PE)](/windows-hardware/manufacture/desktop/winpe-intro).
|
||||||
|
- [Windows Assessment Toolkit](/windows-hardware/test/assessments/).
|
||||||
|
- [Windows Performance Toolkit (WPT)](/windows-hardware/test/wpt/).
|
||||||
|
|
||||||
The Windows 10 ADK feature selection page.
|
For more information, see the following articles:
|
||||||
|
|
||||||
|
- [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
|
||||||
|
- [Windows ADK for Windows scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
|
||||||
|
- [Kits and tools overview](/windows-hardware/get-started/kits-and-tools-overview).
|
||||||
|
|
||||||
### Deployment Image Servicing and Management (DISM)
|
### Deployment Image Servicing and Management (DISM)
|
||||||
|
|
||||||
DISM is one of the deployment tools included in the Windows ADK and is used for capturing, servicing, and deploying boot images and operating system images.
|
DISM is one of the deployment tools included in the Windows ADK. It's used for capturing, servicing, and deploying both boot images and operating system images.
|
||||||
|
|
||||||
DISM services online and offline images. For example, with DISM you can install the Microsoft .NET Framework 3.5.1 in Windows 10 online, which means that you can start the installation in the running operating system, not that you get the software online. The /LimitAccess switch configures DISM to get the files only from a local source:
|
DISM services online and offline images. For example, with DISM you can install the Microsoft .NET Framework while Windows is online, which means that you can start the installation in the running operating system. The `/LimitAccess` switch configures DISM to get the files only from a local source. For example:
|
||||||
|
|
||||||
```cmd
|
```cmd
|
||||||
Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS /LimitAccess
|
Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS /LimitAccess
|
||||||
```
|
```
|
||||||
|
|
||||||
In Windows 10, you can use Windows PowerShell for many of the functions done by DISM.exe. The equivalent command in Windows 10 using PowerShell is:
|
Windows PowerShell can be used in Windows for many of the functions done by **DISM.exe**. The equivalent command in Windows using PowerShell is:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All
|
Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All
|
||||||
-Source D:\Sources\SxS -LimitAccess
|
-Source D:\Sources\SxS -LimitAccess
|
||||||
```
|
```
|
||||||
|
|
||||||

|
|
||||||
|
|
||||||
Using DISM functions in PowerShell.
|
|
||||||
|
|
||||||
For more information on DISM, see [DISM technical reference](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows).
|
For more information on DISM, see [DISM technical reference](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows).
|
||||||
|
|
||||||
### User State Migration Tool (USMT)
|
### User State Migration Tool (USMT)
|
||||||
|
|
||||||
USMT is a backup and restore tool that allows you to migrate user state, data, and settings from one installation to another. Microsoft Deployment Toolkit (MDT) and Configuration Manager use USMT as part of the operating system deployment process.
|
USMT is a backup and restore tool that allows you to migrate user state, data, and settings from one installation to another. Microsoft Configuration Manager uses USMT as part of the operating system deployment process.
|
||||||
|
|
||||||
USMT includes several command-line tools, the most important of which are ScanState and LoadState:
|
USMT includes several command-line tools, the most important of which are **ScanState** and **LoadState**:
|
||||||
|
|
||||||
- **ScanState.exe**: This tool performs the user-state backup.
|
- **ScanState.exe**: This tool performs the user-state backup.
|
||||||
- **LoadState.exe**: This tool performs the user-state restore.
|
- **LoadState.exe**: This tool performs the user-state restore.
|
||||||
- **UsmtUtils.exe**: This tool supplements the functionality in ScanState.exe and LoadState.exe.
|
- **UsmtUtils.exe**: This tool supplements the functionality in **ScanState.exe** and **LoadState.exe**.
|
||||||
|
|
||||||
In addition to these tools, there are also XML templates that manage which data is migrated. You can customize the templates, or create new ones, to manage the backup process at a high level of detail. USMT uses the following terms for its templates:
|
In addition to these tools, there are also XML templates that manage which data is migrated. You can customize the templates, or create new ones, to manage the backup process at a high level of detail. USMT uses the following terms for its templates:
|
||||||
|
|
||||||
- **Migration templates**: The default templates in USMT.
|
- **Migration templates**: The default templates in USMT.
|
||||||
- **Custom templates**: Custom templates that you create.
|
- **Custom templates**: Custom templates that you create.
|
||||||
- **Config template**: An optional template called Config.xml which you can use to exclude or include components in a migration without modifying the other standard XML templates.
|
- **Config template**: An optional template called **Config.xml** which you can use to exclude or include components in a migration without modifying the other standard XML templates.
|
||||||
|
|
||||||

|
USMT supports capturing and restoring both data and settings from currently supported versions of Windows. It also supports migrating from a 32-bit operating system to a 64-bit operating system, but not the other way around. For example, you can use USMT to migrate from Windows 10 x86 to Windows 11 x64.
|
||||||
|
|
||||||
A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files.
|
By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows deployments are **MigUser.xml** and **MigApp.xml**. These two default templates migrate the following data and settings:
|
||||||
|
|
||||||
USMT supports capturing data and settings from Windows Vista and later, and restoring the data and settings to Windows 7 and later (including Windows 10 in both cases). It also supports migrating from a 32-bit operating system to a 64-bit operating system, but not the other way around. For example, you can use USMT to migrate from Windows 7 x86 to Windows 10 x64.
|
- Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the following folders:
|
||||||
|
|
||||||
By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings:
|
- Documents.
|
||||||
|
- Video.
|
||||||
- Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated.
|
- Music.
|
||||||
|
- Pictures.
|
||||||
|
- Desktop.
|
||||||
|
|
||||||
- The following specific file types:
|
- The following specific file types:
|
||||||
|
|
||||||
`.accdb`, `.ch3`, `.csv`, `.dif`, `.doc*`, `.dot*`, `.dqy`, `.iqy`, `.mcw`, `.mdb*`, `.mpp`, `.one*`, `.oqy`, `.or6`, `.pot*`, `.ppa`, `.pps*`, `.ppt*`, `.pre`, `.pst`, `.pub`, `.qdf`, `.qel`, `.qph`, `.qsd`, `.rqy`, `.rtf`, `.scd`, `.sh3`, `.slk`, `.txt`, `.vl*`, `.vsd`, `.wk*`, `.wpd`, `.wps`, `.wq1`, `.wri`, `.xl*`, `.xla`, `.xlb`, `.xls*`
|
`.accdb`, `.ch3`, `.csv`, `.dif`, `.doc*`, `.dot*`, `.dqy`, `.iqy`, `.mcw`, `.mdb*`, `.mpp`, `.one*`, `.oqy`, `.or6`, `.pot*`, `.ppa`, `.pps*`, `.ppt*`, `.pre`, `.pst`, `.pub`, `.qdf`, `.qel`, `.qph`, `.qsd`, `.rqy`, `.rtf`, `.scd`, `.sh3`, `.slk`, `.txt`, `.vl*`, `.vsd`, `.wk*`, `.wpd`, `.wps`, `.wq1`, `.wri`, `.xl*`, `.xla`, `.xlb`, `.xls*`
|
||||||
|
|
||||||
|
> [!NOTE]
|
||||||
|
>
|
||||||
|
> - The asterisk (`*`) stands for zero or more characters.
|
||||||
|
>
|
||||||
|
> - The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) used by Microsoft Office applications aren't migrated by default.
|
||||||
|
|
||||||
> [!NOTE]
|
- Operating system component settings.
|
||||||
> The asterisk (`*`) stands for zero or more characters.
|
|
||||||
|
|
||||||
> [!NOTE]
|
- Application settings.
|
||||||
> The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default.
|
|
||||||
|
|
||||||
- Operating system component settings
|
These settings are migrated by the default **MigUser.xml** and **MigApp.xml** templates. For more information, see [What does USMT migrate?](./usmt/usmt-what-does-usmt-migrate.md) For more general information on USMT, see [User State Migration Tool (USMT) overview](./usmt/usmt-overview.md).
|
||||||
|
|
||||||
- Application settings
|
### Windows Configuration Designer
|
||||||
|
|
||||||
These settings are migrated by the default MigUser.xml and MigApp.xml templates. For more information, see [What does USMT migrate?](./usmt/usmt-what-does-usmt-migrate.md) For more general information on USMT, see [USMT technical reference](./usmt/usmt-reference.md).
|
Windows Configuration Designer is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device. This tool is useful for setting up new devices without the need for reimaging the device with a custom image.
|
||||||
|
|
||||||
### Windows Imaging and Configuration Designer
|
For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages).
|
||||||
|
|
||||||
Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This tool is useful for setting up new devices, without the need for reimaging the device with a custom image.
|
|
||||||
|
|
||||||

|
|
||||||
|
|
||||||
Windows Imaging and Configuration Designer.
|
|
||||||
|
|
||||||
For more information, see [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
|
|
||||||
|
|
||||||
### Windows System Image Manager (Windows SIM)
|
### Windows System Image Manager (Windows SIM)
|
||||||
|
|
||||||
Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don't need Windows SIM often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall.
|
Windows System Image Manager (Windows SIM) is an authoring tool for **Unattend.xml** files. Windows SIM isn't normally needed when using Microsoft Configuration Manager. Microsoft Configuration Manager automatically creates and updates the **Unattend.xml** file based on settings specified in the task sequence, primarily at the **Apply Windows Settings** task. The automation in Microsoft Configuration Manager greatly simplifies the overall process.
|
||||||
|
|
||||||

|
For more information, see [Windows System Image Manager Technical Reference](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference).
|
||||||
|
|
||||||
Windows answer file opened in Windows SIM.
|
|
||||||
|
|
||||||
For more information, see [Windows System Image Manager Technical Reference]( https://go.microsoft.com/fwlink/p/?LinkId=619906).
|
|
||||||
|
|
||||||
### Volume Activation Management Tool (VAMT)
|
### Volume Activation Management Tool (VAMT)
|
||||||
|
|
||||||
If you don't use KMS, manage your MAKs centrally with the Volume Activation Management Tool (VAMT). Use this tool to install and manage product keys throughout the organization. VAMT can also activate on behalf of clients without internet access, acting as a MAK proxy.
|
If not using [Key Management Services (KMS)](/windows-server/get-started/kms-client-activation-keys), Multiple Activation Keys (MAKs) can be centrally managed with the Volume Activation Management Tool (VAMT). Use this tool to install and manage product keys throughout the organization. VAMT can also activate on behalf of clients without internet access, acting as a MAK proxy.
|
||||||
|
|
||||||

|
VAMT can also be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office volume activation. VAMT also supports PowerShell. For example, to get information from the VAMT database, enter:
|
||||||
|
|
||||||
The updated Volume Activation Management Tool.
|
|
||||||
|
|
||||||
VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell (instead of the old command-line tool). For example, if you want to get information from the VAMT database, you can type:
|
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Get-VamtProduct
|
Get-VamtProduct
|
||||||
```
|
```
|
||||||
|
|
||||||
For more information on the VAMT, see [VAMT technical reference](./volume-activation/volume-activation-management-tool.md).
|
For more information on the VAMT, see the following articles:
|
||||||
|
|
||||||
|
- [Volume Activation Management Tool (VAMT)](/windows/deployment/volume-activation/volume-activation-management-tool).
|
||||||
|
- [VAMT technical reference](./volume-activation/volume-activation-management-tool.md).
|
||||||
|
|
||||||
### Windows Preinstallation Environment (Windows PE)
|
### Windows Preinstallation Environment (Windows PE)
|
||||||
|
|
||||||
Windows PE is a "Lite" version of Windows 10 and was created to act as a deployment platform. Windows PE replaces the DOS or Linux boot disks that ruled the deployment solutions of the last decade.
|
Windows PE is a "lite" version of Windows used as a deployment platform.
|
||||||
|
|
||||||
The key thing to know about Windows PE is that, like the operating system, it needs drivers for at least network and storage devices in each PC. Luckily Windows PE includes the same drivers as the full Windows 10 operating system, which means much of your hardware will work out of the box.
|
Windows PE is like any other operating system and it needs drivers. However, it doesn't need a full set of drivers. It only needs a minimalist set of drivers necessary to deploy Windows. Normally only network and storage drivers are needed. Windows PE already includes a set of drivers out of the box so most devices work without the need to add any additional drivers.
|
||||||
|
|
||||||

|
|
||||||
|
|
||||||
A machine booted with the Windows ADK default Windows PE boot image.
|
|
||||||
|
|
||||||
For more information on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro).
|
For more information on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro).
|
||||||
|
|
||||||
## Windows Recovery Environment
|
## Windows Recovery Environment
|
||||||
|
|
||||||
Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you'll see an automatic failover into Windows RE.
|
Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in currently supported versions of Windows. Windows RE is based on Windows PE. If needed, Windows RE can also be extended with custom tools. If a Windows fails to start and Windows RE is installed, an automatic failover into Windows RE occurs.
|
||||||
|
|
||||||

|
|
||||||
|
|
||||||
A Windows 10 client booted into Windows RE, showing Advanced options.
|
|
||||||
|
|
||||||
For more information on Windows RE, see [Windows Recovery Environment](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference).
|
For more information on Windows RE, see [Windows Recovery Environment](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference).
|
||||||
|
|
||||||
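Review bot: In the new Windows RE paragraph, "If a Windows fails to start and Windows RE is installed" has a stray article and should read "If Windows fails to start". The rest of the rewrite into impersonal voice reads cleanly.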
## Windows Deployment Services
|
## Windows Deployment Services
|
||||||
|
|
||||||
Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you'll use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker.
|
The main functions of Windows Deployment Services (WDS) are:
|
||||||
|
|
||||||

|
- PXE boot support.
|
||||||
|
- Multicast.
|
||||||
|
- BitLocker Network Unlock.
|
||||||
|
|
||||||
Windows Deployment Services using multicast to deploy three machines.
|
The following considerations should be observed when using WDS for operating system deployment:
|
||||||
|
|
||||||
In Windows Server 2012 R2, [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831764(v=ws.11)) can be configured for stand-alone mode or for Active Directory integration. The Active Directory integration mode is the best option, in most scenarios. WDS also has the capability to manage drivers; however, driver management through MDT and Configuration Manager is more suitable for deployment due to the flexibility offered by both solutions, so you'll use them instead. In WDS, it's possible to pre-stage devices in Active Directory, but here, too, Configuration Manager has that capability built in, and MDT has the ability to use a SQL Server database for pre-staging. In most scenarios, those solutions are better than the built-in pre-staging function as they allow greater control and management.
|
- WDS can be configured for stand-alone mode or for Active Directory integration. Active Directory integration mode is recommended in most scenarios.
|
||||||
|
|
||||||
### Trivial File Transfer Protocol (TFTP) configuration
|
- WDS has the capability to manage drivers. However, driver management through Microsoft Configuration Manager is more suitable for deployment due to its flexibility.
|
||||||
|
|
||||||
In some cases, you need to modify TFTP Maximum Block Size settings for performance tuning reasons, especially when PXE traffic travels through routers and such. In the previous version of WDS, it was possible to change that, but the method of do so—editing the registry—wasn't user friendly. In Windows Server 2012, this modification in settings has become much easier to do as it can be configured as a setting.
|
- WDS can pre-stage unknown devices as a known computer in Active Directory. However, Microsoft Configuration Manager also has the capability of staging unknown devices as known devices in it's database. In most scenarios, Microsoft Configuration Manager is a better solution for pre-staging devices since it allows greater control and management.
|
||||||
|
|
||||||
Also, there are a few new features related to TFTP performance:
|
- Trivial File Transfer Protocol (TFTP) block size and windows size settings can be configured with WDS to increase performance and download speeds during PXE booting. However, although an increase in TFTP settings can increase performance and download speeds, it can also decrease reliability and cause failures, including a reduction of download speeds. There are many variables involved when determining TFTP settings, including networking equipment, network configuration, and device compatibility.
|
||||||
|
|
||||||
- **Scalable buffer management**: Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer.
|
For stand-alone WDS, TFTP settings can be configured in the WDS console under the **TFTP** tab in the properties of the WDS server. For Microsoft Configuration manager, see [Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points](/mem/configmgr/osd/get-started/prepare-site-system-roles-for-operating-system-deployments#customize-the-ramdisk-tftp-block-and-window-sizes-on-pxe-enabled-distribution-points).
|
||||||
- **Scalable port management**: Provides the capability to service clients with shared UDP port allocation, increasing scalability.
|
|
||||||
- **Variable-size transmission window (Variable Windows Extension)**: Improves TFTP performance by allowing the client and server to determine the largest workable window size.
|
|
||||||
|
|
||||||

|
|
||||||
|
|
||||||
TFTP changes are now easy to perform.
|
|
||||||
|
|
||||||
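Review bot: The new pre-staging bullet says "in it's database", which should be the possessive "its", and the closing paragraph writes "Microsoft Configuration manager" where every other new line uses "Microsoft Configuration Manager". The TFTP bullet warns that larger block and window sizes can "decrease reliability and cause failures" but gives the reader no way to act on that; one sentence advising to change the values in small steps and to test PXE boot on representative hardware after each change would make the warning usable.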
## Microsoft Deployment Toolkit
|
|
||||||
|
|
||||||
MDT is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution.
|
|
||||||
|
|
||||||
MDT has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to Configuration Manager.
|
|
||||||
|
|
||||||
**Note**
|
|
||||||
Lite Touch and Zero Touch are marketing names for the two solutions that MDT supports, and the naming has nothing to do with automation. You can fully automate the stand-alone MDT solution (Lite Touch), and you can configure the solution integration with Configuration Manager to prompt for information.
|
|
||||||
|
|
||||||

|
|
||||||
|
|
||||||
The Deployment Workbench in, showing a task sequence.
|
|
||||||
|
|
||||||
For more information on MDT, see the [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) resource center.
|
|
||||||
|
|
||||||
## Microsoft Security Compliance Manager 2013
|
|
||||||
|
|
||||||
[Microsoft SCM](https://www.microsoft.com/download/details.aspx?id=53353) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer.
|
|
||||||
|
|
||||||

|
|
||||||
|
|
||||||
The SCM console showing a baseline configuration for a fictional client's computer security compliance.
|
|
||||||
|
|
||||||
## Microsoft Desktop Optimization Pack
|
|
||||||
|
|
||||||
MDOP is a suite of technologies available to Software Assurance customers through another subscription.
|
|
||||||
|
|
||||||
The following components are included in the MDOP suite:
|
|
||||||
|
|
||||||
- **Microsoft Application Virtualization (App-V).** App-V 5.0 provides an integrated platform, more flexible virtualization, and powerful management for virtualized applications. With the release of App-V 5.0 SP3, you have support to run virtual applications on Windows 10.
|
|
||||||
|
|
||||||
- **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions.
|
|
||||||
|
|
||||||
- **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation.
|
|
||||||
- **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines.
|
|
||||||
- **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, and monitor compliance with these policies.
|
|
||||||
|
|
||||||
For more information on the benefits of an MDOP subscription, see [Microsoft Desktop Optimization Pack](/microsoft-desktop-optimization-pack/).
|
|
||||||
|
|
||||||
<!--
|
|
||||||
|
|
||||||
REMOVING SECTION SINCE INTERNET EXPLORER IS NO LONGER SUPPORTED
|
|
||||||
|
|
||||||
## Internet Explorer Administration Kit 11
|
|
||||||
|
|
||||||
There has been a version of IEAK for every version of Internet Explorer since 3.0. It gives you the capability to customize Internet Explorer as you would like. The end result of using IEAK is an Internet Explorer package that can be deployed unattended. The wizard creates one .exe file and one .msi file.
|
|
||||||
|
|
||||||

|
|
||||||
|
|
||||||
The User Experience selection screen in IEAK 11.
|
|
||||||
|
|
||||||
To download IEAK 11, see the [Internet Explorer Administration Kit (IEAK) Information and Downloads](/internet-explorer/ie11-ieak/ieak-information-and-downloads) page.
|
|
||||||
|
|
||||||
-->
|
|
||||||
|
|
||||||
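Review bot: Removing the Microsoft Security Compliance Manager 2013 section and the MDOP list, including the MBAM entry, leaves the new side of the article with no pointer for security baselines or BitLocker management. If those topics are still in scope for this overview, add a short "For more information" link to current guidance in their place, as the new VAMT and WSUS sections do; if they are intentionally out of scope, note that in the commit message. Dropping the commented-out IEAK block along with them is a good cleanup.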
## Windows Server Update Services
|
## Windows Server Update Services
|
||||||
|
|
||||||
WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment.
|
WSUS is a server role in Windows Server that enables a local repository of Microsoft updates. The Microsoft Update can then be distributed from the WSUS server to devices in the organization's environment without having to go out to the public Microsoft Update site. WSUS offers approval control and reporting of update status in the environment.
|
||||||
|
|
||||||

|
For more information on WSUS, see the [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus).
|
||||||
|
|
||||||
The Windows Server Update Services console.
|
|
||||||
|
|
||||||
For more information on WSUS, see the [Windows Server Update Services Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)).
|
|
||||||
|
|
||||||
## Unified Extensible Firmware Interface
|
## Unified Extensible Firmware Interface
|
||||||
|
|
||||||
For many years, BIOS has been the industry standard for booting a PC. BIOS has served us well, but it's time to replace it with something better. **UEFI** is the replacement for BIOS, so it's important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment.
|
Unified Extensible Firmware Interface (**UEFI**) is used to initialize and boot a device. It's the successor for BIOS, the method used for many years to initialize and boot a device.
|
||||||
|
|
||||||
|
This section will go over the advantages of UEFI over BIOS, how the two differ, and now it affects operating system deployment.
|
||||||
|
|
||||||
### Introduction to UEFI
|
### Introduction to UEFI
|
||||||
|
|
||||||
BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including:
|
Although BIOS was used successfully on devices for many years, it has some limitations. For example:
|
||||||
|
|
||||||
- 16-bit code
|
- 16-bit code
|
||||||
- 1-MB address space
|
- 1-MB address space
|
||||||
- Poor performance on ROM initialization
|
- Poor performance on ROM initialization
|
||||||
- MBR maximum bootable disk size of 2.2 TB
|
- MBR maximum bootable disk size of 2.2 TB
|
||||||
|
|
||||||
As the replacement to BIOS, UEFI has many features that Windows can and will use.
|
As the replacement to BIOS, UEFI has many features BIOS doesn't have. Windows can take advantage of many of these UEFI features. UEFI has the following features not available in BIOS:
|
||||||
|
|
||||||
With UEFI, you can benefit from:
|
- **Support for large disks** - UEFI requires a GUID Partition Table (GPT) based disk. GPT can support disks up to approximately 16.8 million TB in disk size. GPT also supports more than 100 primary disks.
|
||||||
|
|
||||||
- **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks.
|
- **Faster boot time** - UEFI replaces BIOS interrupt call INT 13h, improving boot time, especially when resuming from hibernate.
|
||||||
- **Faster boot time.** UEFI doesn't use INT 13, and that improves boot time, especially when it comes to resuming from hibernate.
|
|
||||||
- **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start.
|
|
||||||
- **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS.
|
|
||||||
- **CPU-independent architecture.** Even if BIOS can run both 32-bit and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS.
|
|
||||||
- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That isn't needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment.
|
|
||||||
- **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
|
|
||||||
- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware can't switch the boot loader.
|
|
||||||
|
|
||||||
### UEFI versions
|
- **Multicast deployment** - UEFI firmware can use multicast directly when it boots up. With solutions such as WDS and Microsoft Configuration Manager, multicast support is only available by first booting into Windows PE. With UEFI, multicast can run directly from UEFI.
|
||||||
|
|
||||||
UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a few machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later.
|
- **Compatibility with earlier BIOS** - Older devices with UEFI had a UEFI implementation that included a compatibility support module (CSM) that emulates BIOS. However, due to the current wide support of UEFI, modern devices generally don't have a CSM and therefore aren't backward compatible with BIOS. For example, Windows 11 and newer doesn't support BIOS so therefore only runs on modern devices that have UEFI.
|
||||||
|
|
||||||
|
- **CPU-independent architecture** - BIOS can run both 32-bit and 64-bit versions of firmware. However, all firmware device drivers on BIOS systems must be 16-bit. This limitation affects performance and only 64 KB of memory can be addressed. UEFI removes these limitations.
|
||||||
|
|
||||||
|
- **CPU-independent drivers** - On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. This limitation isn't needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images. EBC images allow for a processor-independent device driver environment.
|
||||||
|
|
||||||
|
- **Flexible pre-operating system environment** - UEFI supports UEFI application that can run before the OS is loaded. UEFI applications allow many additional features such as diagnostics, automatic repairs, and the ability to call home to report errors.
|
||||||
|
|
||||||
|
- **Secure boot** - Currently supported versions of Windows use the UEFI firmware validation process, called [secure boot](/windows-hardware/design/device-experiences/oem-secure-boot). When secure boot is used, UEFI ensures that it launches only a verified operating system loader and that malware can't switch the boot loader.
|
||||||
|
|
||||||
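Review bot: The new large-disk bullet keeps the old claim that GPT "supports more than 100 primary disks"; GPT limits are per disk, so this reads as if it should be primary partitions, and it is worth correcting while the line is being rewritten. Two typos on the new side in this region: the section intro has "and now it affects operating system deployment" where "how" is meant, and the pre-operating system bullet has "UEFI supports UEFI application that can run", which needs the plural "applications". In the CSM bullet, "so therefore" is redundant.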
### Hardware support for UEFI
|
### Hardware support for UEFI
|
||||||
|
|
||||||
In regard to UEFI, hardware is divided into four device classes:
|
In regard to UEFI, hardware is divided into four device classes:
|
||||||
|
|
||||||
- **Class 0 devices.** The device of this class is the UEFI definition for a BIOS, or non-UEFI, device.
|
- **Class 0 devices.** Devices in this class are BIOS, or non-UEFI, devices.
|
||||||
- **Class 1 devices.** The devices of this class behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured.
|
|
||||||
- **Class 2 devices.** The devices of this class have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available.
|
- **Class 1 devices.** Devices in this class behave like a standard BIOS device, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS.
|
||||||
- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 isn't supported on these class 3 devices. Class 3 devices don't have a CSM to emulate BIOS.
|
|
||||||
|
- **Class 2 devices.** Devices in this class have the capability to behave as either a BIOS device or as a UEFI device. The boot process or the configuration in the firmware of the device determines the mode. Class 2 devices use a CSM to emulate BIOS.
|
||||||
|
|
||||||
|
- **Class 3 devices.** The devices in this class are UEFI-only devices. They don't have backwards compatibility with BIOS. Devices in this class must run an operating system that supports UEFI. All currently supported versions of Windows support UEFI. Class 3 devices don't have a CSM to emulate BIOS.
|
||||||
|
|
||||||
|
In general, all modern devices are Class 3 devices. Class 0, Class 1, and Class 2 devices are older devices and are no longer manufactured.
|
||||||
|
|
||||||
### Windows support for UEFI
|
### Windows support for UEFI
|
||||||
|
|
||||||
Microsoft started with support for EFI 1.10 on servers and then added support for UEFI on both clients and servers.
|
- Windows 10 supports both x86 and x64 versions of UEFI.
|
||||||
|
|
||||||
With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI doesn't support cross-platform boot. This limitation means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system.
|
- Windows 11 and newer only supports x64 versions of UEFI.
|
||||||
|
|
||||||
### How UEFI is changing operating system deployment
|
- UEFI doesn't support cross-platform boot.
|
||||||
|
|
||||||
|
- UEFI x64 devices can only run a 64-bit operating system. Most modern UEFI devices are x64.
|
||||||
|
- UEFI x86 devices can run only a 32-bit operating system. For Windows, only Windows 10 x86 supports UEFI x86. Windows 11 and newer doesn't support UEFI x86. Lack of UEFI x86 support in Windows 11 generally isn't an issue since UEFI x86 devices are rare.
|
||||||
|
|
||||||
|
### UEFI considerations for operating system deployment
|
||||||
|
|
||||||
There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices:
|
There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices:
|
||||||
|
|
||||||
- Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS.
|
- Class 2 devices can switch between BIOS and UEFI via the device's firmware. Make sure the desired mode for the device is selected in the device's firmware. Microsoft recommends using Class 2 devices in UEFI mode due to the added benefits and security that UEFI provides.
|
||||||
- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It's common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa.
|
|
||||||
- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4 GB.
|
When a Class 2 device is switched from BIOS to UEFI, one of the following two actions needs to take place:
|
||||||
- UEFI doesn't support cross-platform booting; therefore, you need to have the correct boot media (32-bit or 64-bit).
|
|
||||||
|
- The disk needs to be converted from MBR to GPT and then partitioned accordingly to support UEFI. This conversion can be done via a tool such as [diskpart](/windows-server/administration/windows-commands/diskpart). For example, while Windows running on BIOS only requires one partition that can be either FAT32 or NTFS, Windows running on a UEFI device requires the following partitions:
|
||||||
|
|
||||||
|
- FAT32 boot/system partition.
|
||||||
|
- NTFS OS partition.
|
||||||
|
- Microsoft reserved partition (MSR) partition (unique to Windows).
|
||||||
|
- Recovery partition (optional).
|
||||||
|
|
||||||
|
Because the existing disk is wiped as part of this process, the following actions need to take place:
|
||||||
|
|
||||||
|
- Windows need to be reinstalled.
|
||||||
|
- Applications need to be reinstalled.
|
||||||
|
- Data and settings need to be backed up and restored.
|
||||||
|
|
||||||
|
For more information, see [UEFI/GPT-based hard drive partitions](/windows-hardware/manufacture/desktop/configure-uefigpt-based-hard-drive-partitions).
|
||||||
|
|
||||||
|
- The [MBR2GPT.EXE](mbr-to-gpt.md) tool can be used to convert the disk from MBR to GPT for use with UEFI in a non-destructive way. **MBR2GPT.EXE** also reconfigures the partitioning on the disk with the correct partitioning for Windows to run on UEFI. The benefit of using the **MBR2GPT.EXE** is that it converts the disk and repartitions it without wiping the disk and without data loss. Since the disk isn't wiped and there's no data loss, the following actions don't need to be performed:
|
||||||
|
|
||||||
|
- Windows doesn't need to be reinstalled.
|
||||||
|
- Applications don't need to be reinstalled.
|
||||||
|
- Data and settings don't need to be backed up and restored.
|
||||||
|
|
||||||
|
- When you deploy a Class 2 device, make sure the boot option is set to the proper boot device (hard drive, flash drive, PXE, etc.) The boot options available on Class 2 devices might differ between BIOS and UEFI modes.
|
||||||
|
|
||||||
|
- When a UEFI device boots from media, the media has to be FAT32. UEFI only supports booting from FAT32 partitions, which is why the boot/system partition on the disk is FAT32. Additionally, FAT32 has a file-size limitation of 4 GB. OS images larger than 4 GB need to be split with a tool such as [DISM](/windows-hardware/manufacture/desktop/what-is-dism). For more information, see [Split-WindowsImage](/powershell/module/dism/split-windowsimage) or [/Split-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#split-image).
|
||||||
|
|
||||||
|
- UEFI doesn't support cross architecture booting. x64 devices require x64 boot media and x86 devices require x86 boot media.
|
||||||
|
|
||||||
|
- Most modern UEFI devices are x64. UEFI x86 devices are rare.
|
||||||
|
|
||||||
For more information on UEFI, see the [UEFI firmware](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824898(v=win.10)) overview and related resources.
|
For more information on UEFI, see the [UEFI firmware](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824898(v=win.10)) overview and related resources.
|
||||||
|
|
||||||
## Related articles
|
## Related content
|
||||||
|
|
||||||
[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)<br>
|
- [Windows ADK for Windows scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
|
||||||
[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md)
|
- [MBR2GPT.EXE](mbr-to-gpt.md).
|
||||||
|
- [UEFI/GPT-based hard drive partitions](/windows-hardware/manufacture/desktop/configure-uefigpt-based-hard-drive-partitions).
|
||||||
|
- [UEFI firmware](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824898(v=win.10)).
|
||||||
|
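Review bot: In the new wipe-and-reload bullets, `- Windows need to be reinstalled.` should read "Windows needs to be reinstalled", matching the singular used in the MBR2GPT bullets ("Windows doesn't need to be reinstalled"). In the Class 2 bullet, `(hard drive, flash drive, PXE, etc.) The boot options` is missing the sentence-ending period after the closing parenthesis. The rewritten Related content list also drops the "Sideload apps in Windows 10" link; confirm that removal is intended.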
@ -10,7 +10,7 @@ manager: cshepard
|
|||||||
ms.reviewer: nganguly
|
ms.reviewer: nganguly
|
||||||
ms.topic: concept-article
|
ms.topic: concept-article
|
||||||
zone_pivot_groups: windows-versions-11-10
|
zone_pivot_groups: windows-versions-11-10
|
||||||
ms.date: 03/04/2024
|
ms.date: 09/03/2024
|
||||||
appliesto:
|
appliesto:
|
||||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||||
@ -53,6 +53,9 @@ Organizations that use the Subscription Activation feature to enable users to "s
|
|||||||
|
|
||||||
- [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
|
- [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
|
||||||
|
|
||||||
|
> [!NOTE]
|
||||||
|
> The Microsoft Store for Business and Microsoft Store for Education are retired. For more information, see [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring).
|
||||||
|
|
||||||
Although the app ID is the same in both instances, the name of the cloud app depends on the tenant.
|
Although the app ID is the same in both instances, the name of the cloud app depends on the tenant.
|
||||||
|
|
||||||
For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
|
For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
|
||||||
|
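Review bot: The added `[!NOTE]` sits between the AppID bullet and the sentence "Although the app ID is the same in both instances", so that sentence now reads as if it follows from the retirement notice rather than from the list of app IDs. Move the note below that sentence, and state whether the Conditional Access exclusion for AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f is still required now that the Store for Business is retired; otherwise readers cannot tell whether to keep the exclusion in their policies or remove it.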
@ -170,4 +170,4 @@ additionalContent:
|
|||||||
- text: Windows office hours
|
- text: Windows office hours
|
||||||
url: https://aka.ms/Windows/OfficeHours
|
url: https://aka.ms/Windows/OfficeHours
|
||||||
- text: Microsoft support community
|
- text: Microsoft support community
|
||||||
url: https://answers.microsoft.com/windowsclient/forum
|
url: https://answers.microsoft.com/
|
||||||
|
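Review bot: The "Microsoft support community" entry now points at `https://answers.microsoft.com/` instead of the `windowsclient/forum` path, so the link no longer lands on a Windows-specific forum. If the old path was retired, link to the closest Windows landing page rather than the site root, or say in the commit message why the generic URL is intended.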
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
ms.date: 11/07/2023
|
ms.date: 09/06/2024
|
||||||
title: Access Control overview
|
title: Access Control overview
|
||||||
description: Learn about access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer.
|
description: Learn about access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer.
|
||||||
ms.topic: overview
|
ms.topic: overview
|
||||||
appliesto:
|
appliesto:
|
||||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
|
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
ms.date: 11/07/2023
|
ms.date: 09/06/2024
|
||||||
title: Local Accounts
|
title: Local Accounts
|
||||||
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
|
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
|
||||||
ms.topic: concept-article
|
ms.topic: concept-article
|
||||||
appliesto:
|
appliesto:
|
||||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
|
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
|
||||||
@ -37,7 +37,7 @@ The default Administrator account can't be deleted or locked out, but it can be
|
|||||||
|
|
||||||
Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group.
|
Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group.
|
||||||
|
|
||||||
Members of the Administrators groups can run apps with elevated permissions without using the *Run as Administrator* option. Fast User Switching is more secure than using `runas` or different-user elevation.
|
Members of the Administrators groups can run apps with elevated permissions without using the *Run as Administrator* option. Fast User Switching is more secure than using `runas` or different-user elevation.
|
||||||
|
|
||||||
#### Account group membership
|
#### Account group membership
|
||||||
|
|
||||||
@ -219,7 +219,7 @@ The following table shows the Group Policy and registry settings that are used t
|
|||||||
||Registry value data|0|
|
||Registry value data|0|
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates.
|
> You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates.
|
||||||
|
|
||||||
#### To enforce local account restrictions for remote access
|
#### To enforce local account restrictions for remote access
|
||||||
|
|
||||||
|
@ -4,7 +4,7 @@ description: Learn about passkeys and how to use them on Windows devices.
|
|||||||
ms.collection:
|
ms.collection:
|
||||||
- tier1
|
- tier1
|
||||||
ms.topic: overview
|
ms.topic: overview
|
||||||
ms.date: 11/07/2023
|
ms.date: 09/06/2024
|
||||||
appliesto:
|
appliesto:
|
||||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
title: Deploy Virtual Smart Cards
|
title: Deploy Virtual Smart Cards
|
||||||
description: Learn about what to consider when deploying a virtual smart card authentication solution
|
description: Learn about what to consider when deploying a virtual smart card authentication solution
|
||||||
ms.topic: concept-article
|
ms.topic: concept-article
|
||||||
ms.date: 11/06/2023
|
ms.date: 09/06/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Deploy Virtual Smart Cards
|
# Deploy Virtual Smart Cards
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
title: Evaluate Virtual Smart Card Security
|
title: Evaluate Virtual Smart Card Security
|
||||||
description: Learn about the security characteristics and considerations when deploying TPM virtual smart cards.
|
description: Learn about the security characteristics and considerations when deploying TPM virtual smart cards.
|
||||||
ms.topic: concept-article
|
ms.topic: concept-article
|
||||||
ms.date: 11/06/2023
|
ms.date: 09/06/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Evaluate Virtual Smart Card Security
|
# Evaluate Virtual Smart Card Security
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
title: Get Started with Virtual Smart Cards - Walkthrough Guide
|
title: Get Started with Virtual Smart Cards - Walkthrough Guide
|
||||||
description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
|
description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
|
||||||
ms.topic: get-started
|
ms.topic: get-started
|
||||||
ms.date: 11/06/2023
|
ms.date: 09/06/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Get Started with Virtual Smart Cards: Walkthrough Guide
|
# Get Started with Virtual Smart Cards: Walkthrough Guide
|
||||||
@ -79,10 +79,11 @@ In this step, you create the virtual smart card on the client computer by using
|
|||||||
|
|
||||||
`tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate`
|
`tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate`
|
||||||
|
|
||||||
This creates a virtual smart card with the name **TestVSC**, omit the unlock key, and generate the file system on the card. The PIN is set to the default, 12345678. To be prompted for a PIN, instead of **/pin default** you can type **/pin prompt**.\
|
This creates a virtual smart card with the name **TestVSC**, omit the unlock key, and generate the file system on the card. The PIN is set to the default, 12345678.
|
||||||
For more information about the Tpmvscmgr command-line tool, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) and [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md).
|
|
||||||
|
|
||||||
1. Wait several seconds for the process to finish. Upon completion, Tpmvscmgr.exe provides you with the device instance ID for the TPM Virtual Smart Card. Store this ID for later reference because you need it to manage or remove the virtual smart card.
|
1. Wait several seconds for the process to finish. Upon completion, Tpmvscmgr.exe provides you with the device instance ID for the TPM Virtual Smart Card. Store this ID for later reference because you need it to manage or remove the virtual smart card. To be prompted for a PIN, instead of **/pin default** you can type **/pin prompt**.
|
||||||
|
|
||||||
|
For more information about the Tpmvscmgr command-line tool, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) and [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md).
|
||||||
|
|
||||||
## Step 3: Enroll for the certificate on the TPM Virtual Smart Card
|
## Step 3: Enroll for the certificate on the TPM Virtual Smart Card
|
||||||
|
|
||||||
|
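Review bot: The sentence "To be prompted for a PIN, instead of **/pin default** you can type **/pin prompt**." has been moved to the end of list item 1, which covers waiting for the command to finish and storing the device instance ID; by that point the card already exists with the default PIN 12345678. Keep the `/pin prompt` hint in the paragraph that explains the command, next to the statement of the default PIN. While touching that paragraph, "omit the unlock key, and generate the file system" should be "omits" and "generates" to agree with "This creates".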
@ -2,7 +2,7 @@
|
|||||||
title: Virtual Smart Card Overview
|
title: Virtual Smart Card Overview
|
||||||
description: Learn about virtual smart card technology for Windows.
|
description: Learn about virtual smart card technology for Windows.
|
||||||
ms.topic: overview
|
ms.topic: overview
|
||||||
ms.date: 11/06/2023
|
ms.date: 09/06/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Virtual Smart Card Overview
|
# Virtual Smart Card Overview
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
title: Tpmvscmgr
|
title: Tpmvscmgr
|
||||||
description: Learn about the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
|
description: Learn about the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
|
||||||
ms.topic: reference
|
ms.topic: reference
|
||||||
ms.date: 11/06/2023
|
ms.date: 09/06/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Tpmvscmgr
|
# Tpmvscmgr
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
title: Understanding and Evaluating Virtual Smart Cards
|
title: Understanding and Evaluating Virtual Smart Cards
|
||||||
description: Learn how smart card technology can fit into your authentication design.
|
description: Learn how smart card technology can fit into your authentication design.
|
||||||
ms.topic: overview
|
ms.topic: overview
|
||||||
ms.date: 11/06/2023
|
ms.date: 09/06/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Understand and Evaluate Virtual Smart Cards
|
# Understand and Evaluate Virtual Smart Cards
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
title: Use Virtual Smart Cards
|
title: Use Virtual Smart Cards
|
||||||
description: Learn about the requirements for virtual smart cards, how to use and manage them.
|
description: Learn about the requirements for virtual smart cards, how to use and manage them.
|
||||||
ms.topic: concept-article
|
ms.topic: concept-article
|
||||||
ms.date: 11/06/2023
|
ms.date: 09/06/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Use Virtual Smart Cards
|
# Use Virtual Smart Cards
|
||||||
|
@ -65,7 +65,7 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t
|
|||||||
| Name | Details | Security Tools |
|
| Name | Details | Security Tools |
|
||||||
|--|--|--|
|
|--|--|--|
|
||||||
| Microsoft 365 Apps for enterprise, version 2306 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2306/ba-p/3858702) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
|
| Microsoft 365 Apps for enterprise, version 2306 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2306/ba-p/3858702) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
|
||||||
| Microsoft Edge, version 117 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-117/ba-p/3930862) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
|
| Microsoft Edge, version 128 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-128/ba-p/4237524) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
|
||||||
|
|
||||||
## Related articles
|
## Related articles
|
||||||
|
|
||||||
|
@ -35,7 +35,7 @@ The Security Compliance Toolkit consists of:
|
|||||||
- Office 2016
|
- Office 2016
|
||||||
- Microsoft 365 Apps for Enterprise Version 2206
|
- Microsoft 365 Apps for Enterprise Version 2206
|
||||||
- Microsoft Edge security baseline
|
- Microsoft Edge security baseline
|
||||||
- Microsoft Edge version 114
|
- Microsoft Edge version 128
|
||||||
- Tools
|
- Tools
|
||||||
- Policy Analyzer
|
- Policy Analyzer
|
||||||
- Local Group Policy Object (LGPO)
|
- Local Group Policy Object (LGPO)
|
||||||
|
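Review bot: The Edge entry is bumped to version 128, but the line above it still lists "Microsoft 365 Apps for Enterprise Version 2206", while the baseline table updated in the same commit lists "Microsoft 365 Apps for enterprise, version 2306". Align the two pages (version and capitalization) so the toolkit contents and the baseline table agree.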
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
title: Configure Windows Firewall logging
|
title: Configure Windows Firewall logging
|
||||||
description: Learn how to configure Windows Firewall to log dropped packets or successful connections with CSP and group policy.
|
description: Learn how to configure Windows Firewall to log dropped packets or successful connections with CSP and group policy.
|
||||||
ms.topic: how-to
|
ms.topic: how-to
|
||||||
ms.date: 11/21/2023
|
ms.date: 09/06/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Configure Windows Firewall logging
|
# Configure Windows Firewall logging
|
||||||
@ -137,7 +137,7 @@ If not, add *FullControl* permissions for `mpssvc` to the folder, subfolders and
|
|||||||
|
|
||||||
```PowerShell
|
```PowerShell
|
||||||
$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall"
|
$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall"
|
||||||
$NewAcl = Get-Acl -Path $LogPath
|
$NewAcl = Get-Acl -Path $LogPath
|
||||||
|
|
||||||
$identity = "NT SERVICE\mpssvc"
|
$identity = "NT SERVICE\mpssvc"
|
||||||
$fileSystemRights = "FullControl"
|
$fileSystemRights = "FullControl"
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
title: Manage Windows Firewall with the command line
|
title: Manage Windows Firewall with the command line
|
||||||
description: Learn how to manage Windows Firewall from the command line. This guide provides examples how to manage Windows Firewall with PowerShell and Netsh.
|
description: Learn how to manage Windows Firewall from the command line. This guide provides examples how to manage Windows Firewall with PowerShell and Netsh.
|
||||||
ms.topic: how-to
|
ms.topic: how-to
|
||||||
ms.date: 11/21/2023
|
ms.date: 09/06/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Manage Windows Firewall with the command line
|
# Manage Windows Firewall with the command line
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
title: Configure firewall rules with group policy
|
title: Configure firewall rules with group policy
|
||||||
description: Learn how to configure firewall rules using group policy with the Windows Firewall with Advanced Security console.
|
description: Learn how to configure firewall rules using group policy with the Windows Firewall with Advanced Security console.
|
||||||
ms.topic: how-to
|
ms.topic: how-to
|
||||||
ms.date: 11/21/2023
|
ms.date: 09/06/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Configure rules with group policy
|
# Configure rules with group policy
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
title: Windows Firewall dynamic keywords
|
title: Windows Firewall dynamic keywords
|
||||||
description: Learn about Windows Firewall dynamic keywords and how to configure it using Windows PowerShell.
|
description: Learn about Windows Firewall dynamic keywords and how to configure it using Windows PowerShell.
|
||||||
ms.topic: how-to
|
ms.topic: how-to
|
||||||
ms.date: 01/16/2024
|
ms.date: 09/06/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Windows Firewall dynamic keywords
|
# Windows Firewall dynamic keywords
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
title: Filter origin audit log
|
title: Filter origin audit log
|
||||||
description: Learn about Windows Firewall and filter origin audit log to troubleshoot packet drops.
|
description: Learn about Windows Firewall and filter origin audit log to troubleshoot packet drops.
|
||||||
ms.topic: troubleshooting
|
ms.topic: troubleshooting
|
||||||
ms.date: 11/21/2023
|
ms.date: 09/06/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Filter origin audit log
|
# Filter origin audit log
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
title: Hyper-V firewall
|
title: Hyper-V firewall
|
||||||
description: Learn how to configure Hyper-V firewall rules and settings using PowerShell or Configuration Service Provider (CSP).
|
description: Learn how to configure Hyper-V firewall rules and settings using PowerShell or Configuration Service Provider (CSP).
|
||||||
ms.topic: how-to
|
ms.topic: how-to
|
||||||
ms.date: 11/21/2023
|
ms.date: 09/06/2024
|
||||||
appliesto:
|
appliesto:
|
||||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||||
---
|
---
|
||||||
@ -21,18 +21,18 @@ This section describes the steps to manage Hyper-V firewall using PowerShell.
|
|||||||
|
|
||||||
### Obtain the WSL GUID
|
### Obtain the WSL GUID
|
||||||
|
|
||||||
Hyper-V firewall rules are enabled per *VMCreatorId*. To obtain the VMCreatorId, use the cmdlet:
|
Hyper-V firewall rules are enabled per *VMCreatorId*. To obtain the VMCreatorId, use the cmdlet:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Get-NetFirewallHyperVVMCreator
|
Get-NetFirewallHyperVVMCreator
|
||||||
```
|
```
|
||||||
|
|
||||||
The output contains a VmCreator object type, which has unique identifier `VMCreatorId` and `friendly name` properties. For example, the following output shows the properties of WSL:
|
The output contains a VmCreator object type, which has unique identifier `VMCreatorId` and `friendly name` properties. For example, the following output shows the properties of WSL:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
PS C:\> Get-NetFirewallHyperVVMCreator
|
PS C:\> Get-NetFirewallHyperVVMCreator
|
||||||
VMCreatorId : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}
|
VMCreatorId : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}
|
||||||
FriendlyName : WSL
|
FriendlyName : WSL
|
||||||
```
|
```
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
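Review bot: In "unique identifier `VMCreatorId` and `friendly name` properties", the second backticked name does not match the property shown in the sample output, which is `FriendlyName`. Use the exact property name when it is set in code formatting.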
@ -63,7 +63,7 @@ The output contains the following values:
|
|||||||
To configure Hyper-V firewall, use the [Set-NetFirewallHyperVVMSetting][PS-2] command. For example, the following command sets the default inbound connection to *Allow*:
|
To configure Hyper-V firewall, use the [Set-NetFirewallHyperVVMSetting][PS-2] command. For example, the following command sets the default inbound connection to *Allow*:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -DefaultInboundAction Allow
|
Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -DefaultInboundAction Allow
|
||||||
```
|
```
|
||||||
|
|
||||||
### Firewall Rules
|
### Firewall Rules
|
||||||
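Review bot: The only example given for `Set-NetFirewallHyperVVMSetting` sets `-DefaultInboundAction Allow`, which readers are likely to copy as-is. Add a sentence saying that this allows inbound connections to the WSL VM creator by default unless a rule blocks them, or switch the example to a setting that doesn't loosen the default.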
@ -76,10 +76,10 @@ Get-NetFirewallHyperVRule -VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}'
|
|||||||
|
|
||||||
To configure specific rules, use the [Set-NetFirewallHyperVRule][PS-4] cmdlet.
|
To configure specific rules, use the [Set-NetFirewallHyperVRule][PS-4] cmdlet.
|
||||||
|
|
||||||
For example, to create an inbound rule to allow TCP traffic to WSL on port 80, use the following command:
|
For example, to create an inbound rule to allow TCP traffic to WSL on port 80, use the following command:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
New-NetFirewallHyperVRule -Name MyWebServer -DisplayName "My Web Server" -Direction Inbound -VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -Protocol TCP -LocalPorts 80
|
New-NetFirewallHyperVRule -Name MyWebServer -DisplayName "My Web Server" -Direction Inbound -VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -Protocol TCP -LocalPorts 80
|
||||||
```
|
```
|
||||||
|
|
||||||
### Target Hyper-V firewall rules and settings to specific profiles
|
### Target Hyper-V firewall rules and settings to specific profiles
|
||||||
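Review bot: The lead-in says "To configure specific rules, use the [Set-NetFirewallHyperVRule][PS-4] cmdlet", but the example that follows creates a rule with `New-NetFirewallHyperVRule`. Either introduce `New-NetFirewallHyperVRule` before the port 80 example or add a `Set-NetFirewallHyperVRule` example, so the cmdlet named in the text matches the command shown.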
@ -95,7 +95,7 @@ The policy options are similar to the ones already described, but are applied to
|
|||||||
To view the settings per profile, use the following command:
|
To view the settings per profile, use the following command:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Get-NetFirewallHyperVProfile -PolicyStore ActiveStore
|
Get-NetFirewallHyperVProfile -PolicyStore ActiveStore
|
||||||
```
|
```
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
title: Windows Firewall overview
|
title: Windows Firewall overview
|
||||||
description: Learn overview information about the Windows Firewall security feature.
|
description: Learn overview information about the Windows Firewall security feature.
|
||||||
ms.topic: overview
|
ms.topic: overview
|
||||||
ms.date: 11/21/2023
|
ms.date: 09/06/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Windows Firewall overview
|
# Windows Firewall overview
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
title: Quarantine behavior
|
title: Quarantine behavior
|
||||||
description: Learn about Windows Firewall and the quarantine feature behavior.
|
description: Learn about Windows Firewall and the quarantine feature behavior.
|
||||||
ms.topic: concept-article
|
ms.topic: concept-article
|
||||||
ms.date: 11/21/2023
|
ms.date: 09/06/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Quarantine behavior
|
# Quarantine behavior
|
||||||
@ -77,7 +77,7 @@ Inside the wfpdiag.xml, search for `netEvents` that have `FWPM_NET_EVENT_TYPE_CL
|
|||||||
The characters in the application ID name are separated by periods:
|
The characters in the application ID name are separated by periods:
|
||||||
|
|
||||||
```XML
|
```XML
|
||||||
<asString> \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e... </asString>
|
<asString> \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e... </asString>
|
||||||
```
|
```
|
||||||
|
|
||||||
The `netEvent` contains more information about the dropped packet, including information about its capabilities, the filter that dropped the packet, and much more.
|
The `netEvent` contains more information about the dropped packet, including information about its capabilities, the filter that dropped the packet, and much more.
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: Windows Firewall rules
|
title: Windows Firewall rules
|
||||||
description: Learn about Windows Firewall rules and design recommendations.
|
description: Learn about Windows Firewall rules and design recommendations.
|
||||||
ms.date: 11/21/2023
|
ms.date: 09/06/2024
|
||||||
ms.topic: concept-article
|
ms.topic: concept-article
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: Windows Firewall tools
|
title: Windows Firewall tools
|
||||||
description: Learn about the available tools to configure Windows Firewall and firewall rules.
|
description: Learn about the available tools to configure Windows Firewall and firewall rules.
|
||||||
ms.date: 11/20/2023
|
ms.date: 09/06/2024
|
||||||
ms.topic: best-practice
|
ms.topic: best-practice
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
title: Troubleshooting UWP App Connectivity Issues in Windows Firewall
|
title: Troubleshooting UWP App Connectivity Issues in Windows Firewall
|
||||||
description: Troubleshooting UWP App Connectivity Issues in Windows Firewall
|
description: Troubleshooting UWP App Connectivity Issues in Windows Firewall
|
||||||
ms.topic: troubleshooting
|
ms.topic: troubleshooting
|
||||||
ms.date: 11/07/2023
|
ms.date: 09/06/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Troubleshooting UWP App Connectivity Issues
|
# Troubleshooting UWP App Connectivity Issues
|
||||||
@ -83,7 +83,7 @@ package SID, or application ID name. The characters in the application ID name
|
|||||||
will be separated by periods:
|
will be separated by periods:
|
||||||
|
|
||||||
```XML
|
```XML
|
||||||
(ex)
|
(ex)
|
||||||
|
|
||||||
<asString>
|
<asString>
|
||||||
\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e...
|
\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e...
|
||||||
@ -118,18 +118,18 @@ remote address, capabilities, etc.
|
|||||||
<item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
|
<item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
|
||||||
<item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
|
<item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
|
||||||
<item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
|
<item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
|
||||||
<item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
|
<item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
|
||||||
<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
|
<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
|
||||||
<item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
|
<item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
|
||||||
</flags>
|
</flags>
|
||||||
<ipVersion>FWP_IP_VERSION_V6</ipVersion>
|
<ipVersion>FWP_IP_VERSION_V6</ipVersion>
|
||||||
<ipProtocol>6</ipProtocol>
|
<ipProtocol>6</ipProtocol>
|
||||||
<localAddrV6.byteArray16>2001:4898:30:3:256c:e5ba:12f3:beb1</localAddrV6.byteArray16>
|
<localAddrV6.byteArray16>2001:4898:30:3:256c:e5ba:12f3:beb1</localAddrV6.byteArray16>
|
||||||
<remoteAddrV6.byteArray16>2620:1ec:c11::200</remoteAddrV6.byteArray16>
|
<remoteAddrV6.byteArray16>2620:1ec:c11::200</remoteAddrV6.byteArray16>
|
||||||
<localPort>52127</localPort>
|
<localPort>52127</localPort>
|
||||||
<remotePort>443</remotePort>
|
<remotePort>443</remotePort>
|
||||||
<scopeId>0</scopeId>
|
<scopeId>0</scopeId>
|
||||||
<appId>
|
<appId>
|
||||||
<data>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</data>
|
<data>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</data>
|
||||||
<asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
|
<asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
|
||||||
.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
|
.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
|
||||||
@ -152,7 +152,7 @@ remote address, capabilities, etc.
|
|||||||
<internalFields>
|
<internalFields>
|
||||||
<internalFlags/>
|
<internalFlags/>
|
||||||
<remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
|
<remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
|
||||||
<capabilities numItems="3">
|
<capabilities numItems="3">
|
||||||
<item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT</item>
|
<item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT</item>
|
||||||
<item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER</item>
|
<item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER</item>
|
||||||
<item>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK</item>
|
<item>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK</item>
|
||||||
@ -195,7 +195,7 @@ allowed by Filter #125918, from the InternetClient Default Rule.
|
|||||||
<asString>.+......</asString>
|
<asString>.+......</asString>
|
||||||
</providerData>
|
</providerData>
|
||||||
<layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
|
<layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
|
||||||
<subLayerKey>FWPM_SUBLAYER_MPSSVC_WSH</subLayerKey
|
<subLayerKey>FWPM_SUBLAYER_MPSSVC_WSH</subLayerKey
|
||||||
<weight>
|
<weight>
|
||||||
<type>FWP_EMPTY</type>
|
<type>FWP_EMPTY</type>
|
||||||
</weight>
|
</weight>
|
||||||
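Review bot: the `<subLayerKey>FWPM_SUBLAYER_MPSSVC_WSH</subLayerKey` line has no closing `>` on either side of this hunk, so the sample filter XML is malformed and will not parse if a reader copies it. Since the file is being touched here anyway, close the tag as `</subLayerKey>`.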
@ -284,7 +284,7 @@ The important part of this condition is **S-1-15-3-1**, which is the capability
|
|||||||
From the **netEvent** capabilities section, capabilities from netEvent, Wfpdiag-Case-1.xml.
|
From the **netEvent** capabilities section, capabilities from netEvent, Wfpdiag-Case-1.xml.
|
||||||
|
|
||||||
```xml
|
```xml
|
||||||
<capabilities numItems="3">
|
<capabilities numItems="3">
|
||||||
<item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT</item>
|
<item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT</item>
|
||||||
<item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER</item>
|
<item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER</item>
|
||||||
<item>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK</item>
|
<item>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK</item>
|
||||||
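Review bot: the sentence introducing the XML block, "From the **netEvent** capabilities section, capabilities from netEvent, Wfpdiag-Case-1.xml.", says the same thing twice and reads like a caption fused into the sentence. It is unchanged on both sides; consider rewording it in this pass, for example "The capabilities section of the netEvent in Wfpdiag-Case-1.xml:".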
@ -575,7 +575,7 @@ In this example, the UWP app is unable to reach the Intranet target address, 10.
|
|||||||
<localPort>52998</localPort>
|
<localPort>52998</localPort>
|
||||||
<remotePort>53</remotePort>
|
<remotePort>53</remotePort>
|
||||||
<scopeId>0</scopeId>
|
<scopeId>0</scopeId>
|
||||||
<appId>
|
<appId>
|
||||||
<data>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</data>
|
<data>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</data>
|
||||||
<asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
|
<asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
|
||||||
.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.1...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
|
.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.1...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
|
||||||
@ -653,7 +653,7 @@ In this example, the UWP app is unable to reach the Intranet target address, 10.
|
|||||||
<localPort>52956</localPort>
|
<localPort>52956</localPort>
|
||||||
<remotePort>53</remotePort>
|
<remotePort>53</remotePort>
|
||||||
<scopeId>0</scopeId>
|
<scopeId>0</scopeId>
|
||||||
<appId>
|
<appId>
|
||||||
<data>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</data>
|
<data>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</data>
|
||||||
<asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
|
<asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
|
||||||
.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.3...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
|
.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.3...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
|
||||||
|
@ -5,7 +5,7 @@ ms.topic: concept-article
|
|||||||
manager: aaroncz
|
manager: aaroncz
|
||||||
ms.author: paoloma
|
ms.author: paoloma
|
||||||
author: paolomatarazzo
|
author: paolomatarazzo
|
||||||
ms.date: 11/07/2023
|
ms.date: 09/06/2024
|
||||||
---
|
---
|
||||||
|
|
||||||
# Zero Trust and Windows device health
|
# Zero Trust and Windows device health
|
||||||
|
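Review bot: the only change visible in this hunk is `ms.date` moving from 11/07/2023 to 09/06/2024; `manager`, `ms.author`, `author` and the `# Zero Trust and Windows device health` heading are identical on both sides. If the article body was not re-reviewed for this date, the bump overstates freshness, so confirm the review happened or leave the date as it was.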