mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge branch 'main' into sheshachary-5859198-3
This commit is contained in:
commit
737ca9adff
@ -111,7 +111,7 @@ Back up all your data before installing Windows 10 in S mode. Only personal file
|
|||||||
|
|
||||||
Windows 10 in S mode doesn't support non-Azure Active Directory domain accounts. Before installing Windows 10 in S mode, you must have at least one of these administrator accounts:
|
Windows 10 in S mode doesn't support non-Azure Active Directory domain accounts. Before installing Windows 10 in S mode, you must have at least one of these administrator accounts:
|
||||||
- Local administrator
|
- Local administrator
|
||||||
- Microsoft Account (MSA) administrator
|
- Microsoft account administrator
|
||||||
- Azure Active Directory administrator
|
- Azure Active Directory administrator
|
||||||
|
|
||||||
> [!WARNING]
|
> [!WARNING]
|
||||||
|
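Review bot: the unchanged first sentence of this hunk, "doesn't support non-Azure Active Directory domain accounts", is ambiguous: it can be read as "non-Azure" plus "Active Directory domain accounts" or as "non-(Azure Active Directory)" accounts. Since the list that follows names Azure Active Directory as a supported administrator type, the intended meaning is on-premises Active Directory domain accounts; suggest "doesn't support on-premises Active Directory domain accounts". Dropping the "(MSA)" expansion from the bullet is fine as long as the rest of the page no longer relies on the acronym.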
@ -50,10 +50,11 @@ You can create collections of apps within your private store. Collections allow
|
|||||||
You can add a collection to your private store from the private store, or from the details page for an app.
|
You can add a collection to your private store from the private store, or from the details page for an app.
|
||||||
|
|
||||||
**From private store**
|
**From private store**
|
||||||
|
|
||||||
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
|
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
|
||||||
2. Click your private store.</br>
|
2. Click your private store.</br>
|
||||||
|
|
||||||

|

|
||||||
3. Click **Add a Collection**.</br>
|
3. Click **Add a Collection**.</br>
|
||||||
|
|
||||||

|

|
||||||
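Review bot: steps 2 and 3 in this hunk end with `</br>`, which is not a valid HTML tag (the self-closing form is `<br/>`) and only renders because the Markdown engine is lenient; since the hunk already touches this block, suggest replacing `</br>` with `<br>` or dropping it entirely, because the screenshot on the following line is already separated by a blank line.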
@ -65,6 +66,7 @@ You can add a collection to your private store from the private store, or from t
|
|||||||
> New collections require at least one app, or they will not be created.
|
> New collections require at least one app, or they will not be created.
|
||||||
|
|
||||||
**From app details page**
|
**From app details page**
|
||||||
|
|
||||||
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
|
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
|
||||||
2. Click **Manage**, and then click **Products & services**.
|
2. Click **Manage**, and then click **Products & services**.
|
||||||
3. Under **Apps & software**, choose an app you want to include in a new collection.
|
3. Under **Apps & software**, choose an app you want to include in a new collection.
|
||||||
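Review bot: the quoted callout "New collections require at least one app, or they will not be created." carries no [!NOTE] marker, unlike the other callouts in this change, and uses "will not" where the page otherwise uses contractions; suggest a "> [!NOTE]" line above it and "won't be created". The rest of the hunk (heading and first two steps of the app-details procedure) reads fine.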
@ -84,12 +86,13 @@ If you've already added a Collection to your private store, you can easily add a
|
|||||||
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
|
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
|
||||||
2. Click your private store.</br>
|
2. Click your private store.</br>
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
3. Click the ellipses next to the collection name, and click **Edit collection**.
|
3. Click the ellipses next to the collection name, and click **Edit collection**.
|
||||||
4. Add or remove products from the collection, and then click **Done**.
|
4. Add or remove products from the collection, and then click **Done**.
|
||||||
|
|
||||||
You can also add an app to a collection from the app details page.
|
You can also add an app to a collection from the app details page.
|
||||||
|
|
||||||
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
|
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
|
||||||
2. Click **Manage**, and then click **Products & services**.
|
2. Click **Manage**, and then click **Products & services**.
|
||||||
3. Under **Apps & software**, choose an app you want to include in a new collection.
|
3. Under **Apps & software**, choose an app you want to include in a new collection.
|
||||||
|
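Review bot: step 3 of the second procedure in this hunk ("You can also add an app to a collection from the app details page") tells the reader to "choose an app you want to include in a new collection", but this procedure is about adding an app to a collection that already exists; suggest "choose an app you want to add to an existing collection". Also, "Click the ellipses next to the collection name" should be the singular "ellipsis", since it refers to one "..." button.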
@ -45,7 +45,7 @@ You'll need to set up:
|
|||||||
- LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store.
|
- LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store.
|
||||||
|
|
||||||
The process and timing look like this:
|
The process and timing look like this:
|
||||||

|

|
||||||
|
|
||||||
## <a href="" id="add-lob-publisher"></a>Add an LOB publisher (Admin)
|
## <a href="" id="add-lob-publisher"></a>Add an LOB publisher (Admin)
|
||||||
Admins need to invite developer or ISVs to become an LOB publisher.
|
Admins need to invite developer or ISVs to become an LOB publisher.
|
||||||
|
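Review bot: the unchanged sentence "Admins need to invite developer or ISVs to become an LOB publisher" has a number mismatch between "developer", "ISVs" and "an LOB publisher"; suggest "Admins need to invite developers or ISVs to become LOB publishers".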
@ -861,7 +861,7 @@ Here's the list of corresponding Group Policy settings in HKLM\\Software\\Polici
|
|||||||
|DeferFeatureUpdates|REG_DWORD|1: defer feature updates<br><br>Other value or absent: don’t defer feature updates|
|
|DeferFeatureUpdates|REG_DWORD|1: defer feature updates<br><br>Other value or absent: don’t defer feature updates|
|
||||||
|DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates|
|
|DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates|
|
||||||
|PauseFeatureUpdates|REG_DWORD|1: pause feature updates<br><br>Other value or absent: don’t pause feature updates|
|
|PauseFeatureUpdates|REG_DWORD|1: pause feature updates<br><br>Other value or absent: don’t pause feature updates|
|
||||||
|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude WU drivers<br><br>Other value or absent: offer WU drivers|
|
|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude Windows Update drivers<br><br>Other value or absent: offer Windows Update drivers|
|
||||||
|
|
||||||
Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices.
|
Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices.
|
||||||
|
|
||||||
|
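Review bot: expanding "WU" to "Windows Update" in the ExcludeWUDriversInQualityUpdate row is good, but the DeferFeatureUpdatesPeriodInDays row gives only the range "0-180: days to defer feature updates" and, unlike its neighbours, says nothing about the behaviour when the value is absent; for consistency with the "Other value or absent" wording in the surrounding rows, state what an absent value means for this key.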
@ -537,28 +537,32 @@ Supported operation is Exec only.
|
|||||||
|
|
||||||
<a href="" id="provider-providerid-multiplesession-numallowedconcurrentusersessionforbackgroundsync"></a>**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionForBackgroundSync**
|
<a href="" id="provider-providerid-multiplesession-numallowedconcurrentusersessionforbackgroundsync"></a>**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionForBackgroundSync**
|
||||||
|
|
||||||
Optional. This node specifies maximum number of concurrent user sync sessions in background. Default value is 25.
|
Optional. This node specifies maximum number of concurrent user sync sessions in background.
|
||||||
|
|
||||||
|
The default value is dynamically decided by the client based on CPU usage.
|
||||||
|
|
||||||
The values are : 0= none, 1= sequential, anything else= parallel.
|
The values are : 0= none, 1= sequential, anything else= parallel.
|
||||||
|
|
||||||
Supported operations are Get, Add, Replace and Delete.
|
Supported operations are Get, Add, Replace and Delete.
|
||||||
|
|
||||||
Value type is integer. Only applicable for Windows 10 multi-session.
|
Value type is integer. Only applicable for Windows Enterprise multi-session.
|
||||||
|
|
||||||
|
|
||||||
<a href="" id="provider-providerid-multiplesession-numallowedconcurrentusersessionatuserlogonsync"></a>**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionAtUserLogonSync**
|
<a href="" id="provider-providerid-multiplesession-numallowedconcurrentusersessionatuserlogonsync"></a>**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionAtUserLogonSync**
|
||||||
Optional. This node specifies maximum number of concurrent user sync sessions at User Login. Default value is 25.
|
Optional. This node specifies maximum number of concurrent user sync sessions at User Login.
|
||||||
|
|
||||||
|
The default value is dynamically decided by the client based on CPU usage.
|
||||||
|
|
||||||
The values are : 0= none, 1= sequential, anything else= parallel.
|
The values are : 0= none, 1= sequential, anything else= parallel.
|
||||||
|
|
||||||
Supported operations are Get, Add, Replace and Delete.
|
Supported operations are Get, Add, Replace and Delete.
|
||||||
|
|
||||||
Value type is integer. Only applicable for Windows 10 multi-session.
|
Value type is integer. Only applicable for Windows Enterprise multi-session.
|
||||||
|
|
||||||
<a href="" id="provider-providerid-multiplesession-intervalforscheduledretriesforusersession"></a>**Provider/*ProviderID*/MultipleSession/IntervalForScheduledRetriesForUserSession**
|
<a href="" id="provider-providerid-multiplesession-intervalforscheduledretriesforusersession"></a>**Provider/*ProviderID*/MultipleSession/IntervalForScheduledRetriesForUserSession**
|
||||||
Optional. This node specifies the waiting time (in minutes) for the initial set of retries as specified by the number of retries in `/<ProviderID>/Poll/NumberOfScheduledRetriesForUserSession`.
|
Optional. This node specifies the waiting time (in minutes) for the initial set of retries as specified by the number of retries in `/<ProviderID>/Poll/NumberOfScheduledRetriesForUserSession`.
|
||||||
|
|
||||||
If IntervalForScheduledRetriesForUserSession is not set, then the default value is used. The default value is 1440. If the value is set to 0, this schedule is disabled.
|
If IntervalForScheduledRetriesForUserSession is not set, then the default value is used. The default value is 0. If the value is set to 0, this schedule is disabled.
|
||||||
|
|
||||||
This configuration is only applicable for Windows Multi-session Editions.
|
This configuration is only applicable for Windows Multi-session Editions.
|
||||||
|
|
||||||
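Review bot: in this hunk the default for IntervalForScheduledRetriesForUserSession changes from 1440 to 0, and the very next sentence says "If the value is set to 0, this schedule is disabled", so the new text effectively says the retry schedule is off unless explicitly configured; if that is intended, state it directly ("By default, this schedule is disabled") rather than leaving the reader to combine the two sentences, and confirm the value against the client. Two smaller points: both MultipleSession nodes are described as a "maximum number of concurrent user sync sessions", yet their value list reads "0= none, 1= sequential, anything else= parallel", which does not say what a value such as 10 means (a cap of 10 parallel sessions, or just "parallel"); and the hunk renames the applicability to "Windows Enterprise multi-session" in two places while the unchanged line below still says "Windows Multi-session Editions", so the three lines should use one product name. Style: "The values are :" has a stray space before the colon.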
@ -626,7 +630,7 @@ The status error mapping is listed below.
|
|||||||
|--- |--- |
|
|--- |--- |
|
||||||
|0|Success|
|
|0|Success|
|
||||||
|1|Failure: invalid PFN|
|
|1|Failure: invalid PFN|
|
||||||
|2|Failure: invalid or expired device authentication with MSA|
|
|2|Failure: invalid or expired device authentication with Microsoft account|
|
||||||
|3|Failure: WNS client registration failed due to an invalid or revoked PFN|
|
|3|Failure: WNS client registration failed due to an invalid or revoked PFN|
|
||||||
|4|Failure: no Channel URI assigned|
|
|4|Failure: no Channel URI assigned|
|
||||||
|5|Failure: Channel URI has expired|
|
|5|Failure: Channel URI has expired|
|
||||||
|
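Review bot: "PFN" in rows 1 and 3 of this status table is never expanded in the hunk; since the hunk already expands "MSA" to "Microsoft account" for readability, suggest "invalid PFN (Package Family Name)" on first use.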
@ -27,12 +27,12 @@ The table below shows the applicability of Windows:
|
|||||||
|
|
||||||
The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip).
|
The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip).
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
|
> To make Windows Information Protection functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
|
||||||
|
|
||||||
While WIP has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md).
|
While Windows Information Protection has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md).
|
||||||
|
|
||||||
To learn more about WIP, see the following articles:
|
To learn more about Windows Information Protection, see the following articles:
|
||||||
|
|
||||||
- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
|
- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
|
||||||
- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
|
- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
|
||||||
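Review bot: the first paragraph of this hunk already defines the acronym ("Windows Information Protection (WIP)"), so expanding later occurrences in the note and the VPN paragraph is unnecessary and leaves the text inconsistent: the same note now says "To make Windows Information Protection functional" and "the WIP policies" within two sentences, and the VPN paragraph says "Windows Information Protection has no hard dependency" and then "the WIP policies". Suggest keeping "WIP" after the definition, or expanding every occurrence in the section. The [!Note] to [!NOTE] casing fix is correct for the docs renderer.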
@ -63,8 +63,8 @@ The root node for the Windows Information Protection (WIP) configuration setting
|
|||||||
<a href="" id="settings-edpenforcementlevel"></a>**Settings/EDPEnforcementLevel**
|
<a href="" id="settings-edpenforcementlevel"></a>**Settings/EDPEnforcementLevel**
|
||||||
Set the WIP enforcement level.
|
Set the WIP enforcement level.
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> Setting this value isn't sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running.
|
> Setting this value isn't sufficient to enable Windows Information Protection on the device. Attempts to change this value will fail when the WIP cleanup is running.
|
||||||
|
|
||||||
The following list shows the supported values:
|
The following list shows the supported values:
|
||||||
|
|
||||||
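Review bot: in the EDPEnforcementLevel description, "Set the WIP enforcement level." stays abbreviated while the following note is expanded to "Windows Information Protection" and then reverts to "the WIP cleanup" in its second sentence; use one form within the node description.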
@ -76,14 +76,13 @@ The following list shows the supported values:
|
|||||||
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
|
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
|
||||||
|
|
||||||
<a href="" id="settings-enterpriseprotecteddomainnames"></a>**Settings/EnterpriseProtectedDomainNames**
|
<a href="" id="settings-enterpriseprotecteddomainnames"></a>**Settings/EnterpriseProtectedDomainNames**
|
||||||
A list of domains used by the enterprise for its user identities separated by pipes ("|"). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
|
A list of domains used by the enterprise for its user identities separated by pipes ("|"). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for Windows Information Protection. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
|
||||||
|
|
||||||
Changing the primary enterprise ID isn't supported and may cause unexpected behavior on the client.
|
Changing the primary enterprise ID isn't supported and may cause unexpected behavior on the client.
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
|
> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
|
||||||
|
|
||||||
|
|
||||||
Here are the steps to create canonical domain names:
|
Here are the steps to create canonical domain names:
|
||||||
|
|
||||||
1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com.
|
1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com.
|
||||||
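Review bot: "User identities from one of these domains is considered an enterprise managed account" in this hunk has a subject-verb mismatch and mixes plural and singular; suggest "A user identity from one of these domains is considered an enterprise-managed account, and data associated with it should be protected". The expansion to "Windows Information Protection" in the same paragraph is inconsistent with "WIP cleanup" two sentences later.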
@ -242,7 +241,7 @@ For EFSCertificate KeyTag, it's expected to be a DER ENCODED binary certificate.
|
|||||||
Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate.
|
Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate.
|
||||||
|
|
||||||
<a href="" id="settings-revokeonunenroll"></a>**Settings/RevokeOnUnenroll**
|
<a href="" id="settings-revokeonunenroll"></a>**Settings/RevokeOnUnenroll**
|
||||||
This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1.
|
This policy controls whether to revoke the Windows Information Protection keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1.
|
||||||
|
|
||||||
The following list shows the supported values:
|
The following list shows the supported values:
|
||||||
|
|
||||||
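Review bot: the RevokeOnUnenroll description in this hunk never states the default value, even though leaving keys un-revoked after unenrollment is the security-relevant outcome; if the supported-values list that follows gives the default, repeat it in the description. Also "there will be no revoked file cleanup, later." has a stray comma (suggest "no revoked-file cleanup later"), and the last sentence is easier to follow as "If you want a device to do a selective wipe when it's unenrolled, explicitly set this policy to 1 before sending the unenroll command."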
@ -252,7 +251,7 @@ The following list shows the supported values:
|
|||||||
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
|
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
|
||||||
|
|
||||||
<a href="" id="settings-revokeonmdmhandoff"></a>**Settings/RevokeOnMDMHandoff**
|
<a href="" id="settings-revokeonmdmhandoff"></a>**Settings/RevokeOnMDMHandoff**
|
||||||
Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
|
Added in Windows 10, version 1703. This policy controls whether to revoke the Windows Information Protection keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
|
||||||
|
|
||||||
- 0 - Don't revoke keys.
|
- 0 - Don't revoke keys.
|
||||||
- 1 (default) - Revoke keys.
|
- 1 (default) - Revoke keys.
|
||||||
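Review bot: "This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service" in this hunk is ambiguous: "this setting" could mean the policy itself or the value 0 just described. The supported values below show 1 (revoke keys) as the default, so the recommendation must be to set 0; suggest "Setting this policy to 0 is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service", so that readers do not keep the default and lose access to protected files on handoff.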
@ -265,7 +264,7 @@ TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS t
|
|||||||
Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID).
|
Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID).
|
||||||
|
|
||||||
<a href="" id="settings-allowazurermsforedp"></a>**Settings/AllowAzureRMSForEDP**
|
<a href="" id="settings-allowazurermsforedp"></a>**Settings/AllowAzureRMSForEDP**
|
||||||
Specifies whether to allow Azure RMS encryption for WIP.
|
Specifies whether to allow Azure RMS encryption for Windows Information Protection.
|
||||||
|
|
||||||
- 0 (default) – Don't use RMS.
|
- 0 (default) – Don't use RMS.
|
||||||
- 1 – Use RMS.
|
- 1 – Use RMS.
|
||||||
@ -278,7 +277,7 @@ When this policy isn't specified, the existing auto-encryption behavior is appli
|
|||||||
Supported operations are Add, Get, Replace and Delete. Value type is string.
|
Supported operations are Add, Get, Replace and Delete. Value type is string.
|
||||||
|
|
||||||
<a href="" id="settings-edpshowicons"></a>**Settings/EDPShowIcons**
|
<a href="" id="settings-edpshowicons"></a>**Settings/EDPShowIcons**
|
||||||
Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app.
|
Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the Windows Information Protection icon in the title bar of a WIP-protected app.
|
||||||
The following list shows the supported values:
|
The following list shows the supported values:
|
||||||
|
|
||||||
- 0 (default) - No WIP overlays on icons or tiles.
|
- 0 (default) - No WIP overlays on icons or tiles.
|
||||||
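Review bot: the EDPShowIcons description in this hunk uses "WIP protected files" and "WIP-protected app" in the same sentence; hyphenate both as "WIP-protected". Also "Starting in Windows 10, version 1703 this setting" needs a comma after "1703", and "enterprise only app tiles" should be "enterprise-only app tiles".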
@ -287,7 +286,7 @@ The following list shows the supported values:
|
|||||||
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
|
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
|
||||||
|
|
||||||
<a href="" id="status"></a>**Status**
|
<a href="" id="status"></a>**Status**
|
||||||
A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
|
A read-only bit mask that indicates the current state of Windows Information Protection on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
|
||||||
|
|
||||||
Suggested values:
|
Suggested values:
|
||||||
|
|
||||||
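Review bot: in the Status description, "on the Device" should be lowercase "device", and the sentence expands "WIP" once and then uses the abbreviation three more times; keep "WIP" throughout, since the page defines it. The statement that WIP is on only when both the mandatory policies and the AppLocker settings are configured is the useful part of this node and should stay as written.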
@ -299,7 +298,7 @@ Bit 0 indicates whether WIP is on or off.
|
|||||||
|
|
||||||
Bit 1 indicates whether AppLocker WIP policies are set.
|
Bit 1 indicates whether AppLocker WIP policies are set.
|
||||||
|
|
||||||
Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero).
|
Bit 3 indicates whether the mandatory Windows Information Protection policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero).
|
||||||
|
|
||||||
Here's the list of mandatory WIP policies:
|
Here's the list of mandatory WIP policies:
|
||||||
|
|
||||||
|
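Review bot: this hunk documents Bit 0, Bit 1 and Bit 3 of the Status mask but says nothing about bit 2, so a reader decoding the value cannot tell whether bit 2 is reserved or has an undocumented meaning; suggest adding a line for bit 2 (marked reserved, if that is the case). Also "the bit 3 is set to 0 (zero)" reads better as "bit 3 is set to 0".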
@ -80,17 +80,17 @@ Since the [Poll](dmclient-csp.md#provider-providerid-poll) node isn’t provided
|
|||||||
|
|
||||||
MAM on Windows supports the following configuration service providers (CSPs). All other CSPs will be blocked. Note the list may change later based on customer feedback:
|
MAM on Windows supports the following configuration service providers (CSPs). All other CSPs will be blocked. Note the list may change later based on customer feedback:
|
||||||
|
|
||||||
- [AppLocker CSP](applocker-csp.md) for configuration of WIP enterprise allowed apps.
|
- [AppLocker CSP](applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
|
||||||
- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
|
- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
|
||||||
- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
|
- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
|
||||||
- [DevInfo CSP](devinfo-csp.md).
|
- [DevInfo CSP](devinfo-csp.md).
|
||||||
- [DMAcc CSP](dmacc-csp.md).
|
- [DMAcc CSP](dmacc-csp.md).
|
||||||
- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL.
|
- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL.
|
||||||
- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has WIP policies.
|
- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has Windows Information Protection policies.
|
||||||
- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
|
- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
|
||||||
- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management.
|
- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management.
|
||||||
- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas.
|
- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas.
|
||||||
- [Reporting CSP](reporting-csp.md) for retrieving WIP logs.
|
- [Reporting CSP](reporting-csp.md) for retrieving Windows Information Protection logs.
|
||||||
- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md).
|
- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md).
|
||||||
- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
|
- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
|
||||||
- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
|
- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
|
||||||
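Review bot: the ClientCertificateInstall bullet in this hunk says "certs" where the rest of the list uses full words; suggest "certificates". The intro sentence "Note the list may change later based on customer feedback" is a caveat rather than part of the list and would be clearer as a [!NOTE] callout. Expanding "WIP" in three bullets while the abbreviation remains defined and used elsewhere on the page is inconsistent.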
@ -116,13 +116,13 @@ MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to
|
|||||||
Windows doesn't support applying both MAM and MDM policies to the same devices. If configured by the admin, users can change their MAM enrollment to MDM.
|
Windows doesn't support applying both MAM and MDM policies to the same devices. If configured by the admin, users can change their MAM enrollment to MDM.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On Windows Home edition, we don't recommend pushing MDM policies to enable users to upgrade.
|
> When users upgrade from MAM to MDM on Windows Home edition, they lose access to Windows Information Protection. On Windows Home edition, we don't recommend pushing MDM policies to enable users to upgrade.
|
||||||
|
|
||||||
To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment.
|
To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment.
|
||||||
|
|
||||||
In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when WIP policies are removed from the device, the user’s access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that:
|
In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when Windows Information Protection policies are removed from the device, the user’s access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that:
|
||||||
|
|
||||||
- Both MAM and MDM policies for the organization support WIP.
|
- Both MAM and MDM policies for the organization support Windows Information Protection.
|
||||||
- EDP CSP Enterprise ID is the same for both MAM and MDM.
|
- EDP CSP Enterprise ID is the same for both MAM and MDM.
|
||||||
- EDP CSP RevokeOnMDMHandoff is set to false.
|
- EDP CSP RevokeOnMDMHandoff is set to false.
|
||||||
|
|
||||||
|
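Review bot: the handoff paragraph in this hunk says access is revoked "unless EDP CSP RevokeOnUnenroll is set to false", and the last bullet says "RevokeOnMDMHandoff is set to false", but both policies are integers with values 0 and 1 (the EnterpriseDataProtection CSP text in this same change describes them as "0 (Don't revoke keys)"); suggest "set to 0" in both places. Also, the paragraph's general statement names RevokeOnUnenroll while the scenario being described is the MAM-to-MDM handoff, which the bullets correctly attribute to RevokeOnMDMHandoff; have the paragraph name RevokeOnMDMHandoff so the two do not appear to disagree.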
@ -68,12 +68,12 @@ manager: dansimp
|
|||||||
|
|
||||||
<!--/Scope-->
|
<!--/Scope-->
|
||||||
<!--Description-->
|
<!--Description-->
|
||||||
Specifies whether user is allowed to add non-MSA email accounts.
|
Specifies whether user is allowed to add email accounts other than Microsoft account.
|
||||||
|
|
||||||
Most restricted value is 0.
|
Most restricted value is 0.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> This policy will only block UI/UX-based methods for adding non-Microsoft accounts.
|
> This policy will only block UI/UX-based methods for adding non-Microsoft accounts.
|
||||||
|
|
||||||
<!--/Description-->
|
<!--/Description-->
|
||||||
<!--SupportedValues-->
|
<!--SupportedValues-->
|
||||||
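Review bot: the reworded description "Specifies whether user is allowed to add email accounts other than Microsoft account" drops the article twice; suggest "Specifies whether the user is allowed to add email accounts other than a Microsoft account". The note that the policy "will only block UI/UX-based methods for adding non-Microsoft accounts" is the important caveat here and should stay, since it tells admins this is not a hard control.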
@ -114,7 +114,7 @@ The following list shows the supported values:
|
|||||||
|
|
||||||
<!--/Scope-->
|
<!--/Scope-->
|
||||||
<!--Description-->
|
<!--Description-->
|
||||||
Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services.
|
Specifies whether the user is allowed to use a Microsoft account for non-email related connection authentication and services.
|
||||||
|
|
||||||
Most restricted value is 0.
|
Most restricted value is 0.
|
||||||
|
|
||||||
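Review bot: "non-email related" in the reworded sentence should be hyphenated as "non-email-related"; otherwise replacing the redundant "MSA account" with "a Microsoft account" is correct.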
@ -160,10 +160,10 @@ The following list shows the supported values:
|
|||||||
Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service.
|
Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
|
> If the Microsoft account service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app.
|
> If the Microsoft account service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the Microsoft account ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app.
|
||||||
|
|
||||||
<!--/Description-->
|
<!--/Description-->
|
||||||
<!--SupportedValues-->
|
<!--SupportedValues-->
|
||||||
|
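Review bot: the replacement "Microsoft account service" in both NOTE callouts is vaguer than the phrase it replaces. The first line of this hunk names the specific service, "Microsoft Account Sign-In Assistant" (wlidsvc), and both notes describe what breaks when that service is disabled, so name it the same way: "If the Microsoft Account Sign-In Assistant (wlidsvc) service is disabled, ...". That gives an admin the exact service to check when feature updates stop being offered or Subscription Activation silently fails. While here, "Allows IT Admins the ability to disable" reads better as "Allows IT admins to disable", and "Windows 10 1709 or higher" as "Windows 10, version 1709 or later", matching the "Added in Windows 10, version 1703" wording in the same hunk.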
@ -105,8 +105,8 @@ On a device where this policy is configured, the user specified in the policy wi
|
|||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
>
|
>
|
||||||
- Some events such as major OS updates may require the specified user to logon to the device again, to resume auto-logon behavior.
|
> - Some events such as major OS updates may require the specified user to logon to the device again to resume auto-logon behavior.
|
||||||
> - Auto-logon is only supported for MSA and AAD users.
|
> - Auto-logon is only supported for Microsoft account and AAD users.
|
||||||
|
|
||||||
<!--/SupportedSKUs-->
|
<!--/SupportedSKUs-->
|
||||||
<hr/>
|
<hr/>
|
||||||
|
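Review bot: adding the missing `>` prefix to the first bullet is the right fix; without it that bullet rendered outside the NOTE callout while the second bullet stayed inside. Two style points on the changed lines: "logon" is the noun form, so "require the specified user to log on to the device again" is correct (and "auto-logon behavior" stays as is); and expanding only one abbreviation leaves "Microsoft account and AAD users" half-expanded, so write "Microsoft account and Azure AD users".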
@ -88,7 +88,7 @@ Specifies the ending time for retrieving logs.
|
|||||||
- Supported operations are Get and Replace.
|
- Supported operations are Get and Replace.
|
||||||
|
|
||||||
<a href="" id="type"></a>**Type**
|
<a href="" id="type"></a>**Type**
|
||||||
Added in Windows 10, version 1703. Specifies the type of logs to retrieve. You can use this policy to retrieve the WIP learning logs.
|
Added in Windows 10, version 1703. Specifies the type of logs to retrieve. You can use this policy to retrieve the Windows Information Protection learning logs.
|
||||||
|
|
||||||
- Value type is integer.
|
- Value type is integer.
|
||||||
- Supported operations are Get and Replace.
|
- Supported operations are Get and Replace.
|
||||||
|
@ -30,7 +30,7 @@ The VPNv2 configuration service provider allows the mobile device management (MD
|
|||||||
Here are the requirements for this CSP:
|
Here are the requirements for this CSP:
|
||||||
|
|
||||||
- VPN configuration commands must be wrapped in an Atomic block in SyncML.
|
- VPN configuration commands must be wrapped in an Atomic block in SyncML.
|
||||||
- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you're using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure WIP policies.
|
- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you're using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure Windows Information Protection policies.
|
||||||
- Instead of changing individual properties, follow these steps to make any changes:
|
- Instead of changing individual properties, follow these steps to make any changes:
|
||||||
|
|
||||||
- Send a Delete command for the ProfileName to delete the entire profile.
|
- Send a Delete command for the ProfileName to delete the entire profile.
|
||||||
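Review bot: the changed bullet now defines the abbreviation and then declines to use it: "Windows Information Protection (WIP) (formerly known as Enterprise Data Protection)" is followed in the same sentence by "configure Windows Information Protection policies". Either keep "WIP policies" after the definition or drop "(WIP)" from the definition. Also "(WIP) (formerly known as Enterprise Data Protection)" reads better as a single parenthetical, "(WIP, formerly known as Enterprise Data Protection)".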
@ -541,9 +541,9 @@ If no inbound filter is provided, then by default all unsolicited inbound traffi
|
|||||||
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
|
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
|
||||||
|
|
||||||
<a href="" id="vpnv2-profilename-edpmodeid"></a>**VPNv2/**<em>ProfileName</em>**/EdpModeId**
|
<a href="" id="vpnv2-profilename-edpmodeid"></a>**VPNv2/**<em>ProfileName</em>**/EdpModeId**
|
||||||
Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this ID is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
|
Enterprise ID, which is required for connecting this VPN profile with a Windows Information Protection policy. When this ID is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
|
||||||
|
|
||||||
Additionally when a connection is being established with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin doesn't have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the WIP policies and App lists automatically takes effect.
|
Additionally when a connection is being established with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin doesn't have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the Windows Information Protection policies and App lists automatically takes effect.
|
||||||
|
|
||||||
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
|
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
|
||||||
|
|
||||||
|
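Review bot: the second changed paragraph has the same definition-then-expansion problem and a grammar error the rename did not touch: "because the Windows Information Protection policies and App lists automatically takes effect" needs the plural "take effect", "Additionally when" needs a comma after "Additionally", and "(WIP)(formerly" needs a space. Since this paragraph is where WIP is defined, "WIP policies and app lists" is the consistent choice within the hunk.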
@ -161,7 +161,7 @@ Value type is bool.
|
|||||||
Supported operation is Get.
|
Supported operation is Get.
|
||||||
|
|
||||||
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis-msaserviceenabled"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis/MsaServiceEnabled**
|
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis-msaserviceenabled"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis/MsaServiceEnabled**
|
||||||
A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.
|
A boolean value representing whether the Microsoft account service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.
|
||||||
|
|
||||||
Value type is bool.
|
Value type is bool.
|
||||||
|
|
||||||
|
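Review bot: the node is named MsaServiceEnabled, and "Microsoft account service" does not tell the reader which Windows service the boolean reflects. Earlier in this commit the same term refers to the Microsoft Account Sign-In Assistant (wlidsvc), so say so here: "A boolean value representing whether the Microsoft Account Sign-In Assistant (wlidsvc) service is enabled." That gives an admin the exact service name to check when UTC data is not being indexed with Global Device IDs.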
@ -25,7 +25,7 @@ All that's required to use Quick Assist is suitable network and internet connect
|
|||||||
|
|
||||||
### Authentication
|
### Authentication
|
||||||
|
|
||||||
The helper can authenticate when they sign in by using a Microsoft Account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported.
|
The helper can authenticate when they sign in by using a Microsoft account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported.
|
||||||
|
|
||||||
### Network considerations
|
### Network considerations
|
||||||
|
|
||||||
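Review bot: this hunk keeps "(MSA)" after "Microsoft account" while the next hunk in the same file removes it from the endpoint table, so the abbreviation is now defined and then unused in the visible text. Either drop "(MSA)" here as well or keep "(MSA)" in the table row; the capitalization change itself matches the rest of the commit.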
@ -36,7 +36,7 @@ Both the helper and sharer must be able to reach these endpoints over port 443:
|
|||||||
| Domain/Name | Description |
|
| Domain/Name | Description |
|
||||||
|--|--|
|
|--|--|
|
||||||
| `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application |
|
| `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application |
|
||||||
| `*.login.microsoftonline.com` | Required for logging in to the application (MSA) |
|
| `*.login.microsoftonline.com` | Required for logging in to the application (Microsoft account) |
|
||||||
| `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist |
|
| `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist |
|
||||||
| `*.aria.microsoft.com` | Used for accessibility features within the app |
|
| `*.aria.microsoft.com` | Used for accessibility features within the app |
|
||||||
| `*.api.support.microsoft.com` | API access for Quick Assist |
|
| `*.api.support.microsoft.com` | API access for Quick Assist |
|
||||||
|
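Review bot: the Authentication section just above says the helper can sign in with either a Microsoft account or Azure AD, but the changed row describes `*.login.microsoftonline.com` as "Required for logging in to the application (Microsoft account)" only. If that endpoint serves both sign-in paths, write "(Microsoft account or Azure AD)"; if it serves only one, the Authentication section and this row should agree on which, because admins use this table to build their allow lists for port 443.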
@ -15,7 +15,7 @@ ms.topic: troubleshooting
|
|||||||
|
|
||||||
# What version of Windows am I running?
|
# What version of Windows am I running?
|
||||||
|
|
||||||
To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them.
|
To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (GA Channel) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them.
|
||||||
|
|
||||||
## System Properties
|
## System Properties
|
||||||
Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu
|
Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu
|
||||||
|
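Review bot: "(GA Channel)" drops the old name that readers of this troubleshooting page may still know, whereas the LTSC parenthetical keeps "formerly LTSB". For symmetry write "(GA Channel, formerly SAC)". Separately, the unchanged line "Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu" repeats "click" and has no terminal period; "Click **Start** > **Settings** > **System** > **About**." is cleaner.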
@ -27,7 +27,7 @@ There are a few things to be aware of before you start using Cortana in Windows
|
|||||||
|
|
||||||
- **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn't a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy).
|
- **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn't a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy).
|
||||||
|
|
||||||
- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.
|
- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use Windows Information Protection, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.
|
||||||
|
|
||||||
- **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](/office365/troubleshoot/miscellaneous/issues-in-cortana).
|
- **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](/office365/troubleshoot/miscellaneous/issues-in-cortana).
|
||||||
|
|
||||||
|
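Review bot: the changed bullet still uses "WIP" twice before "If you decide to use Windows Information Protection", so the expansion is inconsistent within a single bullet; keep "WIP" after the definition or expand all three occurrences. The bullet label "Windows Information Protection (WIP)." also lacks the bold that the sibling bullets "**Office 365 Trust Center.**" and "**Troubleshooting tips.**" use.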
@ -429,8 +429,8 @@ Application is a container for settings that apply to a particular application.
|
|||||||
|LocalizedNames|An optional name displayed in the UI, localized by a language locale.|
|
|LocalizedNames|An optional name displayed in the UI, localized by a language locale.|
|
||||||
|LocalizedDescriptions|An optional template description localized by a language locale.|
|
|LocalizedDescriptions|An optional template description localized by a language locale.|
|
||||||
|Version|Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).|
|
|Version|Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).|
|
||||||
|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled.|
|
|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If Microsoft account syncing is enabled for a user on a machine, then this template will automatically be disabled.|
|
||||||
|DeferToOffice365|Similar to MSA, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.|
|
|DeferToOffice365|Similar to Microsoft account, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.|
|
||||||
|FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and cannot be changed via WMI or PowerShell.|
|
|FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and cannot be changed via WMI or PowerShell.|
|
||||||
|Processes|A container for a collection of one or more Process elements. For more information, see [Processes](#processes21).|
|
|Processes|A container for a collection of one or more Process elements. For more information, see [Processes](#processes21).|
|
||||||
|Settings|A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see **Settings** in [Data types](#data21)".|
|
|Settings|A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see **Settings** in [Data types](#data21)".|
|
||||||
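Review bot: in the DeferToOffice365 row, "Similar to Microsoft account, this controls whether..." now compares an element to an account type; the original "Similar to MSA" meant the DeferToMSAccount element, so write "Similar to DeferToMSAccount, this controls whether...". Two unchanged nits in the same table: "Office365" and "Office 365" both appear in that row, and the Settings row ends with a stray `"` after `[Data types](#data21)`.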
@ -448,8 +448,8 @@ Common is similar to an Application element, but it is always associated with tw
|
|||||||
|LocalizedNames|An optional name displayed in the UI, localized by a language locale.|
|
|LocalizedNames|An optional name displayed in the UI, localized by a language locale.|
|
||||||
|LocalizedDescriptions|An optional template description localized by a language locale.|
|
|LocalizedDescriptions|An optional template description localized by a language locale.|
|
||||||
|Version|Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).|
|
|Version|Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).|
|
||||||
|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled.|
|
|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If Microsoft account syncing is enabled for a user on a machine, then this template will automatically be disabled.|
|
||||||
|DeferToOffice365|Similar to MSA, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.|
|
|DeferToOffice365|Similar to Microsoft account, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.|
|
||||||
|FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and cannot be changed via WMI or PowerShell.|
|
|FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and cannot be changed via WMI or PowerShell.|
|
||||||
|Settings|A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see **Settings** in [Data types](#data21).|
|
|Settings|A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see **Settings** in [Data types](#data21).|
|
||||||
|
|
||||||
|
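Review bot: same DeferToOffice365 wording issue as in the Application table above; use "Similar to DeferToMSAccount" here too and keep the two tables' shared rows identical (this copy's Settings row correctly lacks the stray quote that the Application copy has).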
@ -41,9 +41,9 @@ The following table lists the minimum Windows 10 version that supports Delivery
|
|||||||
|
|
||||||
| Device type | Minimum Windows version
|
| Device type | Minimum Windows version
|
||||||
|------------------|---------------|
|
|------------------|---------------|
|
||||||
| Computers running Windows 10 | Win 10 1511 |
|
| Computers running Windows 10 | Windows 10 1511 |
|
||||||
| Computers running Server Core installations of Windows Server | Windows Server 2019 |
|
| Computers running Server Core installations of Windows Server | Windows Server 2019 |
|
||||||
| Windows IoT devices | Win 10 1803 |
|
| Windows IoT devices | Windows 10 1803 |
|
||||||
|
|
||||||
### Types of download content supported by Delivery Optimization
|
### Types of download content supported by Delivery Optimization
|
||||||
|
|
||||||
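Review bot: the header row `| Device type | Minimum Windows version` is missing its closing pipe while the separator and data rows have one; add it. For the version column, the CSP pages touched by this same commit write "Windows 10, version 1703", so "Windows 10, version 1511" and "Windows 10, version 1803" would match house style better than "Windows 10 1511".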
@ -51,19 +51,19 @@ The following table lists the minimum Windows 10 version that supports Delivery
|
|||||||
|
|
||||||
| Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC)
|
| Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC)
|
||||||
|------------------|---------------|----------------|----------|----------------|
|
|------------------|---------------|----------------|----------|----------------|
|
||||||
| Windows Update (feature updates quality updates, language packs, drivers) | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
| Windows Update (feature updates quality updates, language packs, drivers) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
||||||
| Windows 10 Store files | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
| Windows 10 Store files | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
||||||
| Windows 10 Store for Business files | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
| Windows 10 Store for Business files | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
||||||
| Windows Defender definition updates | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
| Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
||||||
| Intune Win32 apps| Win 10 1709, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
| Intune Win32 apps| Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
||||||
| Microsoft 365 Apps and updates | Win 10 1709, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
| Microsoft 365 Apps and updates | Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
||||||
| Edge Browser Updates | Win 10 1809, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
| Edge Browser Updates | Windows 10 1809, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
||||||
| Configuration Manager Express updates| Win 10 1709 + Configuration Manager version Win 10 1711, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
| Configuration Manager Express updates| Windows 10 1709 + Configuration Manager version Windows 10 1711, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
||||||
| Dynamic updates| Win 10 1903, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
| Dynamic updates| Windows 10 1903, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
||||||
| MDM Agent | Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
| MDM Agent | Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
|
||||||
| Xbox Game Pass (PC) | Win 10 1809, Win 11 | :heavy_check_mark: | | :heavy_check_mark: |
|
| Xbox Game Pass (PC) | Windows 10 1809, Windows 11 | :heavy_check_mark: | | :heavy_check_mark: |
|
||||||
| Windows Package Manager| Win 10 1809, Win 11 | :heavy_check_mark: | | |
|
| Windows Package Manager| Windows 10 1809, Windows 11 | :heavy_check_mark: | | |
|
||||||
| MSIX | Win 10 2004, Win 11 | :heavy_check_mark: | | |
|
| MSIX | Windows 10 2004, Windows 11 | :heavy_check_mark: | | |
|
||||||
|
|
||||||
#### Windows Server
|
#### Windows Server
|
||||||
|
|
||||||
|
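Review bot: the Configuration Manager Express updates row now reads "Windows 10 1709 + Configuration Manager version Windows 10 1711, Windows 11", which looks like a mechanical "Win 10" replace applied to a Configuration Manager version number; a Configuration Manager version is not a Windows 10 version, so confirm the intended text (likely "Configuration Manager version 1711") before merging. Also the header row is missing its closing pipe, and the first data row needs a comma in "feature updates, quality updates".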
@ -99,7 +99,7 @@ For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP]
|
|||||||
> [!Note]
|
> [!Note]
|
||||||
> For intranet WSUS update service URLs, we provide an option via Windows Update policy to select the proxy behavior.
|
> For intranet WSUS update service URLs, we provide an option via Windows Update policy to select the proxy behavior.
|
||||||
|
|
||||||
For WU URLs that _aren't_ used for update detection, such as for download or reporting:
|
For Windows Update URLs that _aren't_ used for update detection, such as for download or reporting:
|
||||||
- User proxy is attempted.
|
- User proxy is attempted.
|
||||||
- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then the system proxy is attempted.
|
- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then the system proxy is attempted.
|
||||||
|
|
||||||
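Review bot: the hunk header context already defines the abbreviation ("For Windows Update (WU) scans URLs ...") and the changed line then expands it anyway, while the unchanged bullet two lines below still uses "WUA" without ever expanding it. Either keep "WU" after the definition or expand consistently and introduce "Windows Update Agent (WUA)" on first use.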
@ -116,7 +116,7 @@ For WU URLs that _aren't_ used for update detection, such as for download or rep
|
|||||||
|
|
||||||
|Service|ServiceId|
|
|Service|ServiceId|
|
||||||
|-------|---------|
|
|-------|---------|
|
||||||
|Unspecified / Default|WU, MU, or WSUS <br>00000000-0000-0000-0000-000000000000 |
|
|Unspecified / Default|Windows Update, Microsoft Update, or WSUS <br>00000000-0000-0000-0000-000000000000 |
|
||||||
|Windows Update|9482F4B4-E343-43B6-B170-9A65BC822C77|
|
|Windows Update|9482F4B4-E343-43B6-B170-9A65BC822C77|
|
||||||
|Microsoft Update|7971f918-a847-4430-9279-4a52d1efe18d|
|
|Microsoft Update|7971f918-a847-4430-9279-4a52d1efe18d|
|
||||||
|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289|
|
|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289|
|
||||||
|
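Review bot: expanding "WU, MU, or WSUS" is fine. A follow-up nit visible in the same table: the ServiceId GUIDs mix uppercase hex (Windows Update, Store) with lowercase (Microsoft Update); normalizing the casing makes the values easier to copy into scripts and compare against the all-zero default.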
@ -81,7 +81,7 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru
|
|||||||
| 51 | Unexpected exception when attempting to run Census.exe|
|
| 51 | Unexpected exception when attempting to run Census.exe|
|
||||||
| 52 | Could not find Census.exe|
|
| 52 | Could not find Census.exe|
|
||||||
| 53 | There are conflicting CommercialID values.|
|
| 53 | There are conflicting CommercialID values.|
|
||||||
| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.|
|
| 54 | Microsoft account (MSA) Sign In Assistant Service disabled.|
|
||||||
| 55 | Failed to create new registry path for SetDeviceNameOptIn|
|
| 55 | Failed to create new registry path for SetDeviceNameOptIn|
|
||||||
| 56 | Failed to create property for SetDeviceNameOptIn at registry path|
|
| 56 | Failed to create property for SetDeviceNameOptIn at registry path|
|
||||||
| 57 | Failed to update value for SetDeviceNameOptIn|
|
| 57 | Failed to update value for SetDeviceNameOptIn|
|
||||||
|
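Review bot: the rewrite "Microsoft account (MSA) Sign In Assistant Service disabled." splits the service's display name, which this same commit writes elsewhere as "Microsoft Account Sign-In Assistant" (wlidsvc). Error-code text is what an admin searches for, so keep the name whole: "Microsoft Account Sign-In Assistant (wlidsvc) service is disabled."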
@ -45,8 +45,8 @@ This section lists the error codes for Microsoft Windows Update.
|
|||||||
| 0x80243002 | `WU_E_INSTALLATION_RESULTS_INVALID_DATA` | The results of download and installation could not be read from the registry due to an invalid data format. |
|
| 0x80243002 | `WU_E_INSTALLATION_RESULTS_INVALID_DATA` | The results of download and installation could not be read from the registry due to an invalid data format. |
|
||||||
| 0x80243003 | `WU_E_INSTALLATION_RESULTS_NOT_FOUND` | The results of download and installation are not available; the operation may have failed to start. |
|
| 0x80243003 | `WU_E_INSTALLATION_RESULTS_NOT_FOUND` | The results of download and installation are not available; the operation may have failed to start. |
|
||||||
| 0x80243004 | `WU_E_TRAYICON_FAILURE` | A failure occurred when trying to create an icon in the taskbar notification area. |
|
| 0x80243004 | `WU_E_TRAYICON_FAILURE` | A failure occurred when trying to create an icon in the taskbar notification area. |
|
||||||
| 0x80243FFD | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; WU client UI modules may not be installed. |
|
| 0x80243FFD | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; Windows Update client UI modules may not be installed. |
|
||||||
| 0x80243FFE | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of WU client UI exported functions. |
|
| 0x80243FFE | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of Windows Update client UI exported functions. |
|
||||||
| 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. |
|
| 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. |
|
||||||
| 0x8024043D | `WU_E_SERVICEPROP_NOTAVAIL` | The requested service property is not available. |
|
| 0x8024043D | `WU_E_SERVICEPROP_NOTAVAIL` | The requested service property is not available. |
|
||||||
|
|
||||||
|
@ -47,8 +47,8 @@ To understand the changes to the Windows Update architecture that UUP introduces
|
|||||||
>
|
>
|
||||||
>Store apps aren't installed by USO, today they are separate.
|
>Store apps aren't installed by USO, today they are separate.
|
||||||
|
|
||||||
- **WU Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller.
|
- **Windows Update Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller.
|
||||||
- **WU Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date.
|
- **Windows Update Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date.
|
||||||
- **Deployment Arbiter**- A deployment manager that calls different installers. For example, CBS.
|
- **Deployment Arbiter**- A deployment manager that calls different installers. For example, CBS.
|
||||||
|
|
||||||
Additional components include the following-
|
Additional components include the following-
|
||||||
|
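Review bot: the renamed bullets keep the spacing and punctuation glitches that surrounded the abbreviation: "Client/ UpdateAgent" should be "Client/UpdateAgent", "Arbiter handle**-" needs a space before the dash like the other bullets, and "as well as starts stage and commit operations" should be "as well as start stage and commit operations". The closing line "Additional components include the following-" should end with a colon.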
@ -42,7 +42,7 @@ The following table describes some log files and how to use them for troubleshoo
|
|||||||
|setupact.log|Post-upgrade (after OOBE):<br>Windows\Panther|Contains information about setup actions during the installation.|Investigate post-upgrade related issues.|
|
|setupact.log|Post-upgrade (after OOBE):<br>Windows\Panther|Contains information about setup actions during the installation.|Investigate post-upgrade related issues.|
|
||||||
|setuperr.log|Same as setupact.log|Contains information about setup errors during the installation.|Review all errors encountered during the installation phase.|
|
|setuperr.log|Same as setupact.log|Contains information about setup errors during the installation.|Review all errors encountered during the installation phase.|
|
||||||
|miglog.xml|Post-upgrade (after OOBE):<br>Windows\Panther|Contains information about what was migrated during the installation.|Identify post upgrade data migration issues.|
|
|miglog.xml|Post-upgrade (after OOBE):<br>Windows\Panther|Contains information about what was migrated during the installation.|Identify post upgrade data migration issues.|
|
||||||
|BlueBox.log|Down-Level:<br>Windows\Logs\Mosetup|Contains information communication between setup.exe and Windows Update.|Use during WSUS and WU down-level failures or for 0xC1900107.|
|
|BlueBox.log|Down-Level:<br>Windows\Logs\Mosetup|Contains information communication between setup.exe and Windows Update.|Use during WSUS and Windows Update down-level failures or for 0xC1900107.|
|
||||||
|Supplemental rollback logs:<br>Setupmem.dmp<br>setupapi.dev.log<br>Event logs (*.evtx)|$Windows.~BT\Sources\Rollback|Additional logs collected during rollback.|Setupmem.dmp: If OS bug checks during upgrade, setup will attempt to extract a mini-dump.<br>Setupapi: Device install issues - 0x30018<br>Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.|
|
|Supplemental rollback logs:<br>Setupmem.dmp<br>setupapi.dev.log<br>Event logs (*.evtx)|$Windows.~BT\Sources\Rollback|Additional logs collected during rollback.|Setupmem.dmp: If OS bug checks during upgrade, setup will attempt to extract a mini-dump.<br>Setupapi: Device install issues - 0x30018<br>Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.|
|
||||||
|
|
||||||
## Log entry structure
|
## Log entry structure
|
||||||
|
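Review bot: the BlueBox.log row still reads "Contains information communication between setup.exe and Windows Update"; insert "about": "Contains information about communication between setup.exe and Windows Update". The expansion of WU in the last column is fine and matches the rest of the commit.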
@ -189,5 +189,5 @@ Also see the following sequential list of modern setup (mosetup) error codes wit
|
|||||||
- [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
|
- [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
|
||||||
- [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/home?category=Windows10ITPro)
|
- [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/home?category=Windows10ITPro)
|
||||||
- [Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors)
|
- [Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors)
|
||||||
- [Win 7 to Win 10 upgrade error (0x800707E7 - 0x3000D)](https://answers.microsoft.com/en-us/windows/forum/all/win-7-to-win-10-upgrade-error-0x800707e7-0x3000d/1273bc1e-8a04-44d4-a6b2-808c9feeb020))
|
- [Windows 7 to Windows 10 upgrade error (0x800707E7 - 0x3000D)](https://answers.microsoft.com/en-us/windows/forum/all/win-7-to-win-10-upgrade-error-0x800707e7-0x3000d/1273bc1e-8a04-44d4-a6b2-808c9feeb020))
|
||||||
- [Win 10 upgrade error: User profile suffix mismatch, 0x800707E7 - 0x3000D](https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/win-10-upgrade-error-user-profile-suffix-mismatch/0f006733-2af5-4b42-a2d4-863fad05273d?page=3)
|
- [Windows 10 upgrade error: User profile suffix mismatch, 0x800707E7 - 0x3000D](https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/win-10-upgrade-error-user-profile-suffix-mismatch/0f006733-2af5-4b42-a2d4-863fad05273d?page=3)
|
||||||
|
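Review bot: the first renamed link still ends with a doubled closing parenthesis, `...1273bc1e-8a04-44d4-a6b2-808c9feeb020))`, so a stray `)` renders after the link text; drop the extra one while the line is being rewritten. The second item (`...0f006733-2af5-4b42-a2d4-863fad05273d?page=3)`) is fine.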
@ -298,7 +298,7 @@ Each rule name and its associated unique rule identifier are listed with a descr
|
|||||||
39. WimApplyExtractFailure – 746879E9-C9C5-488C-8D4B-0C811FF3A9A8
|
39. WimApplyExtractFailure – 746879E9-C9C5-488C-8D4B-0C811FF3A9A8
|
||||||
- Matches a wim apply failure during wim extraction phases of setup. Will output the extension, path and error code.
|
- Matches a wim apply failure during wim extraction phases of setup. Will output the extension, path and error code.
|
||||||
40. UpdateAgentExpanderFailure – 66E496B3-7D19-47FA-B19B-4040B9FD17E2
|
40. UpdateAgentExpanderFailure – 66E496B3-7D19-47FA-B19B-4040B9FD17E2
|
||||||
- Matches DPX expander failures in the down-level phase of update from WU. Will output the package name, function, expression and error code.
|
- Matches DPX expander failures in the down-level phase of update from Windows Update. Will output the package name, function, expression and error code.
|
||||||
41. FindFatalPluginFailure – E48E3F1C-26F6-4AFB-859B-BF637DA49636
|
41. FindFatalPluginFailure – E48E3F1C-26F6-4AFB-859B-BF637DA49636
|
||||||
- Matches any plug-in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code.
|
- Matches any plug-in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code.
|
||||||
42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC
|
42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC
|
||||||
|
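Review bot: rule 41 in the unchanged context uses both spellings in one bullet ("Matches any plug-in failure ... Will output the plugin name"); since rule 40 in this hunk is being edited for terminology consistency, pick one form for the neighbouring bullet as well.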
@ -57,15 +57,15 @@ X = unsupported <BR>
|
|||||||
| **Home > Pro for Workstations** |  |  |  |  |  |  |
|
| **Home > Pro for Workstations** |  |  |  |  |  |  |
|
||||||
| **Home > Pro Education** |  |  |  |  |  |  |
|
| **Home > Pro Education** |  |  |  |  |  |  |
|
||||||
| **Home > Education** |  |  |  |  |  |  |
|
| **Home > Education** |  |  |  |  |  |  |
|
||||||
| **Pro > Pro for Workstations** |  |  |  |  <br>(MSfB) |  |  |
|
| **Pro > Pro for Workstations** |  |  |  |  <br>(Microsoft Store for Business) |  |  |
|
||||||
| **Pro > Pro Education** |  |  |  |  <br>(MSfB) |  |  |
|
| **Pro > Pro Education** |  |  |  |  <br>(Microsoft Store for Business) |  |  |
|
||||||
| **Pro > Education** |  |  |  |  <br>(MSfB) |  |  |
|
| **Pro > Education** |  |  |  |  <br>(Microsoft Store for Business) |  |  |
|
||||||
| **Pro > Enterprise** |  |  |  |  <br>(1703 - PC)<br>(1709 - MSfB) |  |  |
|
| **Pro > Enterprise** |  |  |  |  <br>(1703 - PC)<br>(1709 - Microsoft Store for Business) |  |  |
|
||||||
| **Pro for Workstations > Pro Education** |  |  |  |  <br>(MSfB) |  |  |
|
| **Pro for Workstations > Pro Education** |  |  |  |  <br>(Microsoft Store for Business) |  |  |
|
||||||
| **Pro for Workstations > Education** |  |  |  |  <br>(MSfB) |  |  |
|
| **Pro for Workstations > Education** |  |  |  |  <br>(Microsoft Store for Business) |  |  |
|
||||||
| **Pro for Workstations > Enterprise** |  |  |  |  <br>(1703 - PC)<br>(1709 - MSfB) |  |  |
|
| **Pro for Workstations > Enterprise** |  |  |  |  <br>(1703 - PC)<br>(1709 - Microsoft Store for Business) |  |  |
|
||||||
| **Pro Education > Education** |  |  |  |  <br>(MSfB) |  |  |
|
| **Pro Education > Education** |  |  |  |  <br>(Microsoft Store for Business) |  |  |
|
||||||
| **Enterprise > Education** |  |  |  |  <br>(MSfB) |  |  |
|
| **Enterprise > Education** |  |  |  |  <br>(Microsoft Store for Business) |  |  |
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md)
|
> - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md)
|
||||||
|
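Review bot: spelling out "Microsoft Store for Business" in every affected cell of the upgrade matrix repeats the phrase nine times in this hunk and noticeably widens that column; the table already has a legend (the "X = unsupported" line in the hunk header), so consider defining MSfB once there and keeping the short form in the cells, or at least confirm the rendered table still fits on the page.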
@ -30,7 +30,7 @@ If you are also migrating to a different edition of Windows, see [Windows 10 edi
|
|||||||
|
|
||||||
- **In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 General Availability Channel](/windows/release-health/release-information)** to Windows 10 LTSC is not supported. Windows 10 LTSC 2015 did not block this in-place upgrade path. This issue was corrected in the Windows 10 LTSC 2016 release, which only allows data-only and clean install options.
|
- **In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 General Availability Channel](/windows/release-health/release-information)** to Windows 10 LTSC is not supported. Windows 10 LTSC 2015 did not block this in-place upgrade path. This issue was corrected in the Windows 10 LTSC 2016 release, which only allows data-only and clean install options.
|
||||||
|
|
||||||
You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`.
|
You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 GA Channel product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`.
|
||||||
|
|
||||||
- **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
|
- **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
|
||||||
|
|
||||||
|
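Review bot: the replacement "Windows 10 GA Channel product key" introduces a third name for the same channel in one paragraph, which already says "Windows 10 General Availability Channel" twice; use the full "General Availability Channel" here as well. While editing this line, also fix the duplicated word in "the option **Keep personal files and apps** option is grayed out".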
@ -14,6 +14,9 @@ msreviewer: hathind
|
|||||||
|
|
||||||
# Add and verify admin contacts
|
# Add and verify admin contacts
|
||||||
|
|
||||||
|
> [!IMPORTANT]
|
||||||
|
> The Admin contacts blade isn't available during public preview. However, we'll use the admin contacts provided by you during public preview onboarding.
|
||||||
|
|
||||||
There are several ways that Windows Autopatch service communicates with customers. To streamline communication and ensure we're checking with the right people when you [submit a support request](../operate/windows-autopatch-support-request.md), you must provide a set of admin contacts when you onboard with Windows Autopatch.
|
There are several ways that Windows Autopatch service communicates with customers. To streamline communication and ensure we're checking with the right people when you [submit a support request](../operate/windows-autopatch-support-request.md), you must provide a set of admin contacts when you onboard with Windows Autopatch.
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
|
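Review bot: the added IMPORTANT note refers to "The Admin contacts blade" before the page has introduced admin contacts at all; the explanatory paragraph ("There are several ways that Windows Autopatch service communicates with customers...") comes after it. Consider placing the note after that paragraph, or naming the portal/blade location in the note so it stands on its own.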
@ -14,7 +14,7 @@ msreviewer: hathind
|
|||||||
|
|
||||||
# Microsoft Edge
|
# Microsoft Edge
|
||||||
|
|
||||||
Windows Autopatch uses the [Stable channel](/deployedge/microsoft-edge-channels%22%20/l%20%22stable-channel) of Microsoft Edge.
|
Windows Autopatch uses the [Stable Channel](/deployedge/microsoft-edge-channels#stable-channel) of Microsoft Edge.
|
||||||
|
|
||||||
## Device eligibility
|
## Device eligibility
|
||||||
|
|
||||||
@ -31,7 +31,7 @@ Microsoft Edge will check for updates every 10 hours. Quality updates occur week
|
|||||||
|
|
||||||
Browser updates with critical security fixes will have a faster rollout cadence than updates that don't have critical security fixes to ensure prompt protection from vulnerabilities.
|
Browser updates with critical security fixes will have a faster rollout cadence than updates that don't have critical security fixes to ensure prompt protection from vulnerabilities.
|
||||||
|
|
||||||
Devices in the Test device group receive feature updates from the [Beta channel](/deployedge/microsoft-edge-channels#beta-channel). This channel is fully supported and automatically updated with new features approximately every four weeks.
|
Devices in the Test device group receive feature updates from the [Beta Channel](/deployedge/microsoft-edge-channels#beta-channel). This channel is fully supported and automatically updated with new features approximately every four weeks.
|
||||||
|
|
||||||
## Pausing and resuming updates
|
## Pausing and resuming updates
|
||||||
|
|
||||||
|
@ -396,7 +396,7 @@ For the purposes of this demo, select **All** under the **MDM user scope** and s
|
|||||||
|
|
||||||
## Register your VM
|
## Register your VM
|
||||||
|
|
||||||
Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but *only pick one* for the purposes of this lab. It's highly recommended that you use Intune rather than MSfB.
|
Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but *only pick one* for the purposes of this lab. It's highly recommended that you use Intune rather than Microsoft Store for Business.
|
||||||
|
|
||||||
### Autopilot registration using Intune
|
### Autopilot registration using Intune
|
||||||
|
|
||||||
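Review bot: the first sentence still introduces the abbreviation "(MSfB)", but the sentence this hunk changes no longer uses it, and the other hunks in this file expand the remaining occurrences too; remove the parenthetical definition so it does not dangle, or keep the short form in the recommendation sentence.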
@ -430,7 +430,7 @@ Optional: see the following video for an overview of the process.
|
|||||||
|
|
||||||
> [!video https://www.youtube.com/embed/IpLIZU_j7Z0]
|
> [!video https://www.youtube.com/embed/IpLIZU_j7Z0]
|
||||||
|
|
||||||
First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](/microsoft-store/windows-store-for-business-overview) to create a new one.
|
First, you need a Microsoft Store for Business account. You can use the same one you created above for Intune, or follow [these instructions](/microsoft-store/windows-store-for-business-overview) to create a new one.
|
||||||
|
|
||||||
Next, to sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) with your test account, select **Sign in** on the upper-right-corner of the main page.
|
Next, to sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) with your test account, select **Sign in** on the upper-right-corner of the main page.
|
||||||
|
|
||||||
@ -445,16 +445,16 @@ Select the **Add devices** link to upload your CSV file. A message appears that
|
|||||||
## Create and assign a Windows Autopilot deployment profile
|
## Create and assign a Windows Autopilot deployment profile
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only *pick one for the purposes of this lab*:
|
> Autopilot profiles can be created and assigned to your registered VM or device either through Intune or Microsoft Store for Business. Both processes are shown here, but only *pick one for the purposes of this lab*:
|
||||||
|
|
||||||
Pick one:
|
Pick one:
|
||||||
- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
|
- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
|
||||||
- [Create profiles using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
|
- [Create profiles using Microsoft Store for Business](#create-a-windows-autopilot-deployment-profile-using-msfb)
|
||||||
|
|
||||||
### Create a Windows Autopilot deployment profile using Intune
|
### Create a Windows Autopilot deployment profile using Intune
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Even if you registered your device in MSfB, it still appears in Intune. Although, you might have to **sync** and then **refresh** your device list.
|
> Even if you registered your device in Microsoft Store for Business, it still appears in Intune. Although, you might have to **sync** and then **refresh** your device list.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
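Review bot: the link text changes to "Create profiles using Microsoft Store for Business" but the fragment stays `#create-a-windows-autopilot-deployment-profile-using-msfb`; if the target heading is renamed in the same way (as the heading-style changes elsewhere in this file suggest), the generated anchor changes and this link breaks, so confirm the heading text and fragment still match. Minor: "Although, you might have to **sync**" should not have a comma after "Although".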
@ -533,13 +533,13 @@ Select **OK**, and then select **Create**.
|
|||||||
|
|
||||||
If you already created and assigned a profile via Intune with the steps immediately above, then skip this section.
|
If you already created and assigned a profile via Intune with the steps immediately above, then skip this section.
|
||||||
|
|
||||||
A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below.
|
A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in Microsoft Store for Business. These steps are also summarized below.
|
||||||
|
|
||||||
First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab.
|
First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab.
|
||||||
|
|
||||||
Select **Manage** from the top menu, then select **Devices** from the left navigation tree.
|
Select **Manage** from the top menu, then select **Devices** from the left navigation tree.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
Select the **Windows Autopilot Deployment Program** link in the **Devices** tile.
|
Select the **Windows Autopilot Deployment Program** link in the **Devices** tile.
|
||||||
|
|
||||||
@ -548,17 +548,17 @@ To CREATE the profile:
|
|||||||
Select your device from the **Devices** list:
|
Select your device from the **Devices** list:
|
||||||
|
|
||||||
> [!div class="mx-imgBorder"]
|
> [!div class="mx-imgBorder"]
|
||||||
> 
|
> 
|
||||||
|
|
||||||
On the Autopilot deployment dropdown menu, select **Create new profile**:
|
On the Autopilot deployment dropdown menu, select **Create new profile**:
|
||||||
|
|
||||||
> [!div class="mx-imgBorder"]
|
> [!div class="mx-imgBorder"]
|
||||||
> 
|
> 
|
||||||
|
|
||||||
Name the profile, choose your desired settings, and then select **Create**:
|
Name the profile, choose your desired settings, and then select **Create**:
|
||||||
|
|
||||||
> [!div class="mx-imgBorder"]
|
> [!div class="mx-imgBorder"]
|
||||||
> 
|
> 
|
||||||
|
|
||||||
The new profile is added to the Autopilot deployment list.
|
The new profile is added to the Autopilot deployment list.
|
||||||
|
|
||||||
@ -567,12 +567,12 @@ To ASSIGN the profile:
|
|||||||
To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab. Then, select the profile you want to assign from the **Autopilot deployment** dropdown menu, as shown:
|
To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab. Then, select the profile you want to assign from the **Autopilot deployment** dropdown menu, as shown:
|
||||||
|
|
||||||
> [!div class="mx-imgBorder"]
|
> [!div class="mx-imgBorder"]
|
||||||
> 
|
> 
|
||||||
|
|
||||||
To confirm the profile was successfully assigned to the intended device, check the contents of the **Profile** column:
|
To confirm the profile was successfully assigned to the intended device, check the contents of the **Profile** column:
|
||||||
|
|
||||||
> [!div class="mx-imgBorder"]
|
> [!div class="mx-imgBorder"]
|
||||||
> 
|
> 
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> The new profile is only applied if the device hasn't started and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
|
> The new profile is only applied if the device hasn't started and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
|
||||||
@ -609,7 +609,7 @@ Windows Autopilot takes over to automatically join your device into Azure AD and
|
|||||||
|
|
||||||
## Remove devices from Autopilot
|
## Remove devices from Autopilot
|
||||||
|
|
||||||
To use the device (or VM) for other purposes after completion of this lab, you need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found at [Enroll Windows devices in Intune by using Windows Autopilot](/intune/enrollment-autopilot#create-an-autopilot-device-group), [Remove devices by using wipe, retire, or manually unenrolling the device](/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal), and below.
|
To use the device (or VM) for other purposes after completion of this lab, you need to remove (deregister) it from Autopilot via either Intune or Microsoft Store for Business, and then reset it. Instructions for deregistering devices can be found at [Enroll Windows devices in Intune by using Windows Autopilot](/intune/enrollment-autopilot#create-an-autopilot-device-group), [Remove devices by using wipe, retire, or manually unenrolling the device](/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal), and below.
|
||||||
|
|
||||||
### Delete (deregister) Autopilot device
|
### Delete (deregister) Autopilot device
|
||||||
|
|
||||||
|
@ -1584,9 +1584,9 @@ The following fields are available:
|
|||||||
- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
|
- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
|
||||||
- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
|
- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
|
||||||
- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
|
- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
|
||||||
- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
|
- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network.
|
||||||
- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
|
- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
|
||||||
- **WUPauseState** Retrieves WU setting to determine if updates are paused.
|
- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused.
|
||||||
- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
|
- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
|
||||||
|
|
||||||
|
|
||||||
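Review bot: the edited **WUDODownloadMode** description is still missing a sentence break: "...how to acquire/distribute updates Delivery Optimization (DO) allows users..." should be "...how to acquire/distribute updates. Delivery Optimization (DO) allows users...". Since the line is being rewritten, fix it here; the same field text appears in several other files in this change.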
@ -4281,7 +4281,7 @@ The following fields are available:
|
|||||||
- **DeviceModel** What is the device model.
|
- **DeviceModel** What is the device model.
|
||||||
- **DeviceOEM** What OEM does this device belong to.
|
- **DeviceOEM** What OEM does this device belong to.
|
||||||
- **DownloadPriority** The priority of the download activity.
|
- **DownloadPriority** The priority of the download activity.
|
||||||
- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
|
- **DownloadScenarioId** A unique ID for a given download used to tie together Windows Update and DO events.
|
||||||
- **DriverPingBack** Contains information about the previous driver and system state.
|
- **DriverPingBack** Contains information about the previous driver and system state.
|
||||||
- **Edition** Indicates the edition of Windows being used.
|
- **Edition** Indicates the edition of Windows being used.
|
||||||
- **EventInstanceID** A globally unique identifier for event instance.
|
- **EventInstanceID** A globally unique identifier for event instance.
|
||||||
|
@ -1681,9 +1681,9 @@ The following fields are available:
|
|||||||
- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
|
- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
|
||||||
- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
|
- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
|
||||||
- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
|
- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
|
||||||
- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
|
- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update(WU) updates to other devices on the same network.
|
||||||
- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
|
- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
|
||||||
- **WUPauseState** Retrieves WU setting to determine if updates are paused.
|
- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused.
|
||||||
- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
|
- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
|
||||||
|
|
||||||
|
|
||||||
|
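Review bot: "Windows Update(WU)" in the edited **WUDODownloadMode** line is missing the space before the parenthesis, unlike the same field in the other files touched by this change, which use "Windows Update (WU)". Also add the missing period between "acquire/distribute updates" and "Delivery Optimization (DO) allows...".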
@ -1829,9 +1829,9 @@ The following fields are available:
|
|||||||
- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
|
- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
|
||||||
- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
|
- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
|
||||||
- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
|
- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
|
||||||
- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
|
- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network.
|
||||||
- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
|
- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
|
||||||
- **WUPauseState** Retrieves WU setting to determine if updates are paused.
|
- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused.
|
||||||
- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
|
- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
|
||||||
|
|
||||||
|
|
||||||
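Review bot: the **WUDODownloadMode** description in this file has the same run-on as its siblings: "...how to acquire/distribute updates Delivery Optimization (DO) allows..." needs a period after "updates". Worth fixing in the same pass so all copies of the field text stay identical.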
@ -6126,7 +6126,7 @@ This event sends data regarding OS Updates and Upgrades from Windows 7.X, Window
|
|||||||
The following fields are available:
|
The following fields are available:
|
||||||
|
|
||||||
- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
||||||
- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
||||||
- **HostOSBuildNumber** The build number of the previous operating system.
|
- **HostOSBuildNumber** The build number of the previous operating system.
|
||||||
- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
|
- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
|
||||||
- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
|
- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
|
||||||
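Review bot: after this edit **FlightData** has exactly the same description as **ClientId** directly above it ("...this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360..."). That looks like a copy-paste in the source text rather than what a flight-data field carries; please confirm the intended description with the owning team before the terminology change locks it in.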
@ -8188,7 +8188,7 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O
|
|||||||
|
|
||||||
The following fields are available:
|
The following fields are available:
|
||||||
|
|
||||||
- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
||||||
- **FlightId** Unique identifier for each flight.
|
- **FlightId** Unique identifier for each flight.
|
||||||
- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
|
- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
|
||||||
- **MitigationScenario** The update scenario in which the mitigation was executed.
|
- **MitigationScenario** The update scenario in which the mitigation was executed.
|
||||||
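Review bot: the unchanged context line "**InstanceId** Unique GUID that identifies each instances of setuphost.exe" has a number-agreement error ("each instances"); since the ClientId line right above it is being rewritten, fix it to "each instance" in the same hunk.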
@ -8210,7 +8210,7 @@ This event sends data specific to the FixupEditionId mitigation used for OS upda
|
|||||||
|
|
||||||
The following fields are available:
|
The following fields are available:
|
||||||
|
|
||||||
- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
||||||
- **EditionIdUpdated** Determine whether EditionId was changed.
|
- **EditionIdUpdated** Determine whether EditionId was changed.
|
||||||
- **FlightId** Unique identifier for each flight.
|
- **FlightId** Unique identifier for each flight.
|
||||||
- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
|
- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
|
||||||
|
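Review bot: same grammar slip here as in the FixAppXReparsePoints event: "identifies each instances of setuphost.exe" should read "each instance"; one-word fix in a line adjacent to the one already being changed.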
@ -2574,9 +2574,9 @@ The following fields are available:
|
|||||||
- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
|
- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
|
||||||
- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
|
- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
|
||||||
- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
|
- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
|
||||||
- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
|
- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network.
|
||||||
- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
|
- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
|
||||||
- **WUPauseState** Retrieves WU setting to determine if updates are paused.
|
- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused.
|
||||||
- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
|
- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
|
||||||
|
|
||||||
|
|
||||||
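Review bot: the **WUDODownloadMode** description again runs two sentences together ("...acquire/distribute updates Delivery Optimization (DO) allows users..."); insert the period after "updates" while the line is being edited so this copy matches the corrected wording used for the other files.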
@ -4236,7 +4236,7 @@ The following fields are available:
|
|||||||
- **FlightId** The ID of the Windows Insider build the device received.
|
- **FlightId** The ID of the Windows Insider build the device received.
|
||||||
- **InstallDate** The date the driver was installed.
|
- **InstallDate** The date the driver was installed.
|
||||||
- **InstallFlags** The driver installation flags.
|
- **InstallFlags** The driver installation flags.
|
||||||
- **OptionalData** Metadata specific to WU (Windows Update) associated with the driver (flight IDs, recovery IDs, etc.)
|
- **OptionalData** Metadata specific to Windows Update (WU) associated with the driver (flight IDs, recovery IDs, etc.)
|
||||||
- **RebootRequired** Indicates whether a reboot is required after the installation.
|
- **RebootRequired** Indicates whether a reboot is required after the installation.
|
||||||
- **RollbackPossible** Indicates whether this driver can be rolled back.
|
- **RollbackPossible** Indicates whether this driver can be rolled back.
|
||||||
- **WuTargetedHardwareId** Indicates that the driver was installed because the device hardware ID was targeted by the Windows Update.
|
- **WuTargetedHardwareId** Indicates that the driver was installed because the device hardware ID was targeted by the Windows Update.
|
||||||
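Review bot: the unchanged WuTargetedHardwareId context line in this hunk reads "targeted by the Windows Update"; the definite article is wrong for the product name, so while the OptionalData line above it is being touched, the sentence should become "targeted by Windows Update".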
@ -7554,7 +7554,7 @@ This event sends data regarding OS Updates and Upgrades from Windows 7.X, Window
|
|||||||
The following fields are available:
|
The following fields are available:
|
||||||
|
|
||||||
- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
||||||
- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
||||||
- **HostOSBuildNumber** The build number of the previous operating system.
|
- **HostOSBuildNumber** The build number of the previous operating system.
|
||||||
- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
|
- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
|
||||||
- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
|
- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
|
||||||
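Review bot: the FlightData line in this hunk now describes the field with exactly the ClientId wording ("this will be the Windows Update client ID that is passed to Setup"), so the abbreviation expansion preserves what looks like a copy-paste error rather than a description of flight data; confirm the intended meaning with the owning team before merging. Both lines also miss an article: "In Media setup, the default value is Media360".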
@ -9816,7 +9816,7 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O
|
|||||||
|
|
||||||
The following fields are available:
|
The following fields are available:
|
||||||
|
|
||||||
- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
||||||
- **FlightId** Unique GUID that identifies each instances of setuphost.exe.
|
- **FlightId** Unique GUID that identifies each instances of setuphost.exe.
|
||||||
- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
|
- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
|
||||||
- **MitigationScenario** The update scenario in which the mitigation was executed.
|
- **MitigationScenario** The update scenario in which the mitigation was executed.
|
||||||
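Review bot: the FlightId context line in this hunk ("Unique GUID that identifies each instances of setuphost.exe.") is a duplicate of the InstanceId description, while the later hunks of this same commit describe FlightId as "Unique identifier for each flight."; the description here should be aligned with those. Both this line and the InstanceId line also need "each instances" corrected to "each instance".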
@ -9838,7 +9838,7 @@ This event sends data specific to the FixupEditionId mitigation used for OS upda
|
|||||||
|
|
||||||
The following fields are available:
|
The following fields are available:
|
||||||
|
|
||||||
- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
||||||
- **EditionIdUpdated** Determine whether EditionId was changed.
|
- **EditionIdUpdated** Determine whether EditionId was changed.
|
||||||
- **FlightId** Unique identifier for each flight.
|
- **FlightId** Unique identifier for each flight.
|
||||||
- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
|
- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
|
||||||
@ -9861,7 +9861,7 @@ This event sends data specific to the FixupWimmountSysPath mitigation used for O
|
|||||||
|
|
||||||
The following fields are available:
|
The following fields are available:
|
||||||
|
|
||||||
- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
||||||
- **FlightId** Unique identifier for each flight.
|
- **FlightId** Unique identifier for each flight.
|
||||||
- **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry.
|
- **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry.
|
||||||
- **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation.
|
- **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation.
|
||||||
|
@ -2775,10 +2775,10 @@ The following fields are available:
|
|||||||
- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
|
- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
|
||||||
- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
|
- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
|
||||||
- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
|
- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
|
||||||
- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
|
- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network.
|
||||||
- **WULCUVersion** Version of the LCU Installed on the machine.
|
- **WULCUVersion** Version of the LCU Installed on the machine.
|
||||||
- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
|
- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
|
||||||
- **WUPauseState** Retrieves WU setting to determine if updates are paused.
|
- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused.
|
||||||
- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
|
- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
|
||||||
|
|
||||||
|
|
||||||
@ -4337,7 +4337,7 @@ The following fields are available:
|
|||||||
- **FlightId** The ID of the Windows Insider build the device received.
|
- **FlightId** The ID of the Windows Insider build the device received.
|
||||||
- **InstallDate** The date the driver was installed.
|
- **InstallDate** The date the driver was installed.
|
||||||
- **InstallFlags** The driver installation flags.
|
- **InstallFlags** The driver installation flags.
|
||||||
- **OptionalData** Metadata specific to WU (Windows Update) associated with the driver (flight IDs, recovery IDs, etc.)
|
- **OptionalData** Metadata specific to Windows Update (WU) associated with the driver (flight IDs, recovery IDs, etc.)
|
||||||
- **RebootRequired** Indicates whether a reboot is required after the installation.
|
- **RebootRequired** Indicates whether a reboot is required after the installation.
|
||||||
- **RollbackPossible** Indicates whether this driver can be rolled back.
|
- **RollbackPossible** Indicates whether this driver can be rolled back.
|
||||||
- **WuTargetedHardwareId** Indicates that the driver was installed because the device hardware ID was targeted by the Windows Update.
|
- **WuTargetedHardwareId** Indicates that the driver was installed because the device hardware ID was targeted by the Windows Update.
|
||||||
@ -7722,7 +7722,7 @@ This event sends data regarding OS Updates and Upgrades from Windows 7.X, Window
|
|||||||
The following fields are available:
|
The following fields are available:
|
||||||
|
|
||||||
- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
||||||
- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
||||||
- **HostOSBuildNumber** The build number of the previous operating system.
|
- **HostOSBuildNumber** The build number of the previous operating system.
|
||||||
- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
|
- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
|
||||||
- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
|
- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
|
||||||
@ -9395,7 +9395,7 @@ The following fields are available:
|
|||||||
|
|
||||||
- **updaterCmdLine** The command line requested by the updater.
|
- **updaterCmdLine** The command line requested by the updater.
|
||||||
- **updaterId** The ID of the updater that requested the work.
|
- **updaterId** The ID of the updater that requested the work.
|
||||||
- **wuDeviceid** WU device ID.
|
- **wuDeviceid** Windows Update device ID.
|
||||||
|
|
||||||
|
|
||||||
### Microsoft.Windows.Update.Orchestrator.UniversalOrchestratorScheduleWorkNonSystem
|
### Microsoft.Windows.Update.Orchestrator.UniversalOrchestratorScheduleWorkNonSystem
|
||||||
@ -9840,7 +9840,7 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O
|
|||||||
|
|
||||||
The following fields are available:
|
The following fields are available:
|
||||||
|
|
||||||
- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
||||||
- **FlightId** Unique identifier for each flight.
|
- **FlightId** Unique identifier for each flight.
|
||||||
- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
|
- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
|
||||||
- **MitigationScenario** The update scenario in which the mitigation was executed.
|
- **MitigationScenario** The update scenario in which the mitigation was executed.
|
||||||
@ -9862,7 +9862,7 @@ This event sends data specific to the FixupEditionId mitigation used for OS upda
|
|||||||
|
|
||||||
The following fields are available:
|
The following fields are available:
|
||||||
|
|
||||||
- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
||||||
- **EditionIdUpdated** Determine whether EditionId was changed.
|
- **EditionIdUpdated** Determine whether EditionId was changed.
|
||||||
- **FlightId** Unique identifier for each flight.
|
- **FlightId** Unique identifier for each flight.
|
||||||
- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
|
- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
|
||||||
@ -9885,7 +9885,7 @@ This event sends data specific to the FixupWimmountSysPath mitigation used for O
|
|||||||
|
|
||||||
The following fields are available:
|
The following fields are available:
|
||||||
|
|
||||||
- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
||||||
- **FlightId** Unique identifier for each flight.
|
- **FlightId** Unique identifier for each flight.
|
||||||
- **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry.
|
- **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry.
|
||||||
- **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation.
|
- **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation.
|
||||||
|
@ -119,7 +119,7 @@ Collects Office metadata through UTC to compare with equivalent data collected t
|
|||||||
Applicable to all Win32 applications. Helps us understand the status of the update process of the office suite (Success or failure with error details).
|
Applicable to all Win32 applications. Helps us understand the status of the update process of the office suite (Success or failure with error details).
|
||||||
|
|
||||||
- **build:** App version
|
- **build:** App version
|
||||||
- **channel:** Is this part of SAC or SAC-T?
|
- **channel:** Is this part of GA Channel or SAC-T?
|
||||||
- **errorCode:** What error occurred during the upgrade process?
|
- **errorCode:** What error occurred during the upgrade process?
|
||||||
- **errorMessage:** what was the error message during the upgrade process?
|
- **errorMessage:** what was the error message during the upgrade process?
|
||||||
- **status:** Was the upgrade successful or not?
|
- **status:** Was the upgrade successful or not?
|
||||||
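Review bot: the edited channel line mixes naming conventions: "Is this part of GA Channel or SAC-T?" expands one channel to its current name but leaves the other as the old abbreviation, which is the opposite of what this commit does everywhere else. Either spell out SAC-T as "Semi-Annual Channel (Targeted)" or use the current names for both channels.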
@ -355,14 +355,14 @@ The following fields are available:
|
|||||||
Initialization of Explorer is complete.
|
Initialization of Explorer is complete.
|
||||||
|
|
||||||
## Microsoft-Windows-Security-EFS-EDPAudit-ApplicationLearning.EdpAuditLogApplicationLearning
|
## Microsoft-Windows-Security-EFS-EDPAudit-ApplicationLearning.EdpAuditLogApplicationLearning
|
||||||
For a device subject to Windows Information Protection policy, learning events are generated when an app encounters a policy boundary (for example, trying to open a work document from a personal app). These events help the WIP administrator tune policy rules and prevent unnecessary user disruption.
|
For a device subject to Windows Information Protection policy, learning events are generated when an app encounters a policy boundary (for example, trying to open a work document from a personal app). These events help the Windows Information Protection administrator tune policy rules and prevent unnecessary user disruption.
|
||||||
|
|
||||||
The following fields are available:
|
The following fields are available:
|
||||||
|
|
||||||
- **actiontype:** Indicates what type of resource access the app was attempting (for example, opening a local document vs. a network resource) when it encountered a policy boundary. Useful for Windows Information Protection administrators to tune policy rules.
|
- **actiontype:** Indicates what type of resource access the app was attempting (for example, opening a local document vs. a network resource) when it encountered a policy boundary. Useful for Windows Information Protection administrators to tune policy rules.
|
||||||
- **appIdType:** Based on the type of application, this field indicates what type of app rule a Windows Information Protection administrator would need to create for this app.
|
- **appIdType:** Based on the type of application, this field indicates what type of app rule a Windows Information Protection administrator would need to create for this app.
|
||||||
- **appname:** App that triggered the event
|
- **appname:** App that triggered the event
|
||||||
- **status:** Indicates whether errors occurred during WIP learning events
|
- **status:** Indicates whether errors occurred during Windows Information Protection learning events
|
||||||
|
|
||||||
## Win32kTraceLogging.AppInteractivitySummary
|
## Win32kTraceLogging.AppInteractivitySummary
|
||||||
Summarizes which app windows are being used (for example, have focus) to help Microsoft improve compatibility and user experience. Also helps organizations (by using Desktop Analytics) to understand and improve application reliability on managed devices.
|
Summarizes which app windows are being used (for example, have focus) to help Microsoft improve compatibility and user experience. Also helps organizations (by using Desktop Analytics) to understand and improve application reliability on managed devices.
|
||||||
|
@ -84,7 +84,7 @@ For Windows 10 and Windows 11, the following MDM policies are available in the [
|
|||||||
1. MDM Policy: [Notifications/DisallowTileNotification](/windows/client-management/mdm/policy-csp-notifications). This policy setting turns off tile notifications. If you enable this policy setting applications and system features will not be able to update their tiles and tile badges in the Start screen. **Integer value 1**
|
1. MDM Policy: [Notifications/DisallowTileNotification](/windows/client-management/mdm/policy-csp-notifications). This policy setting turns off tile notifications. If you enable this policy setting applications and system features will not be able to update their tiles and tile badges in the Start screen. **Integer value 1**
|
||||||
|
|
||||||
1. **Mail synchronization**
|
1. **Mail synchronization**
|
||||||
1. MDM Policy: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection). Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. **Set to 0 (zero)**
|
1. MDM Policy: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection). Specifies whether the user is allowed to use an Microsoft account for non-email related connection authentication and services. **Set to 0 (zero)**
|
||||||
|
|
||||||
1. **Microsoft Account**
|
1. **Microsoft Account**
|
||||||
1. MDM Policy: [Accounts/AllowMicrosoftAccountSignInAssistant](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant). Disable the Microsoft Account Sign-In Assistant. **Set to 0 (zero)**
|
1. MDM Policy: [Accounts/AllowMicrosoftAccountSignInAssistant](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant). Disable the Microsoft Account Sign-In Assistant. **Set to 0 (zero)**
|
||||||
|
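Review bot: the edited AllowMicrosoftAccountConnection line introduces a grammar error: "use an Microsoft account" should be "use a Microsoft account" (the article was correct for "MSA" and was not adjusted with the expansion). The hyphenation "non-email related" should also read "non-email-related".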
@ -2292,10 +2292,10 @@ The following fields are available:
|
|||||||
- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
|
- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
|
||||||
- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
|
- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
|
||||||
- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
|
- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
|
||||||
- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
|
- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network.
|
||||||
- **WULCUVersion** Version of the LCU Installed on the machine.
|
- **WULCUVersion** Version of the LCU Installed on the machine.
|
||||||
- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
|
- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
|
||||||
- **WUPauseState** Retrieves WU setting to determine if updates are paused.
|
- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused.
|
||||||
- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
|
- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
|
||||||
|
|
||||||
|
|
||||||
@ -6022,7 +6022,7 @@ This event sends data regarding OS Updates and Upgrades from Windows 7.X, Window
|
|||||||
The following fields are available:
|
The following fields are available:
|
||||||
|
|
||||||
- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
||||||
- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
||||||
- **HostOSBuildNumber** The build number of the previous operating system.
|
- **HostOSBuildNumber** The build number of the previous operating system.
|
||||||
- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
|
- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
|
||||||
- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
|
- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
|
||||||
@ -6789,7 +6789,7 @@ The following fields are available:
|
|||||||
- **freeDiskSpaceInMB** Amount of free disk space.
|
- **freeDiskSpaceInMB** Amount of free disk space.
|
||||||
- **interactive** Informs if this action is caused due to user interaction.
|
- **interactive** Informs if this action is caused due to user interaction.
|
||||||
- **priority** The CPU and IO priority this action is being performed on.
|
- **priority** The CPU and IO priority this action is being performed on.
|
||||||
- **provider** The provider that is being invoked to perform this action (WU, Legacy UO Provider etc.).
|
- **provider** The provider that is being invoked to perform this action (Windows Update , Legacy UO Provider etc.).
|
||||||
- **update** Update related metadata including UpdateId.
|
- **update** Update related metadata including UpdateId.
|
||||||
- **uptimeMinutes** Duration USO for up for in the current boot session.
|
- **uptimeMinutes** Duration USO for up for in the current boot session.
|
||||||
- **wilActivity** Wil Activity related information.
|
- **wilActivity** Wil Activity related information.
|
||||||
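Review bot: the edited provider line has a stray space before the comma: "(Windows Update , Legacy UO Provider etc.)" should be "(Windows Update, Legacy UO Provider, etc.)". The neighbouring uptimeMinutes context line ("Duration USO for up for in the current boot session.") is also garbled and would read correctly as "Duration USO has been up for in the current boot session."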
@ -6988,7 +6988,7 @@ The following fields are available:
|
|||||||
- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
|
- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
|
||||||
- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000).
|
- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000).
|
||||||
- **DeferredUpdates** UpdateIds which are currently being deferred until a later time.
|
- **DeferredUpdates** UpdateIds which are currently being deferred until a later time.
|
||||||
- **DriverExclusionPolicy** Indicates if policy for not including drivers with WU updates is enabled.
|
- **DriverExclusionPolicy** Indicates if policy for not including drivers with Windows Update (WU) updates is enabled.
|
||||||
- **DriverSyncPassPerformed** A flag indicating whether the driver sync is performed in a update scan.
|
- **DriverSyncPassPerformed** A flag indicating whether the driver sync is performed in a update scan.
|
||||||
- **EventInstanceID** A globally unique identifier for event instance.
|
- **EventInstanceID** A globally unique identifier for event instance.
|
||||||
- **ExcludedUpdateClasses** Update classifications being excluded via policy.
|
- **ExcludedUpdateClasses** Update classifications being excluded via policy.
|
||||||
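Review bot: the edited DriverExclusionPolicy line adds "(WU)" as a defined abbreviation that is never reused in the sentence, which works against the purpose of this commit; "drivers with Windows Update updates" would be enough, or better "drivers with Windows Update". The adjacent DriverSyncPassPerformed context line also needs "in a update scan" corrected to "in an update scan".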
@ -8139,7 +8139,7 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O
|
|||||||
|
|
||||||
The following fields are available:
|
The following fields are available:
|
||||||
|
|
||||||
- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
||||||
- **FlightId** Unique identifier for each flight.
|
- **FlightId** Unique identifier for each flight.
|
||||||
- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
|
- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
|
||||||
- **MitigationScenario** The update scenario in which the mitigation was executed.
|
- **MitigationScenario** The update scenario in which the mitigation was executed.
|
||||||
@ -8161,7 +8161,7 @@ This event sends data specific to the FixupWimmountSysPath mitigation used for O
|
|||||||
|
|
||||||
The following fields are available:
|
The following fields are available:
|
||||||
|
|
||||||
- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
|
||||||
- **FlightId** Unique identifier for each flight.
|
- **FlightId** Unique identifier for each flight.
|
||||||
- **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry.
|
- **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry.
|
||||||
- **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation.
|
- **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation.
|
||||||
|
@ -2305,10 +2305,10 @@ The following fields are available:
|
|||||||
- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
|
- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
|
||||||
- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
|
- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
|
||||||
- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
|
- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
|
||||||
- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
|
- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network.
|
||||||
- **WULCUVersion** Version of the LCU Installed on the machine.
|
- **WULCUVersion** Version of the LCU Installed on the machine.
|
||||||
- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
|
- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
|
||||||
- **WUPauseState** Retrieves WU setting to determine if updates are paused.
|
- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused.
|
||||||
- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
|
- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
|
||||||
|
|
||||||
|
|
||||||
|
@ -48,7 +48,7 @@ The Windows Server 2016 or later domain controller is handling 100 percent of al
|
|||||||
|
|
||||||

|

|
||||||
|
|
||||||
Upgrading another domain controller to Windows Server 2016 or later distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016 or later, but the number of WHFB clients remains the same.
|
Upgrading another domain controller to Windows Server 2016 or later distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016 or later, but the number of Windows Hello for Business clients remains the same.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
|
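Review bot: the edited paragraph is internally inconsistent about the server version: it describes domain controllers upgraded to "Windows Server 2016 or later" and then says "Both Windows Server 2019 domain controllers still share 10 percent of this load." Since the line is already being touched for the WHFB expansion, align the two sentences (for example "Both upgraded domain controllers still share 10 percent of this load.").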
@ -125,7 +125,7 @@ Before you continue with the deployment, validate your deployment progress by re
|
|||||||
|
|
||||||
## Add users to the Windows Hello for Business Users group
|
## Add users to the Windows Hello for Business Users group
|
||||||
|
|
||||||
Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the WHFB Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business.
|
Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business.
|
||||||
|
|
||||||
|
|
||||||
## Follow the Windows Hello for Business on premises certificate trust deployment guide
|
## Follow the Windows Hello for Business on premises certificate trust deployment guide
|
||||||
|
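Review bot: both the old and the new line drop a word in "adding the group used synchronize users to the Windows Hello for Business Users group"; since the line is being touched anyway, fix it to "the group used to synchronize users". The heading further down, "on premises certificate trust deployment guide", should hyphenate "on-premises" when it is used as an adjective.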
@ -22,62 +22,59 @@ ms.custom: bitlocker
|
|||||||
|
|
||||||
**Applies to**
|
**Applies to**
|
||||||
|
|
||||||
- Windows 10
|
|
||||||
- Windows 11
|
|
||||||
- Windows Server 2016 and above
|
|
||||||
|
|
||||||
This topic for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker.
|
This topic for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker.
|
||||||
|
|
||||||
When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings have not changed since BitLocker was last enabled, resumed, or recovered.
|
When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings have not changed since BitLocker was last enabled, resumed, or recovered.
|
||||||
|
|
||||||
## BitLocker and BCD Settings
|
## BitLocker and BCD Settings
|
||||||
|
|
||||||
In Windows 7 and Windows Server 2008 R2, BitLocker validated nearly all BCD settings with the winload, winresume, and memtest prefixes. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack BitLocker would enter recovery.
|
In Windows 7 and Windows Server 2008 R2, BitLocker validated BCD settings with the winload, winresume, and memtest prefixes to a large degree. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack, BitLocker would enter recovery mode.
|
||||||
|
|
||||||
In Windows 8, Windows Server 2012, and later operating systems BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If you believe that there is a risk in excluding a particular BCD setting from the validation profile, you can increase BCD validation coverage to suit your validation preferences. Alternatively, if a default BCD setting is persistently triggering recovery for benign changes, then you can exclude that BCD setting from the validation profile.
|
In Windows 8, Windows Server 2012, and later operating systems, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If you believe that there is a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit your validation preferences.
|
||||||
|
If a default BCD setting is found to persistently trigger a recovery for benign changes, exclude that BCD setting from the validation coverage.
|
||||||
|
|
||||||
### When secure boot is enabled
|
### When secure boot is enabled
|
||||||
|
|
||||||
Computers with UEFI firmware can use Secure Boot to provide enhanced boot security. When BitLocker is able to use Secure Boot for platform and BCD integrity validation, as defined by the **Allow Secure Boot for integrity validation** group policy setting, the **Use enhanced Boot Configuration Data validation profile** group policy is ignored.
|
Computers with UEFI firmware can use secure boot to provide enhanced boot security. When BitLocker is able to use secure boot for platform and BCD integrity validation, as defined by the **Allow Secure Boot for integrity validation** group policy setting, the **Use enhanced Boot Configuration Data validation profile** group policy is ignored.
|
||||||
|
|
||||||
One of the benefits of using Secure Boot is that it can correct BCD settings during boot without triggering recovery events. Secure Boot enforces the same BCD settings as BitLocker. Secure Boot BCD enforcement is not configurable from within the operating system.
|
One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement is not configurable from within the operating system.
|
||||||
|
|
||||||
## Customizing BCD validation settings
|
## Customizing BCD validation settings
|
||||||
|
|
||||||
To modify the BCD settings BitLocker validates the IT Pro will add or exclude BCD settings from the platform validation profile by enabling and configuring the **Use enhanced Boot Configuration Data validation profile** Group Policy setting.
|
To modify the BCD settings that are validated by BitLocker, the administrator will add or exclude BCD settings from the platform validation profile by enabling and configuring the **Use enhanced Boot Configuration Data validation profile** group policy setting.
|
||||||
|
|
||||||
For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. BCD settings are either associated with a specific boot application or can apply to all boot applications by associating a prefix to the BCD setting entered in the Group Policy setting. Prefix values include:
|
For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that are not part of the set to which the BCD settings are already applicable to. This can be done by attaching any of the following prefixes to the BCD settings which are being entered in the group policy settings dialog:
|
||||||
|
|
||||||
- winload
|
- winload
|
||||||
- winresume
|
- winresume
|
||||||
- memtest
|
- memtest
|
||||||
- all
|
- all of the above
|
||||||
|
|
||||||
All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a “friendly name.”
|
All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a “friendly name.”
|
||||||
|
|
||||||
The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies which BCD setting caused the recovery event.
|
The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies the BCD setting that caused the recovery event.
|
||||||
|
|
||||||
You can quickly obtain the friendly name for the BCD settings on your computer by using the command “`bcdedit.exe /enum all`”.
|
You can quickly obtain the friendly name for the BCD settings on your computer by using the command “`bcdedit.exe /enum all`”.
|
||||||
|
|
||||||
Not all BCD settings have friendly names, for those settings the hex value is the only way to configure an exclusion policy.
|
Not all BCD settings have friendly names; for those settings without a friendly name, the hex value is the only way to configure an exclusion policy.
|
||||||
|
|
||||||
When specifying BCD values in the **Use enhanced Boot Configuration Data validation profile** Group Policy setting, use the following syntax:
|
When specifying BCD values in the **Use enhanced Boot Configuration Data validation profile** group policy setting, use the following syntax:
|
||||||
|
|
||||||
- Prefix the setting with the boot application prefix
|
- Prefix the setting with the boot application prefix
|
||||||
- Append a colon ‘:’
|
- Append a colon ‘:’
|
||||||
- Append either the hex value or the friendly name
|
- Append either the hex value or the friendly name
|
||||||
- If entering more than one BCD setting, you will need to enter each BCD setting on a new line
|
- If entering more than one BCD setting, you will need to enter each BCD setting on a new line
|
||||||
|
|
||||||
For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f4`” yield the same value.
|
For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f4`” yields the same value.
|
||||||
|
|
||||||
Setting that applies to all boot applications may be applied only to an individual application, however the reverse is not true. For example, one can specify either: “`all:locale`” or “`winresume:locale`”, but as the bcd setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields.
|
A setting that applies to all boot applications may be applied only to an individual application; however, the reverse is not true. For example, one can specify either “`all:locale`” or “`winresume:locale`”, but as the BCD setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.
|
> Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.
|
||||||
|
|
||||||
### Default BCD validation profile
|
### Default BCD validation profile
|
||||||
|
|
||||||
The following table contains the default BCD validation profile used by BitLocker in Windows 8, Windows Server 2012, and later operating systems:
|
The following table contains the default BCD validation profile used by BitLocker in Windows 8, Windows Server 2012, and subsequent versions:
|
||||||
|
|
||||||
| Hex Value | Prefix | Friendly Name |
|
| Hex Value | Prefix | Friendly Name |
|
||||||
| - | - | - |
|
| - | - | - |
|
||||||
|
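Review bot: the reworded prefix paragraph changes the meaning and contradicts the page's own rule. The original says a BCD setting is tied to a specific boot application or applies to all of them by attaching a prefix; the new version says the settings "can also be applied to the other Microsoft boot applications that are not part of the set to which the BCD settings are already applicable to", which ends in a dangling "to" and collides with the later sentence "A setting that applies to all boot applications may be applied only to an individual application; however, the reverse is not true." Keep the original sense, for example "A setting is associated either with one boot application or with all of them; the association is expressed by the prefix attached to the setting in the group policy dialog". Second, renaming the list item "all" to "all of the above" hides the literal prefix value the administrator has to type (the page later uses `all:locale`); keep `all` as the item and put the explanation in parentheses. The example sentence also still uses both "win-pe" and "winpe" for the same setting; pick one spelling.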
@ -49,6 +49,7 @@ BitLocker encryption can be done using the following methods:
|
|||||||
### Encrypting volumes using the BitLocker control panel
|
### Encrypting volumes using the BitLocker control panel
|
||||||
|
|
||||||
Encrypting volumes with the BitLocker control panel (select **Start**, type *Bitlocker*, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
|
Encrypting volumes with the BitLocker control panel (select **Start**, type *Bitlocker*, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
|
||||||
|
|
||||||
To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume).
|
To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume).
|
||||||
|
|
||||||
### Operating system volume
|
### Operating system volume
|
||||||
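Review bot: the context line has "type *Bitlocker*" while the page writes BitLocker everywhere else; since the hunk already touches this paragraph, normalize it to *BitLocker*.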
@ -69,8 +70,6 @@ Once a strong password has been created for the volume, a recovery key will be g
|
|||||||
|
|
||||||
You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you aren't encrypting. You can't save the recovery key to the root directory of a non-removable drive and can't be stored on the encrypted volume. You can't save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies.
|
You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you aren't encrypting. You can't save the recovery key to the root directory of a non-removable drive and can't be stored on the encrypted volume. You can't save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies.
|
||||||
|
|
||||||
When the recovery key has been properly stored, the BitLocker Drive Encryption Wizard will prompt the user to choose how to encrypt the drive. There are two options:
|
|
||||||
|
|
||||||
- Encrypt used disk space only - Encrypts only disk space that contains data
|
- Encrypt used disk space only - Encrypts only disk space that contains data
|
||||||
- Encrypt entire drive - Encrypts the entire volume including free space
|
- Encrypt entire drive - Encrypts the entire volume including free space
|
||||||
|
|
||||||
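Review bot: the recovery key paragraph carried as context here loses its subject mid-sentence: "You can't save the recovery key to the root directory of a non-removable drive and can't be stored on the encrypted volume". Rewrite as "and it can't be stored on the encrypted volume". The two encryption options are fine, but "Encrypt used disk space only - Encrypts only disk space that contains data" could state the practical consequence the page later implies, that previously deleted data in free space is not encrypted by that option.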
@ -81,7 +80,8 @@ It's recommended that drives with little to no data use the **used disk space on
|
|||||||
|
|
||||||
Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
|
Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
|
||||||
|
|
||||||
After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel.
|
|
||||||
|
After completing the system check (if selected), the BitLocker Drive Encryption Wizard restarts the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel.
|
||||||
|
|
||||||
Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker.
|
Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker.
|
||||||
|
|
||||||
@ -93,16 +93,15 @@ Unlike for operating system volumes, data volumes aren't required to pass any co
|
|||||||
After selecting the desired authentication method and choosing **Next**, the wizard presents options for storage of the recovery key. These options are the same as for operating system volumes.
|
After selecting the desired authentication method and choosing **Next**, the wizard presents options for storage of the recovery key. These options are the same as for operating system volumes.
|
||||||
With the recovery key saved, selecting **Next** in the wizard will show available options for encryption. These options are the same as for operating system volumes; **used disk space only** and **full drive encryption**. If the volume being encrypted is new or empty, it's recommended that used space only encryption is selected.
|
With the recovery key saved, selecting **Next** in the wizard will show available options for encryption. These options are the same as for operating system volumes; **used disk space only** and **full drive encryption**. If the volume being encrypted is new or empty, it's recommended that used space only encryption is selected.
|
||||||
|
|
||||||
With an encryption method chosen, a final confirmation screen displays before beginning the encryption process. Selecting **Start encrypting** will begin encryption.
|
With an encryption method chosen, a final confirmation screen is displayed before the encryption process begins. Selecting **Start encrypting** begins encryption.
|
||||||
|
|
||||||
Encryption status displays in the notification area or within the BitLocker control panel.
|
Encryption status displays in the notification area or within the BitLocker control panel.
|
||||||
|
|
||||||
### <a href="" id="-onedrive-option-"></a> OneDrive option
|
### <a href="" id="-onedrive-option-"></a> OneDrive option
|
||||||
|
|
||||||
There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that aren't joined to a domain.
|
There's a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that aren't joined to a domain.
|
||||||
|
|
||||||
Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder that is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive,
|
Users can verify whether the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
|
||||||
they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
|
|
||||||
|
|
||||||
### Using BitLocker within Windows Explorer
|
### Using BitLocker within Windows Explorer
|
||||||
|
|
||||||
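Review bot: merging the split sentence "For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name" is correct. Two remaining points in the same paragraph: "There's a new option for storing the BitLocker recovery key using the OneDrive" will go stale ("new") and has a stray article; "You can also store the BitLocker recovery key in OneDrive" reads better. The paragraph also calls this "the default, recommended recovery key storage method for computers that aren't joined to a domain" immediately after saying it requires a Microsoft account; make clear that on non-domain computers with a local account the default falls back to the other options listed earlier.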
@ -110,7 +109,7 @@ Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by
|
|||||||
|
|
||||||
## <a href="" id="bkmk-dep2"></a>Down-level compatibility
|
## <a href="" id="bkmk-dep2"></a>Down-level compatibility
|
||||||
|
|
||||||
The following table shows the compatibility matrix for systems that have been BitLocker enabled then presented to a different version of Windows.
|
The following table shows the compatibility matrix for systems that have been BitLocker-enabled and then presented to a different version of Windows.
|
||||||
|
|
||||||
Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes
|
Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes
|
||||||
|
|
||||||
@ -131,7 +130,7 @@ Command-line users need to determine the appropriate syntax for a given situatio
|
|||||||
|
|
||||||
### Operating system volume
|
### Operating system volume
|
||||||
|
|
||||||
Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on <drive letter>` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key.
|
Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on <drive letter>` command encrypts the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key.
|
||||||
|
|
||||||
**Determining volume status**
|
**Determining volume status**
|
||||||
|
|
||||||
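Review bot: the tense fix is fine, but the changed line states that `manage-bde -on <drive letter>` alone produces a TPM-only protector "and no recovery key" without spelling out the consequence: a volume with only a TPM protector has no recovery path after a firmware, boot configuration or TPM change. The page recommends "at least one primary protector and a recovery protector" for data volumes but gives no equivalent recommendation here for the operating system volume; add one sentence pointing the reader at adding a recovery password protector before or right after turning BitLocker on.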
@ -143,7 +142,7 @@ This command returns the volumes on the target, current encryption status, and v
|
|||||||
|
|
||||||
**Enabling BitLocker without a TPM**
|
**Enabling BitLocker without a TPM**
|
||||||
|
|
||||||
For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable BitLocker for the operating system volume, you will need to use a USB flash drive as a startup key to boot (in this example, the drive letter E). You would first create the startup key needed for BitLocker using the –protectors option and save it to the USB drive on E: and then begin the encryption process. You will need to reboot the computer when prompted to complete the encryption process.
|
For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable BitLocker for the operating system volume, you'll need to use a USB flash drive as a startup key to boot (in this example, the drive letter E). You would first create the startup key needed for BitLocker using the –protectors option and save it to the USB drive on E: and then begin the encryption process. You'll need to reboot the computer when prompted to complete the encryption process.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
manage-bde –protectors -add C: -startupkey E:
|
manage-bde –protectors -add C: -startupkey E:
|
||||||
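Review bot: the code block carried through this hunk contains an en dash instead of a hyphen on both the old and the new side, `manage-bde –protectors -add C: -startupkey E:`, and the prose above it has the same "–protectors". Pasting the command as written fails because manage-bde does not recognize "–protectors"; replace it with the ASCII `-protectors` while the block is being touched. The same paragraph could also say that the startup key is the only thing that unlocks the drive at boot, so the USB key needs to be backed up or paired with a recovery password.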
@ -156,21 +155,21 @@ It's possible to encrypt the operating system volume without any defined protect
|
|||||||
|
|
||||||
`manage-bde -on C:`
|
`manage-bde -on C:`
|
||||||
|
|
||||||
This command will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information with the command:
|
This will encrypt the drive using the TPM as the protector. If users are unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information by executing the following command:
|
||||||
|
|
||||||
`manage-bde -protectors -get <volume>`
|
`manage-bde -protectors -get <volume>`
|
||||||
|
|
||||||
**Provisioning BitLocker with two protectors**
|
**Provisioning BitLocker with two protectors**
|
||||||
|
|
||||||
Another example is a user on non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. Use this command:
|
Another example is a user on a non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. This is done with the command:
|
||||||
|
|
||||||
`manage-bde -protectors -add C: -pw -sid <user or group>`
|
`manage-bde -protectors -add C: -pw -sid <user or group>`
|
||||||
|
|
||||||
This command will require the user to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn on BitLocker.
|
This command requires the user to enter and then confirm the password protectors before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn BitLocker on.
|
||||||
|
|
||||||
### Data volume
|
### Data volume
|
||||||
|
|
||||||
Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on <drive letter>` or users can choose to add protectors to the volume. We recommend that you add at least one primary protector and a recovery protector to a data volume.
|
Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on <drive letter>` or users can choose to add protectors to the volume. We recommend that you add at least one primary protector and a recovery protector to a data volume.
|
||||||
|
|
||||||
**Enabling BitLocker with a password**
|
**Enabling BitLocker with a password**
|
||||||
|
|
||||||
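Review bot: the new line introduces a regression, "a user on a non-TPM hardware"; "hardware" is a mass noun, so keep the original "on non-TPM hardware". Further down, "enter and then confirm the password protectors" pluralizes a single password: the command `manage-bde -protectors -add C: -pw -sid <user or group>` creates one password protector and one SID protector, so "enter and then confirm the password protector before adding the protectors to the volume" is more accurate.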
@ -200,11 +199,11 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
|
|||||||
|**Suspend-BitLocker**|<li>Confirm<li>MountPoint<li>RebootCount<li>WhatIf|
|
|**Suspend-BitLocker**|<li>Confirm<li>MountPoint<li>RebootCount<li>WhatIf|
|
||||||
|**Unlock-BitLocker**|<li>AdAccountOrGroup<li>Confirm<li>MountPoint<li>Password<li>RecoveryKeyPath<li>RecoveryPassword<li>RecoveryPassword<li>WhatIf|
|
|**Unlock-BitLocker**|<li>AdAccountOrGroup<li>Confirm<li>MountPoint<li>Password<li>RecoveryKeyPath<li>RecoveryPassword<li>RecoveryPassword<li>WhatIf|
|
||||||
|
|
||||||
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
|
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets.
|
||||||
|
|
||||||
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
|
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
|
||||||
|
|
||||||
Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
|
Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If you don't see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
|
> In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
|
||||||
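Review bot: the Unlock-BitLocker row carried as context lists "RecoveryPassword" twice (`<li>RecoveryKeyPath<li>RecoveryPassword<li>RecoveryPassword<li>WhatIf`); drop the duplicate. The changed sentence is otherwise fine, and the note about `Get-BitLockerVolume` truncating protector output could mention up front that the next section shows how to list every protector with its ID rather than only referring to "the method described in the section below".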
@ -212,9 +211,8 @@ Occasionally, all protectors may not be shown when using **Get-BitLockerVolume**
|
|||||||
```powershell
|
```powershell
|
||||||
Get-BitLockerVolume C: | fl
|
Get-BitLockerVolume C: | fl
|
||||||
```
|
```
|
||||||
|
If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
|
||||||
If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this task requires the GUID associated with the protector to be removed.
|
A simple script can pipe out the values of each **Get-BitLockerVolume** return to another variable as seen below:
|
||||||
A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below:
|
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
$vol = Get-BitLockerVolume
|
$vol = Get-BitLockerVolume
|
||||||
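Review bot: the reworded sentence "A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable" still describes the snippet incorrectly: `$vol = Get-BitLockerVolume` assigns the output to a variable, nothing is piped. Say "assign the output of Get-BitLockerVolume to a variable and enumerate the KeyProtector property of each volume". In the block above it, `Get-BitLockerVolume C: | fl` uses the `fl` alias; documentation should spell out `Format-List` so readers can find the cmdlet.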
@ -227,9 +225,8 @@ Using this information, we can then remove the key protector for a specific volu
|
|||||||
```powershell
|
```powershell
|
||||||
Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
|
Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
|
||||||
```
|
```
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
|
> The BitLocker cmdlet requires the key protector GUID (enclosed in quotation marks) to execute. Ensure the entire GUID, with braces, is included in the command.
|
||||||
|
|
||||||
### Operating system volume
|
### Operating system volume
|
||||||
|
|
||||||
@ -249,7 +246,8 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTes
|
|||||||
|
|
||||||
### Data volume
|
### Data volume
|
||||||
|
|
||||||
Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins.
|
Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins.
|
||||||
|
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
$pw = Read-Host -AsSecureString
|
$pw = Read-Host -AsSecureString
|
||||||
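Review bot: the rewording "You should add the desired protectors prior to encrypting the volume" turns a requirement into advice, which sits oddly next to the same sentence's claim that data-volume encryption "is the same as for operating system volumes"; in the operating-system example in the context line (`Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> ...`) the protector is supplied on the command itself, so it is not optional. Suggest keeping the imperative ("Add the desired protectors before encrypting the volume"). Style point on `$pw = Read-Host -AsSecureString`: adding `-Prompt "Enter the volume password"` would make the sample self-explanatory when pasted into a session, since the bare call shows no prompt text while it waits for input.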
@ -275,7 +273,6 @@ For users who wish to use the SID for the account or group, the first step is to
|
|||||||
```powershell
|
```powershell
|
||||||
Get-ADUser -filter {samaccountname -eq "administrator"}
|
Get-ADUser -filter {samaccountname -eq "administrator"}
|
||||||
```
|
```
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Use of this command requires the RSAT-AD-PowerShell feature.
|
> Use of this command requires the RSAT-AD-PowerShell feature.
|
||||||
|
|
||||||
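Review bot: `Get-ADUser -filter {samaccountname -eq "administrator"}` returns the whole user object, but the surrounding text (context line "For users who wish to use the SID for the account or group, the first step is to") needs only the SID; suggest showing how to extract it, e.g. `(Get-ADUser -Filter {samaccountname -eq "administrator"}).SID.Value`, so the reader has the exact string to paste into `-ADAccountOrGroup` in the next hunk. The note "Use of this command requires the RSAT-AD-PowerShell feature" names the Windows Server feature only; on Windows 10/11 clients the module ships as an RSAT optional feature, which is worth a mention since this page targets clients as well.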
@ -287,17 +284,16 @@ In the example below, the user wishes to add a domain SID-based protector to the
|
|||||||
```powershell
|
```powershell
|
||||||
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "<SID>"
|
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "<SID>"
|
||||||
```
|
```
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
|
> Active Directory-based protectors are normally used to unlock Failover Cluster-enabled volumes.
|
||||||
|
|
||||||
## <a href="" id="bkmk-dep5"></a> Checking BitLocker status
|
## <a href="" id="bkmk-dep5"></a> Checking BitLocker status
|
||||||
|
|
||||||
To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section.
|
To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We'll look at each of the available methods in the following section.
|
||||||
|
|
||||||
### Checking BitLocker status with the control panel
|
### Checking BitLocker status with the control panel
|
||||||
|
|
||||||
Checking BitLocker status with the control panel is the most common method used by most users. Once opened, the status for each volume will display next to the volume description and drive letter. Available status return values with the control panel include:
|
Checking BitLocker status with the control panel is the most common method used by most users. Once opened, the status for each volume is displayed next to the volume description and drive letter. Available status return values with the control panel include:
|
||||||
|
|
||||||
| Status | Description |
|
| Status | Description |
|
||||||
| - | - |
|
| - | - |
|
||||||
@ -307,6 +303,7 @@ Checking BitLocker status with the control panel is the most common method used
|
|||||||
| **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected|
|
| **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected|
|
||||||
|
|
||||||
If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status.
|
If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status.
|
||||||
|
|
||||||
Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume.
|
Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume.
|
||||||
The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process.
|
The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process.
|
||||||
|
|
||||||
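Review bot: terminology in the status table is inconsistent with the paragraph that explains it: the "Waiting for Activation" row says "clear protector key" while the explanation below (context line "there was only a clear protector used when encrypting the volume") and the provisioning section in the next hunk say "clear key protector". Suggest "clear key protector" in the table row. Minor, same hunk: "Windows Explorer" in the status paragraph is the Windows 7 name; the Windows 10/11 name this page targets is "File Explorer".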
@ -329,30 +326,29 @@ manage-bde -status <volume>
|
|||||||
|
|
||||||
Windows PowerShell commands offer another way to query BitLocker status for volumes. Like manage-bde, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer.
|
Windows PowerShell commands offer another way to query BitLocker status for volumes. Like manage-bde, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer.
|
||||||
|
|
||||||
Using the Get-BitLockerVolume cmdlet, each volume on the system will display its current BitLocker status. To get information that is more detailed on a specific volume, use the following command:
|
Using the Get-BitLockerVolume cmdlet, each volume on the system displays its current BitLocker status. To get information that is more detailed on a specific volume, use the following command:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Get-BitLockerVolume <volume> -Verbose | fl
|
Get-BitLockerVolume <volume> -Verbose | fl
|
||||||
```
|
```
|
||||||
|
This command displays information about the encryption method, volume type, key protectors, etc.
|
||||||
This command will display information about the encryption method, volume type, key protectors, etc.
|
|
||||||
|
|
||||||
### Provisioning BitLocker during operating system deployment
|
### Provisioning BitLocker during operating system deployment
|
||||||
|
|
||||||
Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment. This task is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
|
Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. This is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
|
||||||
|
|
||||||
### Decrypting BitLocker volumes
|
### Decrypting BitLocker volumes
|
||||||
|
|
||||||
Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required. BitLocker decryption should not occur as a troubleshooting step. BitLocker can be removed from a volume using the BitLocker control panel applet, manage-bde, or Windows PowerShell cmdlets. We will discuss each method further below.
|
Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required. BitLocker decryption shouldn't occur as a troubleshooting step. BitLocker can be removed from a volume using the BitLocker control panel applet, manage-bde, or Windows PowerShell cmdlets. We'll discuss each method further below.
|
||||||
|
|
||||||
### Decrypting volumes using the BitLocker control panel applet
|
### Decrypting volumes using the BitLocker control panel applet
|
||||||
|
|
||||||
BitLocker decryption using the control panel is done using a Wizard. The control panel can be called from Windows Explorer or by opening the directly. After opening the BitLocker control panel, users will select the Turn off BitLocker option to begin the process.
|
BitLocker decryption using the control panel is done using a wizard. The control panel can be called from Windows Explorer or by opening it directly. After opening the BitLocker control panel, users will select the **Turn off BitLocker** option to begin the process.
|
||||||
Once selected, the user chooses to continue by clicking the confirmation dialog. With Turn off BitLocker confirmed, the drive decryption process will begin and report status to the control panel.
|
After selecting the **Turn off BitLocker** option, the user chooses to continue by clicking the confirmation dialog. With **Turn off BitLocker** confirmed, the drive decryption process begins and reports status to the control panel.
|
||||||
|
|
||||||
The control panel doesn't report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress.
|
The control panel doesn't report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress.
|
||||||
|
|
||||||
Once decryption is complete, the drive will update its status in the control panel and is available for encryption.
|
Once decryption is complete, the drive updates its status in the control panel and becomes available for encryption.
|
||||||
|
|
||||||
### Decrypting volumes using the manage-bde command-line interface
|
### Decrypting volumes using the manage-bde command-line interface
|
||||||
|
|
||||||
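Review bot: "Windows Pre-installation environment" in the provisioning paragraph is a product name and should read "Windows Preinstallation Environment (Windows PE)"; the edit lowercased "environment" and kept the stray hyphen, which is a regression from the original capitalization. Two further points in this hunk: the unchanged sentence "Like manage-bde, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer" overstates it, because `Get-BitLockerVolume` takes only `-MountPoint` and has no computer-name parameter; remote queries go through PowerShell remoting (`Invoke-Command -ComputerName <name> -ScriptBlock { Get-BitLockerVolume }`), which is worth saying explicitly. And in `Get-BitLockerVolume <volume> -Verbose | fl`, spell out `Format-List` rather than the `fl` alias, as is usual for documentation samples.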
@ -361,8 +357,7 @@ Decrypting volumes using manage-bde is straightforward. Decryption with manage-b
|
|||||||
```powershell
|
```powershell
|
||||||
manage-bde -off C:
|
manage-bde -off C:
|
||||||
```
|
```
|
||||||
|
This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If users wish to check the status of the decryption, they can use the following command:
|
||||||
This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If a user wishes to check the status of the decryption, they can use the following command:
|
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
manage-bde -status C:
|
manage-bde -status C:
|
||||||
@ -378,7 +373,7 @@ Using the Disable-BitLocker command, they can remove all protectors and encrypti
|
|||||||
Disable-BitLocker
|
Disable-BitLocker
|
||||||
```
|
```
|
||||||
|
|
||||||
If a user did not want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is:
|
If a user didn't want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Disable-BitLocker -MountPoint E:,F:,G:
|
Disable-BitLocker -MountPoint E:,F:,G:
|
||||||
|
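Review bot: "using the `-MountPoint` parameter in an array" is backwards; the parameter accepts an array, and `Disable-BitLocker -MountPoint E:,F:,G:` passes one comma-separated list that PowerShell turns into an array. Suggest "passing an array of mount points to the `-MountPoint` parameter". The leading clause "If a user didn't want to input each mount point individually" would also read better as "To avoid entering each mount point individually, ...".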
@ -28,12 +28,12 @@ ms.custom: bitlocker
|
|||||||
- Windows 11
|
- Windows 11
|
||||||
- Windows Server 2016 and above
|
- Windows Server 2016 and above
|
||||||
|
|
||||||
Windows uses technologies including Trusted Platform Module (TPM), Secure Boot, and Measured Boot to help protect BitLocker encryption keys against attacks.
|
Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks.
|
||||||
BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology.
|
BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology.
|
||||||
Data on a lost or stolen computer is vulnerable.
|
Data on a lost or stolen computer is vulnerable.
|
||||||
For example, there could be unauthorized access, either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer.
|
For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer’s hard disk to a different computer.
|
||||||
|
|
||||||
BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started by:
|
BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started. This mitigation is done by:
|
||||||
|
|
||||||
- **Encrypting volumes on your computer.** For example, you can turn on BitLocker for your operating system volume, or a volume on a fixed or removable data drive (such as a USB flash drive, SD card, and so on). Turning on BitLocker for your operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed.
|
- **Encrypting volumes on your computer.** For example, you can turn on BitLocker for your operating system volume, or a volume on a fixed or removable data drive (such as a USB flash drive, SD card, and so on). Turning on BitLocker for your operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed.
|
||||||
- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer’s BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability.
|
- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer’s BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability.
|
||||||
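Review bot: lowercasing "trusted platform module (TPM), secure boot, and measured boot" in the first changed line creates an inconsistency within this file: unchanged lines in the following hunks keep "Secure Boot" capitalized ("Secure Boot blocks untrusted firmware and bootloaders", "integrity protection for Secure Boot"), and the section heading "### Trusted Platform Module" is untouched. These are feature names; suggest reverting this line to the capitalized forms rather than lowercasing a single occurrence.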
@ -44,16 +44,16 @@ For more information about how to enable the best overall security configuration
|
|||||||
|
|
||||||
## Protection before startup
|
## Protection before startup
|
||||||
|
|
||||||
Before Windows starts, you must rely on security features implemented as part of the device hardware and firmware, including TPM and Secure Boot. Fortunately, many modern computers feature a TPM and Secure Boot.
|
Before Windows starts, you must rely on security features implemented as part of the device hardware and firmware, including TPM and secure boot. Fortunately, many modern computers feature a TPM and secure boot.
|
||||||
|
|
||||||
### Trusted Platform Module
|
### Trusted Platform Module
|
||||||
|
|
||||||
A trusted platform module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys.
|
A trusted platform module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys.
|
||||||
On some platforms, TPM can alternatively be implemented as a part of secure firmware.
|
On some platforms, TPM can alternatively be implemented as a part of secure firmware.
|
||||||
BitLocker binds encryption keys with the TPM to ensure that a computer has not been tampered with while the system was offline.
|
BitLocker binds encryption keys with the TPM to ensure that a computer hasn't been tampered with while the system was offline.
|
||||||
For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview).
|
For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview).
|
||||||
|
|
||||||
### UEFI and Secure Boot
|
### UEFI and secure boot
|
||||||
|
|
||||||
Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system’s bootloader.
|
Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system’s bootloader.
|
||||||
|
|
||||||
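Review bot: the heading change to "### UEFI and secure boot" and the lowercased "secure boot" in "Before Windows starts, you must rely on ..." conflict with the unchanged "Secure Boot" in the very next hunk ("Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned)"); pick one form for the whole file. Since "### Trusted Platform Module" in this same hunk keeps its capitals while the inline expansion "trusted platform module (TPM)" does not, the capitalized form is the one already in use and the safer choice.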
@ -61,7 +61,7 @@ The UEFI specification defines a firmware execution authentication process calle
|
|||||||
Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
|
Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
|
||||||
|
|
||||||
By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement.
|
By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement.
|
||||||
An unauthorized EFI firmware, EFI boot application, or bootloader cannot run and acquire the BitLocker key.
|
An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key.
|
||||||
|
|
||||||
### BitLocker and reset attacks
|
### BitLocker and reset attacks
|
||||||
|
|
||||||
@ -87,19 +87,19 @@ This helps mitigate DMA and memory remanence attacks.
|
|||||||
|
|
||||||
On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:
|
On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:
|
||||||
|
|
||||||
- **TPM-only.** Using TPM-only validation does not require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign in experience is the same as a standard logon. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.
|
- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.
|
||||||
- **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key.
|
- **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume can't be accessed without the startup key.
|
||||||
- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN.
|
- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN.
|
||||||
- **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it cannot be used for access to the drive, because the correct PIN is also required.
|
- **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required.
|
||||||
|
|
||||||
In the following Group Policy example, TPM + PIN is required to unlock an operating system drive:
|
In the following group policy example, TPM + PIN is required to unlock an operating system drive:
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup.
|
Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup.
|
||||||
Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
|
Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
|
||||||
|
|
||||||
On the other hand, Pre-boot authentication prompts can be inconvenient to users.
|
On the other hand, Pre-boot authentication-prompts can be inconvenient to users.
|
||||||
In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization’s support team to obtain a recovery key.
|
In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization’s support team to obtain a recovery key.
|
||||||
Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation.
|
Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation.
|
||||||
|
|
||||||
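Review bot: the new line "On the other hand, Pre-boot authentication-prompts can be inconvenient to users." introduces a wrong hyphen; "pre-boot" modifies the noun phrase "authentication prompts", so the original "Pre-boot authentication prompts" was correct (and "pre-boot" need not be capitalized mid-sentence). Also in this hunk, "In the following group policy example" lowercases a feature name that an unchanged bullet in a later hunk keeps as "Group Policy:"; keep it capitalized. In the TPM-only bullet, "the same as a standard sign in" should be "sign-in" when used as a noun, matching "sign-in experience" earlier in the same sentence.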
@ -117,14 +117,14 @@ You can use the System Information desktop app (MSINFO32) to check if a device h
|
|||||||
|
|
||||||

|

|
||||||
|
|
||||||
If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
|
If kernel DMA protection is *not* enabled, follow these steps to protect Thunderbolt™ 3-enabled ports:
|
||||||
|
|
||||||
1. Require a password for BIOS changes
|
1. Require a password for BIOS changes
|
||||||
2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Please refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
|
2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
|
||||||
3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11):
|
3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11):
|
||||||
|
|
||||||
- MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy
|
- MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy
|
||||||
- Group Policy: [Disable new DMA devices when this computer is locked](./bitlocker-group-policy-settings.md#disable-new-dma-devices-when-this-computer-is-locked) (This setting is not configured by default.)
|
- Group Policy: [Disable new DMA devices when this computer is locked](./bitlocker-group-policy-settings.md#disable-new-dma-devices-when-this-computer-is-locked) (This setting isn't configured by default.)
|
||||||
|
|
||||||
For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the “Thunderbolt Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
|
For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the “Thunderbolt Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
|
||||||
For SBP-2 and 1394 (a.k.a. Firewire), refer to the “SBP-2 Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
|
For SBP-2 and 1394 (a.k.a. Firewire), refer to the “SBP-2 Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
|
||||||
@ -136,7 +136,8 @@ This section covers countermeasures for specific types of attacks.
|
|||||||
### Bootkits and rootkits
|
### Bootkits and rootkits
|
||||||
|
|
||||||
A physically-present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys.
|
A physically-present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys.
|
||||||
The TPM should observe this installation via PCR measurements, and the BitLocker key will not be released.
|
The TPM should observe this installation via PCR measurements, and the BitLocker key won't be released.
|
||||||
|
|
||||||
This is the default configuration.
|
This is the default configuration.
|
||||||
|
|
||||||
A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise.
|
A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise.
|
||||||
@ -148,7 +149,7 @@ Require TPM + PIN for anti-hammering protection.
|
|||||||
|
|
||||||
### DMA attacks
|
### DMA attacks
|
||||||
|
|
||||||
See [Protecting Thunderbolt and other DMA ports](#protecting-thunderbolt-and-other-dma-ports) earlier in this topic.
|
See [Protecting Thunderbolt and other DMA ports](#protecting-thunderbolt-and-other-dma-ports) earlier in this article.
|
||||||
|
|
||||||
### Paging file, crash dump, and Hyberfil.sys attacks
|
### Paging file, crash dump, and Hyberfil.sys attacks
|
||||||
These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives.
|
These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives.
|
||||||
@ -156,7 +157,7 @@ It also blocks automatic or manual attempts to move the paging file.
|
|||||||
|
|
||||||
### Memory remanence
|
### Memory remanence
|
||||||
|
|
||||||
Enable Secure Boot and require a password to change BIOS settings.
|
Enable secure boot and mandatorily prompt a password to change BIOS settings.
|
||||||
For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.
|
For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.
|
||||||
|
|
||||||
## Attacker countermeasures
|
## Attacker countermeasures
|
||||||
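Review bot: "Enable secure boot and mandatorily prompt a password to change BIOS settings" is a regression from the original "Enable Secure Boot and require a password to change BIOS settings": "mandatorily prompt a password" is not idiomatic and shifts the meaning from requiring a password to merely prompting for one. Suggest reverting to "require a password", and keep "Secure Boot" capitalized to match the unchanged "Secure Boot blocks untrusted firmware" earlier in the file.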
@ -165,9 +166,9 @@ The following sections cover mitigations for different types of attackers.
|
|||||||
|
|
||||||
### Attacker without much skill or with limited physical access
|
### Attacker without much skill or with limited physical access
|
||||||
|
|
||||||
Physical access may be limited by a form factor that does not expose buses and memory.
|
Physical access may be limited by a form factor that doesn't expose buses and memory.
|
||||||
For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard.
|
For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard.
|
||||||
This attacker of opportunity does not use destructive methods or sophisticated forensics hardware/software.
|
This attacker of opportunity doesn't use destructive methods or sophisticated forensics hardware/software.
|
||||||
|
|
||||||
Mitigation:
|
Mitigation:
|
||||||
- Pre-boot authentication set to TPM only (the default)
|
- Pre-boot authentication set to TPM only (the default)
|
||||||
@ -195,7 +196,7 @@ Computer Configuration|Administrative Templates|Windows Components|BitLocker Dri
|
|||||||
|
|
||||||
This setting is **Not configured** by default.
|
This setting is **Not configured** by default.
|
||||||
|
|
||||||
For secure administrative workstations, Microsoft recommends TPM with PIN protector and disable Standby power management and shut down or hibernate the device.
|
For secure administrative workstations, Microsoft recommends a TPM with PIN protector and to disable Standby power management and shut down or hibernate the device.
|
||||||
|
|
||||||
## See also
|
## See also
|
||||||
|
|
||||||
|
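Review bot: The rewritten recommendation sentence is still not parallel ("recommends a TPM with PIN protector and to disable Standby power management and shut down or hibernate the device"). Suggest matching the phrasing already used earlier in this file: "Microsoft recommends a TPM with PIN protector, disabling Standby power management, and shutting down or hibernating the device before it leaves the control of an authorized user."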
@ -29,7 +29,7 @@ ms.custom: bitlocker
|
|||||||
This article explains how BitLocker Device Encryption can help protect data on devices running Windows.
|
This article explains how BitLocker Device Encryption can help protect data on devices running Windows.
|
||||||
For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md).
|
For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md).
|
||||||
|
|
||||||
When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and by providing new strategies.
|
When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies.
|
||||||
|
|
||||||
Table 2 lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7.
|
Table 2 lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7.
|
||||||
|
|
||||||
@ -67,13 +67,13 @@ BitLocker is capable of encrypting entire hard drives, including both system and
|
|||||||
|
|
||||||
With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10.
|
With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10.
|
||||||
|
|
||||||
## BitLocker Device Encryption
|
## BitLocker device encryption
|
||||||
|
|
||||||
Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition or Windows 11.
|
Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition or Windows 11.
|
||||||
|
|
||||||
Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption.
|
Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker device encryption pervasive across modern Windows devices. BitLocker device encryption further protects the system by transparently implementing device-wide data encryption.
|
||||||
|
|
||||||
Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:
|
Unlike a standard BitLocker implementation, BitLocker device encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:
|
||||||
|
|
||||||
* When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
|
* When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
|
||||||
* If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
|
* If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
|
||||||
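Review bot: Casing of the feature name is now inconsistent within this hunk: the heading and two paragraphs are changed to "BitLocker device encryption", while the unchanged paragraphs immediately around them (the Windows 8.1 paragraph and the clean-installation bullet) still read "BitLocker Device Encryption". Pick one form and apply it to every occurrence in the article, including the heading anchor text that other pages may link to.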
@ -85,7 +85,7 @@ Microsoft recommends that BitLocker Device Encryption be enabled on any systems
|
|||||||
- **Value**: PreventDeviceEncryption equal to True (1)
|
- **Value**: PreventDeviceEncryption equal to True (1)
|
||||||
- **Type**: REG\_DWORD
|
- **Type**: REG\_DWORD
|
||||||
|
|
||||||
Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required.
|
Administrators can manage domain-joined devices that have BitLocker device encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker device encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. In case you need to use a different encryption method and/or cipher strength, the device must be configured and decrypted (if already encrypted) first. After that, different BitLocker settings can be applied.
|
> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. In case you need to use a different encryption method and/or cipher strength, the device must be configured and decrypted (if already encrypted) first. After that, different BitLocker settings can be applied.
|
||||||
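Review bot: Same casing inconsistency here: the MBAM paragraph is changed to "BitLocker device encryption" but the NOTE directly below keeps "BitLocker Device Encryption". Since the XTS-AES note states a default the reader will search for, keep the feature name identical in both paragraphs.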
@ -99,18 +99,18 @@ Exercise caution when encrypting only used space on an existing volume on which
|
|||||||
## Encrypted hard drive support
|
## Encrypted hard drive support
|
||||||
|
|
||||||
SEDs have been available for years, but Microsoft couldn’t support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives.
|
SEDs have been available for years, but Microsoft couldn’t support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives.
|
||||||
Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC’s processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements.
|
Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC’s processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use, whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements.
|
||||||
For more information about encrypted hard drives, see [Encrypted Hard Drive](../encrypted-hard-drive.md).
|
For more information about encrypted hard drives, see [Encrypted Hard Drive](../encrypted-hard-drive.md).
|
||||||
|
|
||||||
## Preboot information protection
|
## Preboot information protection
|
||||||
|
|
||||||
An effective implementation of information protection, like most security controls, considers usability as well as security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
|
An effective implementation of information protection, like most security controls, considers usability and security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
|
||||||
It's crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign in. Challenging users for input more than once should be avoided.
|
It's crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign-in. Challenging users for input more than once should be avoided.
|
||||||
Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
|
Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
|
||||||
|
|
||||||
## Manage passwords and PINs
|
## Manage passwords and PINs
|
||||||
|
|
||||||
When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign in, which makes it virtually impossible for the attacker to access or modify user data and system files.
|
When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it virtually impossible for the attacker to access or modify user data and system files.
|
||||||
|
|
||||||
Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly.
|
Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly.
|
||||||
Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
|
Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
|
||||||
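Review bot: The edit to the encrypted hard drive paragraph introduces a stray comma that breaks the sentence: "If you plan to use, whole-drive encryption with Windows 11 or Windows 10, ...". Drop the comma after "use" so it reads "If you plan to use whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends ...". The "sign-in" hyphenation changes in the rest of the hunk look correct.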
@ -124,12 +124,12 @@ Network Unlock enables BitLocker-protected PCs to start automatically when conne
|
|||||||
Network Unlock requires the following infrastructure:
|
Network Unlock requires the following infrastructure:
|
||||||
|
|
||||||
* Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)
|
* Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)
|
||||||
* A server running at least Windows Server 2012 with the Windows Deployment Services role
|
* A server running at least Windows Server 2012 with the Windows deployment services role
|
||||||
* A server with the DHCP server role installed
|
* A server with the DHCP server role installed
|
||||||
|
|
||||||
For more information about how to configure Network Unlock, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
|
For more information about how to configure Network unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
|
||||||
|
|
||||||
## Microsoft BitLocker Administration and Monitoring
|
## Microsoft BitLocker administration and monitoring
|
||||||
|
|
||||||
Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administration and Monitoring (MBAM) makes it easier to manage and support BitLocker and BitLocker To Go. MBAM 2.5 with Service Pack 1, the latest version, has the following key features:
|
Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administration and Monitoring (MBAM) makes it easier to manage and support BitLocker and BitLocker To Go. MBAM 2.5 with Service Pack 1, the latest version, has the following key features:
|
||||||
|
|
||||||
|
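Review bot: "Windows Deployment Services" is the name of the server role and should keep its capitalization; the change to "Windows deployment services role" makes it read as a generic description rather than the role the reader has to install. The Network Unlock link sentence also loses its article and its casing: "For more information about how to configure Network unlock feature" should be "For more information about how to configure the Network Unlock feature", consistent with "Network Unlock" used on the preceding lines.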
@ -20,7 +20,7 @@ ms.date: 04/17/2019
|
|||||||
ms.custom: bitlocker
|
ms.custom: bitlocker
|
||||||
---
|
---
|
||||||
|
|
||||||
# BitLocker Group Policy settings
|
# BitLocker group policy settings
|
||||||
|
|
||||||
**Applies to:**
|
**Applies to:**
|
||||||
|
|
||||||
@ -39,12 +39,12 @@ Most of the BitLocker Group Policy settings are applied when BitLocker is initia
|
|||||||
If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive is initially configured to be unlocked with a password and then Group
|
If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive is initially configured to be unlocked with a password and then Group
|
||||||
Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed.
|
Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed.
|
||||||
|
|
||||||
|
## <a href="" id="bkmk-gptop"></a>BitLocker group policy settings
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> For more details about Active Directory configuration related to BitLocker enablement, please see [Set up MDT for BitLocker](/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker).
|
> For more details about Active Directory configuration related to BitLocker enablement, please see [Set up MDT for BitLocker](/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker).
|
||||||
|
|
||||||
## <a href="" id="bkmk-gptop"></a>BitLocker Group Policy settings
|
The following sections provide a comprehensive list of BitLocker group policy settings that are organized by usage. BitLocker group policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives.
|
||||||
|
|
||||||
The following sections provide a comprehensive list of BitLocker Group Policy settings that are organized by usage. BitLocker Group Policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives.
|
|
||||||
|
|
||||||
The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked.
|
The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked.
|
||||||
|
|
||||||
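Review bot: Moving the "BitLocker group policy settings" heading above the NOTE is fine, but the hunk leaves "Group Policy" capitalized in the unchanged context lines (the suspend/resume paragraph and the Manage-bde paragraph) while the new heading and the new list paragraph use "group policy". Apply one convention across the article, and confirm that the `bkmk-gptop` anchor id still appears exactly once after the move, since in-page links depend on it.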
@ -103,9 +103,7 @@ The following policies are used to support customized deployment scenarios in yo
|
|||||||
- [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4)
|
- [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4)
|
||||||
- [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5)
|
- [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5)
|
||||||
|
|
||||||
### <a href="" id="bkmk-hstioptout"></a>Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN
|
### <a href="" id="bkmk-hstioptout"></a>Allow devices with secure boot and protected DMA ports to opt out of preboot PIN
|
||||||
|
|
||||||
This policy setting allows users on devices that are compliant with Modern Standby or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication.
|
|
||||||
|
|
||||||
| | |
|
| | |
|
||||||
|:---|:---|
|
|:---|:---|
|
||||||
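Review bot: The description sentence for this policy ("This policy setting allows users on devices that are compliant with Modern Standby or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication.") is deleted without a replacement, so the heading now runs straight into the settings table; this looks unintended and removes the only sentence explaining what the opt-out does. Restore the sentence. Separately, "Secure Boot" is the UEFI feature name and should stay capitalized in the heading rather than "secure boot".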
@ -145,7 +143,7 @@ To use a network key protector to unlock the computer, the computer and the serv
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or can't connect to the domain controller at startup.
|
> For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or can't connect to the domain controller at startup.
|
||||||
|
|
||||||
For more information about Network Unlock, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
|
For more information about Network Unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
|
||||||
|
|
||||||
### <a href="" id="bkmk-unlockpol1"></a>Require additional authentication at startup
|
### <a href="" id="bkmk-unlockpol1"></a>Require additional authentication at startup
|
||||||
|
|
||||||
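Review bot: "For more information about Network Unlock feature" is missing its article; either keep the original "For more information about Network Unlock" or write "about the Network Unlock feature", matching the link text that follows.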
@ -234,8 +232,8 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
|
|||||||
|
|
||||||
This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of four digits and can have a maximum length of 20 digits.
|
This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of four digits and can have a maximum length of 20 digits.
|
||||||
|
|
||||||
Originally, BitLocker allowed from 4 to 20 characters for a PIN.
|
Originally, BitLocker allowed a length from 4 to 20 characters for a PIN.
|
||||||
Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
|
Windows Hello has its own PIN for logon, length of which can be 4 to 127 characters.
|
||||||
Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
|
Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
|
||||||
|
|
||||||
The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../tpm/trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
|
The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../tpm/trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
|
||||||
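Review bot: The Windows Hello sentence reads worse after the edit: "Windows Hello has its own PIN for logon, length of which can be 4 to 127 characters." The original "which can be 4 to 127 characters" was correct; if a change is wanted, "whose length can be 4 to 127 characters" keeps the grammar. While touching this block, the unchanged context line still has the typo "failed authorizations attempts" (should be "failed authorization attempts").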
@ -305,7 +303,7 @@ This policy controls how non-TPM based systems utilize the password protector. U
|
|||||||
|
|
||||||
**Reference**
|
**Reference**
|
||||||
|
|
||||||
If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled.
|
If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\**, must be also enabled.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
|
> These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
|
||||||
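Review bot: The added comma after the bold policy path is an improvement, but the sentence still carries "must be also enabled"; reorder to "must also be enabled" so the complexity-requirement dependency reads cleanly.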
@ -316,7 +314,7 @@ Passwords must be at least eight characters. To configure a greater minimum leng
|
|||||||
When this policy setting is enabled, you can set the option **Configure password complexity for operating system drives** to:
|
When this policy setting is enabled, you can set the option **Configure password complexity for operating system drives** to:
|
||||||
|
|
||||||
- Allow password complexity
|
- Allow password complexity
|
||||||
- Do not allow password complexity
|
- Deny password complexity
|
||||||
- Require password complexity
|
- Require password complexity
|
||||||
|
|
||||||
### <a href="" id="bkmk-unlockpol4"></a>Require additional authentication at startup (Windows Server 2008 and Windows Vista)
|
### <a href="" id="bkmk-unlockpol4"></a>Require additional authentication at startup (Windows Server 2008 and Windows Vista)
|
||||||
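Review bot: "Do not allow password complexity" is presented as the literal label of the dropdown option in the Group Policy editor; renaming it to "Deny password complexity" should only be done if the UI actually shows that text. As changed, it is also inconsistent with the same article's fixed-data-drive section, which still documents the option as **Do not allow complexity**. Verify the UI string before changing a quoted option name.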
@ -335,7 +333,7 @@ This policy setting is used to control what unlock options are available for com
|
|||||||
|
|
||||||
**Reference**
|
**Reference**
|
||||||
|
|
||||||
On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 6-digit to 20-digit startup PIN.
|
On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can prompt users to insert a USB drive that contains a startup key. It can also prompt users to enter a startup PIN with a length between 6 and 20 digits.
|
||||||
|
|
||||||
A USB drive that contains a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material that is on this USB drive.
|
A USB drive that contains a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material that is on this USB drive.
|
||||||
|
|
||||||
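Review bot: Replacing "require users to insert a USB drive" / "require users to enter ... startup PIN" with "prompt users" weakens the meaning: with these protectors configured, startup does not continue without the key or PIN, so "require" is the accurate verb. Keep "require" and, if the sentence is being reworded, keep the PIN range phrasing ("a startup PIN with a length between 6 and 20 digits") which reads fine.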
@ -449,19 +447,19 @@ This policy setting is used to require, allow, or deny the use of passwords with
|
|||||||
|
|
||||||
**Reference**
|
**Reference**
|
||||||
|
|
||||||
If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at
|
If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at
|
||||||
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** must also be enabled.
|
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy**, must also be enabled.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
|
> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
|
||||||
|
|
||||||
Passwords must be at least eight characters. To configure a greater minimum length for the password, enter the wanted number of characters in the **Minimum password length** box.
|
Passwords must be at least eight characters. To configure a greater minimum length for the password, enter the wanted number of characters in the **Minimum password length** box.
|
||||||
|
|
||||||
When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password.
|
When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity of the password.
|
||||||
|
|
||||||
When set to **Allow complexity**, a connection to a domain controller will be attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password will still be accepted regardless of actual password complexity and the drive will be encrypted by using that password as a protector.
|
When set to **Allow complexity**, a connection to a domain controller is be attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is still be accepted regardless of actual password complexity and the drive is encrypted by using that password as a protector.
|
||||||
|
|
||||||
When set to **Do not allow complexity**, no password complexity validation will be done.
|
When set to **Do not allow complexity**, no password complexity validation is done.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled.
|
> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled.
|
||||||
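Review bot: the tense rewrite in the "Allow complexity" paragraph leaves two broken verb phrases: "a connection to a domain controller is be attempted" and "the password is still be accepted". These should read "is attempted" and "is still accepted"; the same sentence already gets "the drive is encrypted" right. Separately, "enter the wanted number of characters" in the minimum-length paragraph is unchanged here but would read better as "the desired number of characters".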
@ -495,7 +493,7 @@ The default object identifier is 1.3.6.1.4.1.311.67.1.1.
|
|||||||
|
|
||||||
### <a href="" id="bkmk-slates"></a>Enable use of BitLocker authentication requiring preboot keyboard input on slates
|
### <a href="" id="bkmk-slates"></a>Enable use of BitLocker authentication requiring preboot keyboard input on slates
|
||||||
|
|
||||||
This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability.
|
### <a href="" id="bkmk-slates"></a>Enable use of BitLocker authentication requiring pre-boot keyboard input on slates
|
||||||
|
|
||||||
| | |
|
| | |
|
||||||
|:---|:---|
|
|:---|:---|
|
||||||
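Review bot: the changed line in this hunk replaces the section's only descriptive paragraph ("This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability.") with a second copy of the heading, which also duplicates the anchor id="bkmk-slates" two lines below the existing heading. Restore the paragraph and, if the intent was the "pre-boot" spelling, apply it to the one heading already in place rather than adding another; as shown, the existing heading still reads "preboot" and the new line reads "pre-boot".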
@ -547,6 +545,7 @@ Conflict considerations include:
|
|||||||
- If you attempted to shrink the drive and create the system drive, the drive size is successfully reduced and a raw partition is created. However, the raw partition isn't formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker."
|
- If you attempted to shrink the drive and create the system drive, the drive size is successfully reduced and a raw partition is created. However, the raw partition isn't formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker."
|
||||||
- If you attempt to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition will not be formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker."
|
- If you attempt to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition will not be formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker."
|
||||||
- If you attempt to merge an existing drive into the system drive, the tool fails to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: "BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker."
|
- If you attempt to merge an existing drive into the system drive, the tool fails to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: "BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker."
|
||||||
|
|
||||||
3. If this policy setting is enforced, a hard drive can't be repartitioned because the drive is protected. If you are upgrading computers in your organization from a previous version of Windows, and those computers were configured with a single partition, you should create the required BitLocker system partition before you apply this policy setting to the computers.
|
3. If this policy setting is enforced, a hard drive can't be repartitioned because the drive is protected. If you are upgrading computers in your organization from a previous version of Windows, and those computers were configured with a single partition, you should create the required BitLocker system partition before you apply this policy setting to the computers.
|
||||||
|
|
||||||
### <a href="" id="bkmk-driveaccess2"></a>Deny write access to removable drives not protected by BitLocker
|
### <a href="" id="bkmk-driveaccess2"></a>Deny write access to removable drives not protected by BitLocker
|
||||||
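Review bot: the second bullet in this hunk keeps "a raw partition will be created. However, the raw partition will not be formatted." while the bullet above it says "a raw partition is created. However, the raw partition isn't formatted." and the rest of this PR converts "will" to present tense. Make the two bullets parallel, since they describe the same failure with the same error message.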
@ -727,7 +726,7 @@ This policy controls whether fixed data drives utilize Used Space Only encryptio
|
|||||||
|
|
||||||
**Reference**
|
**Reference**
|
||||||
|
|
||||||
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
|
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
|
> This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
|
||||||
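Review bot: the rewording of the encryption-type sentence trades a concise verb for a longer construction: "Choose Full encryption to require that the entire drive be encrypted" becomes "to make it mandatory for the entire drive to be encrypted", and "to require that only the portion of the drive that is used to store data is encrypted" becomes "to make it mandatory to encrypt only that portion of the drive that is used to store data". "Require" is the plainer choice and matches how the policy options are described elsewhere on this page. The same edit is repeated in the next two hunks for the operating system drive and the third encryption-type section, so whichever wording is kept should be applied to all three.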
@ -750,7 +749,7 @@ This policy controls whether operating system drives utilize Full encryption or
|
|||||||
|
|
||||||
**Reference**
|
**Reference**
|
||||||
|
|
||||||
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
|
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
|
> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
|
||||||
@ -773,7 +772,7 @@ This policy controls whether fixed data drives utilize Full encryption or Used S
|
|||||||
|
|
||||||
**Reference**
|
**Reference**
|
||||||
|
|
||||||
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
|
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
|
> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
|
||||||
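Review bot: the NOTE in this hunk says "as it would be for a drive that is using Full Encryption" with a capital E, while the two parallel notes in the preceding hunks and the reference paragraph directly above write "Full encryption". The three notes also differ in small ways ("when you are shrinking or expanding a volume" versus "when shrinking or expanding a volume", "that uses" versus "that is using"); since they are copies of the same text, align them while this paragraph is being touched.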
@ -807,7 +806,7 @@ In **Configure user storage of BitLocker recovery information**, select whether
|
|||||||
Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for
|
Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for
|
||||||
the drive are determined by the policy setting.
|
the drive are determined by the policy setting.
|
||||||
|
|
||||||
In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select **Store recovery password and key packages**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that is physically corrupted. If you select **Store recovery password only**, only the recovery password is stored in AD DS.
|
In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select **Store recovery password and key packages**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports the recovery of data from a drive that is physically corrupted. If you select **Store recovery password only**, only the recovery password is stored in AD DS.
|
||||||
|
|
||||||
Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
|
Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
|
||||||
|
|
||||||
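Review bot: the sentence "Instead, BitLocker recovery options for" / "the drive are determined by the policy setting." is split across two source lines in this hunk, whereas the identical sentence in the fixed data drive and removable data drive sections further down sits on one line. Join it so the hard break does not read as a paragraph boundary. The change from "supports recovering data" to "supports the recovery of data" is fine.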
@ -834,7 +833,7 @@ This policy is only applicable to computers running Windows Server 2008 or Windo
|
|||||||
|
|
||||||
Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. Users can type a 48-digit numerical recovery password, or they can insert a USB drive that contains a 256-bit recovery key.
|
Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. Users can type a 48-digit numerical recovery password, or they can insert a USB drive that contains a 256-bit recovery key.
|
||||||
|
|
||||||
Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving it to a folder stores the 48-digit recovery password as a text file. Printing it sends the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder.
|
Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving the recovery password to a folder stores the 48-digit recovery password as a text file. Printing the recovery password sends the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder.
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information.
|
> If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information.
|
||||||
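Review bot: the explicit phrasing added here ("Saving the recovery password to a folder", "Printing the recovery password") is an improvement, but the closing sentence of that paragraph still reads "For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder." That is a consequence of the three storage behaviours just described, not an example of them; "As a result" or "Therefore" fits.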
@ -915,7 +914,7 @@ This policy setting is applied when you turn on BitLocker.
|
|||||||
|
|
||||||
The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor.
|
The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor.
|
||||||
|
|
||||||
In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
|
In **Configure user storage of BitLocker recovery information**, select whether users can be allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
|
||||||
|
|
||||||
Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting.
|
Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting.
|
||||||
|
|
||||||
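Review bot: "select whether users can be allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key" is harder to read than the original "select whether users are allowed, required, or not allowed", and "can be required" does not describe the setting. The three choices are states the policy puts users in, so the original wording should be restored.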
@ -949,11 +948,11 @@ This policy setting is applied when you turn on BitLocker.
|
|||||||
|
|
||||||
The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected removable data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies** , which is accessed using the GPMC or the Local Group Policy Editor.
|
The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected removable data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies** , which is accessed using the GPMC or the Local Group Policy Editor.
|
||||||
|
|
||||||
In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password.
|
In **Configure user storage of BitLocker recovery information**, select whether users can be allowed, required, or not allowed to generate a 48-digit recovery password.
|
||||||
|
|
||||||
Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting.
|
Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting.
|
||||||
|
|
||||||
In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for removable data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. If you select **Backup recovery password only**, only the recovery password is stored in AD DS.
|
In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information is to be stored in AD DS for removable data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. If you select **Backup recovery password only**, only the recovery password is stored in AD DS.
|
||||||
|
|
||||||
Select the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
|
Select the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
|
||||||
|
|
||||||
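Review bot: the same "can be allowed, required, or not allowed" change appears here for removable data drives and has the same readability problem as in the fixed data drive section; restore "are allowed, required, or not allowed". Two smaller points in this hunk: "**Public Key Policies** , which" carries a stray space before the comma on both sides of the diff, and "choose which BitLocker recovery information is to be stored in AD DS" is wordier than the original "choose which BitLocker recovery information to store in AD DS", which the operating system drive section still uses.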
@ -981,8 +980,8 @@ Enabling the **Configure the pre-boot recovery message and URL** policy setting
|
|||||||
Once you enable the setting, you have three options:
|
Once you enable the setting, you have three options:
|
||||||
|
|
||||||
- If you select the **Use default recovery message and URL** option, the default BitLocker recovery message and URL will be displayed on the pre-boot recovery screen.
|
- If you select the **Use default recovery message and URL** option, the default BitLocker recovery message and URL will be displayed on the pre-boot recovery screen.
|
||||||
- If you select the **Use custom recovery message** option, type the custom message in the **Custom recovery message option** text box. The message that you type in the **Custom recovery message option** text box will be displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message.
|
- If you select the **Use custom recovery message** option, type the custom message in the **Custom recovery message option** text box. The message that you type in the **Custom recovery message option** text box is displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message.
|
||||||
- If you select the **Use custom recovery URL** option, type the custom message URL in the **Custom recovery URL option** text box. The URL that you type in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which will be displayed on the pre-boot recovery screen.
|
- If you select the **Use custom recovery URL** option, type the custom message URL in the **Custom recovery URL option** text box. The URL that you type in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which is displayed on the pre-boot recovery screen.
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen.
|
> Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen.
|
||||||
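Review bot: the tense change is applied to the second and third bullets ("is displayed on the pre-boot recovery screen") but not to the first, which still reads "the default BitLocker recovery message and URL will be displayed on the pre-boot recovery screen"; make the three bullets consistent. Also, the IMPORTANT note below them says "We strongly recommended that you verify", which should be "We strongly recommend".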
@ -1006,8 +1005,8 @@ This policy controls how BitLocker-enabled system volumes are handled with the S
|
|||||||
|
|
||||||
**Reference**
|
**Reference**
|
||||||
|
|
||||||
Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8.
|
Secure boot ensures that the computer's pre-boot environment loads only firmware that is digitally signed by authorized software publishers. Secure boot also started providing more flexibility for managing pre-boot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8.
|
||||||
When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker.
|
When this policy is enabled and the hardware is capable of using secure boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** group policy setting is ignored, and secure boot verifies BCD settings according to the secure boot policy setting, which is configured separately from BitLocker.
|
||||||
|
|
||||||
> [!WARNING]
|
> [!WARNING]
|
||||||
> Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates.
|
> Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates.
|
||||||
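Review bot: "Secure boot also started providing more flexibility for managing pre-boot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8" changes the meaning of the original sentence. The original compares Secure Boot with the BitLocker integrity checks that were used prior to Windows Server 2012 and Windows 8; "started providing ... prior to" reads as if Secure Boot predates those releases. Keep "also provides". The hunk also lowercases "Secure Boot" and "Group Policy" to "secure boot" and "group policy"; both are feature names that the rest of this document capitalizes (see "Group Policy setting" in the TPM platform validation hunk further down), so the casing should not change here.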
@ -1030,7 +1029,7 @@ This policy setting is used to establish an identifier that is applied to all dr
|
|||||||
|
|
||||||
These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool.
|
These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool.
|
||||||
|
|
||||||
An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the drive matches the value that is configured for the identification field.
|
An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field's value on the drive matches the value that is configured for the identification field.
|
||||||
|
|
||||||
For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
|
For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
|
||||||
|
|
||||||
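Review bot: after this change the two parallel sentences in the identification-field paragraph no longer match: "only when the identification field on the drive matches the value that is configured in the identification field" versus "only when the identification field's value on the drive matches the value that is configured for the identification field". Pick one form for both, since they describe the same comparison for data recovery agents and for the BitLocker To Go Reader.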
@ -1038,9 +1037,9 @@ The allowed identification field is used in combination with the **Deny write ac
|
|||||||
|
|
||||||
You can configure the identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool.
|
You can configure the identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool.
|
||||||
|
|
||||||
When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an outside organization.
|
When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an external organization.
|
||||||
|
|
||||||
Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value up to 260 characters.
|
Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value upto 260 characters.
|
||||||
|
|
||||||
### <a href="" id="bkmk-depopt2"></a>Prevent memory overwrite on restart
|
### <a href="" id="bkmk-depopt2"></a>Prevent memory overwrite on restart
|
||||||
|
|
||||||
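Review bot: the change from "up to 260 characters" to "upto 260 characters" introduces a misspelling; "up to" is two words. The "outside organization" to "external organization" change in the same hunk is fine.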
@ -1094,9 +1093,9 @@ A platform validation profile consists of a set of PCR indices that range from 0
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
|
> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
|
||||||
|
|
||||||
The following list identifies all of the PCRs available:
|
The following list identifies all of the available PCRs:
|
||||||
|
|
||||||
- PCR 0: Core root-of-trust for measurement, BIOS, and Platform extensions
|
- PCR 0: Core root-of-trust for measurement, BIOS, and platform extensions
|
||||||
- PCR 1: Platform and motherboard configuration and data.
|
- PCR 1: Platform and motherboard configuration and data.
|
||||||
- PCR 2: Option ROM code
|
- PCR 2: Option ROM code
|
||||||
- PCR 3: Option ROM data and configuration
|
- PCR 3: Option ROM data and configuration
|
||||||
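Review bot: in the PCR list, "PCR 1: Platform and motherboard configuration and data." ends with a period while the neighbouring items ("PCR 0: Core root-of-trust for measurement, BIOS, and platform extensions", "PCR 2: Option ROM code", "PCR 3: Option ROM data and configuration") do not; since this hunk already touches the casing of the PCR 0 item, drop the stray period for consistency.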
@ -1141,7 +1140,7 @@ A platform validation profile consists of a set of PCR indices that range from 0
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only.
|
> The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only.
|
||||||
|
|
||||||
The following list identifies all of the PCRs available:
|
The following list identifies all of the available PCRs:
|
||||||
|
|
||||||
- PCR 0: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code
|
- PCR 0: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code
|
||||||
- PCR 1: Platform and motherboard configuration and data. Hand-off tables and EFI variables that affect system configuration
|
- PCR 1: Platform and motherboard configuration and data. Hand-off tables and EFI variables that affect system configuration
|
||||||
@ -1179,11 +1178,11 @@ This policy setting determines what values the TPM measures when it validates ea
|
|||||||
This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker is already turned on with TPM protection.
|
This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker is already turned on with TPM protection.
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled.
|
> This group policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled.
|
||||||
|
|
||||||
A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11).
|
A platform validation profile consists of a set of PCR indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11).
|
||||||
|
|
||||||
The following list identifies all of the PCRs available:
|
The following list identifies all of the available PCRs:
|
||||||
|
|
||||||
- PCR 0: Core System Firmware executable code
|
- PCR 0: Core System Firmware executable code
|
||||||
- PCR 1: Core System Firmware data
|
- PCR 1: Core System Firmware data
|
||||||
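Review bot: the IMPORTANT note now mixes "This group policy setting only applies" with "Group Policy setting" later in the very same sentence ("Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting"); pick one form for the whole note, and since Group Policy is the name of the Windows feature rather than a generic phrase, the capitalized form is the safer choice. Dropping "(PCR)" from "A platform validation profile consists of a set of PCR indices ranging from 0 to 23" is acceptable only because the note just above it still spells out "Platform Configuration Registers (PCRs)"; if that note is ever moved, the expansion goes with it.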
@ -1249,7 +1248,7 @@ This policy setting determines specific Boot Configuration Data (BCD) settings t
|
|||||||
|
|
||||||
### <a href="" id="bkmk-depopt4"></a>Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
|
### <a href="" id="bkmk-depopt4"></a>Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
|
||||||
|
|
||||||
This policy setting is used to control whether access to drives is allowed by using the BitLocker To Go Reader, and if the application is installed on the drive.
|
This policy setting is used to control whether access to drives is allowed by using the BitLocker To Go Reader, and whether BitLocker To Go Reader can be installed on the drive.
|
||||||
|
|
||||||
| | |
|
| | |
|
||||||
|:---|:---|
|
|:---|:---|
|
||||||
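Review bot: "and whether BitLocker To Go Reader can be installed on the drive" changes the meaning of the line it replaces. The original "and if the application is installed on the drive" describes a state the policy controls (the reader is or is not placed on the drive), whereas "can be installed" describes a permission; suggest "and whether BitLocker To Go Reader is installed on the drive". The empty "| | |" header row of the table beneath this sentence is unchanged context, but it is worth a follow-up since a table with no column titles renders as a blank header.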
@ -1313,7 +1312,7 @@ You can edit the FIPS setting by using the Security Policy Editor (Secpol.msc) o
|
|||||||
|
|
||||||
For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
|
For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
|
||||||
|
|
||||||
## Power management Group Policy settings: Sleep and Hibernate
|
## Power management group policy settings: Sleep and Hibernate
|
||||||
|
|
||||||
PCs default power settings for a computer will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the system’s battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When a computer resumes from Sleep, users aren't required to reauthenticate with a PIN or USB startup key to access encrypted data. This might lead to conditions where data security is compromised.
|
PCs default power settings for a computer will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the system’s battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When a computer resumes from Sleep, users aren't required to reauthenticate with a PIN or USB startup key to access encrypted data. This might lead to conditions where data security is compromised.
|
||||||
|
|
||||||
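Review bot: the heading change to "Power management group policy settings: Sleep and Hibernate" lowercases Group Policy, which the PCR section of this same article still writes as "Group Policy setting"; keep the capitalized form so the article is consistent. While this hunk is open, the unchanged first sentence of the section, "PCs default power settings for a computer will cause the computer to enter Sleep mode frequently", has a missing possessive and a redundant "for a computer"; "A PC's default power settings cause it to enter Sleep mode frequently" reads better and matches the present tense adopted elsewhere in this commit.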
@ -1337,7 +1336,7 @@ reduces the likelihood of BitLocker starting in recovery mode as a result of fir
|
|||||||
|
|
||||||
PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](/windows-hardware/test/hlk/testref/trusted-execution-environment-efi-protocol).
|
PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](/windows-hardware/test/hlk/testref/trusted-execution-environment-efi-protocol).
|
||||||
|
|
||||||
PCR 7 measurements are a mandatory logo requirement for systems that support Modern Standby (also known as Always On, Always Connected PCs), such as the Microsoft Surface RT. On such systems, if the TPM with PCR 7 measurement and Secure Boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default.
|
PCR 7 measurements are a mandatory logo requirement for systems that support Modern Standby (also known as Always On, Always Connected PCs), such as the Microsoft Surface RT. On such systems, if the TPM with PCR 7 measurement and secure boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default.
|
||||||
|
|
||||||
## See also
|
## See also
|
||||||
|
|
||||||
|
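Review bot: "Secure Boot" should stay capitalized in "if the TPM with PCR 7 measurement and secure boot are correctly configured"; it is the name of the UEFI feature whose state PCR 7 measures, not a generic description, and lowercasing it hides that the default binding to PCR 7 and PCR 11 depends on a specific firmware setting being enabled and correctly configured. The same sentence keeps "TPM" and "Modern Standby" capitalized, so "secure boot" is also internally inconsistent. The Surface RT example in the unchanged text is dated, but that is outside this change.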
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: BitLocker How to deploy on Windows Server 2012 and later
|
title: BitLocker How to deploy on Windows Server 2012 and later
|
||||||
description: This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later
|
description: This article for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later
|
||||||
ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f
|
ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f
|
||||||
ms.reviewer:
|
ms.reviewer:
|
||||||
ms.prod: m365-security
|
ms.prod: m365-security
|
||||||
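Review bot: the description line is touched to change "topic" to "article" but keeps the wording "how to deploy BitLocker and Windows Server 2012 and later", which reads as deploying the operating system together with BitLocker; it should be "how to deploy BitLocker on Windows Server 2012 and later", matching the opening sentence of the body. The unchanged title "BitLocker How to deploy on Windows Server 2012 and later" is also missing the colon used by the companion article's heading "BitLocker: How to enable Network Unlock".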
@ -22,28 +22,30 @@ ms.custom: bitlocker
|
|||||||
|
|
||||||
> Applies to: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
|
> Applies to: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
|
||||||
|
|
||||||
This topic for the IT professional explains how to deploy BitLocker on Windows Server 2012 and later. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server to install.
|
This article explains how to deploy BitLocker on Windows Server 2012 and later versions. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed.
|
||||||
|
|
||||||
## <a href="" id="installing-bitlocker-"></a>Installing BitLocker
|
## <a href="" id="installing-bitlocker-"></a>Installing BitLocker
|
||||||
|
|
||||||
### <a href="" id="bkmk-blinstallsrvmgr"></a>To install BitLocker using Server Manager
|
### <a href="" id="bkmk-blinstallsrvmgr"></a>To install BitLocker using server manager
|
||||||
|
|
||||||
1. Open Server Manager by selecting the Server Manager icon or running servermanager.exe.
|
1. Open server manager by selecting the server manager icon or running servermanager.exe.
|
||||||
2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.**
|
2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.**
|
||||||
3. With the **Add Roles and Features Wizard** open, select **Next** at the **Before you begin** pane (if shown).
|
3. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown).
|
||||||
4. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features Wizard** pane and select **Next** to continue.
|
4. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue.
|
||||||
5. Select the **Select a server from the server pool option** in the **Server Selection** pane and confirm the server for the BitLocker feature install.
|
5. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed.
|
||||||
6. Server roles and features install using the same wizard in Server Manager. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane.
|
6. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane.
|
||||||
7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features Wizard**. The wizard will show the additional management features available for BitLocker. If you do not want to install these features, deselect the **Include management tools option** and select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.
|
**Note**: Server roles and features are installed by using the same wizard in Server Manager.
|
||||||
|
7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If you don't want to install these features, deselect the **Include management tools
|
||||||
|
** and select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.
|
||||||
|
|
||||||
> **Note:** The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for Encrypted Hard Drives on capable systems.
|
> **Note:** The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems.
|
||||||
|
|
||||||
8. Select **Install** on the **Confirmation** pane of the **Add Roles and Features Wizard** to begin BitLocker feature installation. The BitLocker feature requires a restart to complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane will force a restart of the computer after installation is complete.
|
8. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete.
|
||||||
9. If the **Restart the destination server automatically if required** check box is not selected, the **Results pane** of the **Add Roles and Features Wizard** will display the success or failure of the BitLocker feature installation. If required, a notification of additional action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
|
9. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
|
||||||
|
|
||||||
### <a href="" id="bkmk-blinstallwps"></a>To install BitLocker using Windows PowerShell
|
### <a href="" id="bkmk-blinstallwps"></a>To install BitLocker using Windows PowerShell
|
||||||
|
|
||||||
Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism` module; however, the `servermanager` and `dism` modules do not always share feature name parity. Because of this, it is advisable to confirm the feature or role name prior to installation.
|
Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism` module; however, the `servermanager` and `dism` modules don't always share feature name parity. Because of this, it's advisable to confirm the feature or role name prior to installation.
|
||||||
|
|
||||||
>**Note:** You must restart the server to complete the installation of BitLocker.
|
>**Note:** You must restart the server to complete the installation of BitLocker.
|
||||||
|
|
||||||
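Review bot: step 7 is now split across two lines inside a bold span: the first part ends with "deselect the **Include management tools" and the continuation begins "** and select **Add Features**", so the bold markers no longer pair on one line and the UI label loses its trailing word ("option"). Restore it as a single line, "deselect the **Include management tools** option and select **Add Features**". Two smaller points in the same hunk: the new paragraph "**Note**: Server roles and features are installed by using the same wizard in Server Manager." sits between steps 6 and 7 as an unindented paragraph, which will restart the numbered list at step 7 unless it is indented under step 6 or written as a NOTE callout like the Enhanced Storage note below it; and "server manager" is lowercased in the heading and in step 1 while "Server Manager" is kept in step 2 and in that note, so one form should be chosen (Server Manager is the product name).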
@ -51,20 +53,20 @@ Windows PowerShell offers administrators another option for BitLocker feature in
|
|||||||
|
|
||||||
The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`.
|
The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`.
|
||||||
|
|
||||||
By default, installation of features in Windows PowerShell does not include optional sub-features or management tools as part of the install process. This can be seen using the `-WhatIf` option in Windows PowerShell.
|
By default, installation of features in Windows PowerShell doesn't include optional sub-features or management tools as part of the installation process. This can be seen using the `-WhatIf` option in Windows PowerShell.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Install-WindowsFeature BitLocker -WhatIf
|
Install-WindowsFeature BitLocker -WhatIf
|
||||||
```
|
```
|
||||||
The results of this command show that only the BitLocker Drive Encryption feature installs using this command.
|
The results of this command show that only the BitLocker Drive Encryption feature is installed using this command.
|
||||||
|
|
||||||
To see what would be installed with the BitLocker feature including all available management tools and sub-features, use the following command:
|
To see what would be installed with the BitLocker feature, including all available management tools and sub-features, use the following command:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl
|
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl
|
||||||
```
|
```
|
||||||
|
|
||||||
The result of this command displays the following list of all the administration tools for BitLocker that would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
|
The result of this command displays the following list of all the administration tools for BitLocker, which would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
|
||||||
|
|
||||||
- BitLocker Drive Encryption
|
- BitLocker Drive Encryption
|
||||||
- BitLocker Drive Encryption Tools
|
- BitLocker Drive Encryption Tools
|
||||||
@ -74,7 +76,7 @@ The result of this command displays the following list of all the administration
|
|||||||
- AD DS Tools
|
- AD DS Tools
|
||||||
- AD DS and AD LDS Tools
|
- AD DS and AD LDS Tools
|
||||||
|
|
||||||
The command to complete a full installation of the BitLocker feature with all available features and then rebooting the server at completion is:
|
The command to complete a full installation of the BitLocker feature with all available sub-features and then to reboot the server at completion is:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
|
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
|
||||||
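Review bot: the unchanged sentence "The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`." is inaccurate; on Windows Server 2012 and later Add-WindowsFeature is an alias of Install-WindowsFeature, so "is an alias of `Install-WindowsFeature`" is the right description and the trailing "the" should go. Since this hunk already revises the surrounding command explanations, the pipeline in "Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl" would be clearer spelled out as Format-List for readers who do not know the alias.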
@ -84,13 +86,13 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -
|
|||||||
|
|
||||||
### Using the dism module to install BitLocker
|
### Using the dism module to install BitLocker
|
||||||
|
|
||||||
The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module does not support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system.
|
The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module doesn't support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Get-WindowsOptionalFeature -Online | ft
|
Get-WindowsOptionalFeature -Online | ft
|
||||||
```
|
```
|
||||||
|
|
||||||
From this output, we can see that there are three BitLocker related optional feature names: BitLocker, BitLocker-Utilities and BitLocker-NetworkUnlock. To install the BitLocker feature, the BitLocker and BitLocker-Utilities features are the only required items.
|
From this output, we can see that there are three BitLocker-related optional feature names: BitLocker, BitLocker-Utilities and BitLocker-NetworkUnlock. To install the BitLocker feature, the BitLocker and BitLocker-Utilities features are the only required items.
|
||||||
|
|
||||||
To install BitLocker using the `dism` module, use the following command:
|
To install BitLocker using the `dism` module, use the following command:
|
||||||
|
|
||||||
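Review bot: the cmdlet name in "use the `Get-WindowsOptionalFeatures` cmdlet" is wrong; the cmdlet is Get-WindowsOptionalFeature (singular), which is what the code block immediately below this sentence uses. This line is edited by the hunk, so the typo should be fixed here rather than left for later. The same sentence still carries the redundant "The BitLocker feature name for BitLocker is `BitLocker`", which could read "The `dism` feature name for BitLocker is `BitLocker`", and "The following command will list" should follow the present tense adopted elsewhere in this commit ("lists"). The `ft` alias in "Get-WindowsOptionalFeature -Online | ft" is better spelled out as Format-Table.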
@ -98,7 +100,7 @@ To install BitLocker using the `dism` module, use the following command:
|
|||||||
Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All
|
Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All
|
||||||
```
|
```
|
||||||
|
|
||||||
This command will prompt the user for a reboot. The Enable-WindowsOptionalFeature cmdlet does not offer support for forcing a reboot of the computer. This command does not include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command:
|
This command prompts the user for a reboot. The Enable-WindowsOptionalFeature cmdlet doesn't offer support for forcing a reboot of the computer. This command doesn't include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All
|
Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All
|
||||||
|
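Review bot: "For a complete installation of BitLocker and all available management tools, use the following command" is followed by a command that enables only BitLocker and BitLocker-Utilities, while the preceding hunk lists a third BitLocker-related feature, BitLocker-NetworkUnlock; either say that Network Unlock is the server-side component and is intentionally left out here, or drop "complete" so the sentence matches the command. Also, "The Enable-WindowsOptionalFeature cmdlet doesn't offer support for forcing a reboot of the computer" is true, but the cmdlet does accept -NoRestart to suppress the reboot prompt, which is what an unattended install needs; that deserves a sentence, since the Install-WindowsFeature section above already documents -Restart for the opposite case.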
@ -20,7 +20,7 @@ ms.date: 02/28/2019
|
|||||||
ms.custom: bitlocker
|
ms.custom: bitlocker
|
||||||
---
|
---
|
||||||
|
|
||||||
# BitLocker: How to enable Network Unlock
|
# BitLocker: How to enable network unlock
|
||||||
|
|
||||||
**Applies to**
|
**Applies to**
|
||||||
|
|
||||||
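Review bot: the title change to "BitLocker: How to enable network unlock" lowercases the feature name, while the body of the same article keeps "Network Unlock" and its requirements list names the Windows feature as "BitLocker Network Unlock"; keep "Network Unlock" capitalized in the title to match the feature name and the rest of the article.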
@ -28,49 +28,48 @@ ms.custom: bitlocker
|
|||||||
- Windows 11
|
- Windows 11
|
||||||
- Windows Server 2016 and above
|
- Windows Server 2016 and above
|
||||||
|
|
||||||
This article for IT professionals describes how BitLocker Network Unlock works and how to configure it.
|
This topic describes how BitLocker network unlock works and how to configure it.
|
||||||
|
|
||||||
Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network Unlock helps you manage BitLocker-enabled desktops and servers in a domain environment by automatically unlocking operating system volumes when the system is rebooted and is connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware.
|
Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware.
|
||||||
|
Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). This can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers.
|
||||||
|
|
||||||
Without Network Unlock, operating system volumes that use TPM+PIN protectors require a PIN when a computer reboots or resumes after hibernation (for example, by Wake on LAN). For enterprises, this setup can make software patches difficult to roll out to unattended desktops and remotely administered servers.
|
Network unlock allows BitLocker-enabled systems that have a TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the Network Unlock feature needs the key to be composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session.
|
||||||
|
|
||||||
Network Unlock allows BitLocker-enabled systems that use TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works like the TPM+StartupKey at boot. But the StartupKey doesn't need to be read from USB media. Instead, the key for Network Unlock is composed from a key that's stored in the TPM and an encrypted network key that's sent to the server. It's decrypted and returned to the client in a secure session.
|
## <a href="" id="bkmk-nunlockcorereqs"></a>Network unlock core requirements
|
||||||
|
|
||||||
## <a href="" id="bkmk-nunlockcorereqs"></a>Network Unlock core requirements
|
Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain-joined systems. These requirements include:
|
||||||
|
|
||||||
Network Unlock requires the following mandatory hardware and software configurations before it can automatically unlock domain-joined systems:
|
- Windows 8 or Windows Server 2012 as the current operating system.
|
||||||
|
- Any supported operating system with UEFI DHCP drivers that can serve as Network Unlock clients.
|
||||||
|
- Network Unlock clients with a TPM chip and at least one TPM protector.
|
||||||
|
- A server running the Windows Deployment Services (WDS) role on any supported server operating system.
|
||||||
|
- BitLocker Network Unlock optional feature installed on any supported server operating system.
|
||||||
|
- A DHCP server, separate from the WDS server.
|
||||||
|
- Properly configured public/private key pairing.
|
||||||
|
- Network Unlock group policy settings configured.
|
||||||
|
|
||||||
- You must be running at least Windows 8 or Windows Server 2012.
|
The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus; therefore, you need to confirm that the network stack has been enabled in the BIOS before starting the computer.
|
||||||
- Any supported operating system that uses UEFI DHCP drivers can be a Network Unlock client.
|
|
||||||
- Network Unlock clients must have a TPM (trusted platform module) chip and at least one TPM protector.
|
|
||||||
- You must have a server running the Windows Deployment Services (WDS) role on any supported server operating system.
|
|
||||||
- The BitLocker Network Unlock optional feature can be installed on any supported server operating system.
|
|
||||||
- You must have a DHCP server, separate from the WDS server.
|
|
||||||
- You must have a properly configured public/private key pairing.
|
|
||||||
- Network Unlock Group Policy settings must be configured.
|
|
||||||
|
|
||||||
The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus. So confirm that the network stack has been enabled in the BIOS before you start the computer.
|
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> To properly support DHCP within UEFI, the UEFI-based system should be in native mode and shouldn't have a compatibility support module (CSM) enabled.
|
> To properly support DHCP within UEFI, the UEFI-based system should be in native mode and shouldn't have a compatibility support module (CSM) enabled.
|
||||||
|
|
||||||
On computers that run Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP. This adapter must be used for Network Unlock.
|
On computers that run Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP. This adapter must be used for Network Unlock.
|
||||||
|
|
||||||
Use this configuration especially when you have multiple adapters and you want to configure one without DHCP, such as for a lights-out management protocol. The configuration is necessary because Network Unlock stops enumerating adapters when it reaches an adapter that has a DHCP port that has failed for any reason. So if the first enumerated adapter doesn't support DHCP, isn't plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail.
|
For network unlock to work reliably on computers running Windows 8 and later versions, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and must be used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because network unlock stops enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock fails.
|
||||||
|
|
||||||
On supported versions of Windows Server 2012 and later, the Network Unlock server component installs as a Windows feature. It uses Server Manager or Windows PowerShell cmdlets. In Server Manager, the feature name is BitLocker Network Unlock. In Windows PowerShell, the feature name is BitLocker-NetworkUnlock. This feature is a core requirement.
|
The Network Unlock server component is installed on supported versions of Windows Server 2012 and later as a Windows feature that uses Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement.
|
||||||
|
|
||||||
Network Unlock requires WDS in the environment where the feature will be used. Configuration of the WDS installation isn't required. But the WDS service must be running on the server.
|
Network unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation is not required; however, the WDS service must be running on the server.
|
||||||
|
|
||||||
The network key is stored on the system drive along with an AES 256 session key. It's encrypted with the 2048-bit RSA public key of the unlock server's certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server that's running WDS. The network key is returned encrypted with its corresponding session key.
|
The network key is stored on the system drive along with an AES 256 session key and encrypted with the 2048-bit RSA public key of the Unlock server certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key.
|
||||||
|
|
||||||
## <a href="" id="bkmk-networkunlockseq"></a>Network Unlock sequence
|
## <a href="" id="bkmk-networkunlockseq"></a>Network Unlock sequence
|
||||||
|
|
||||||
The unlock sequence starts on the client side, when the Windows boot manager detects the existence of the Network Unlock protector. It uses the DHCP driver in UEFI to get an IP address for IPv4. Then it broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described earlier. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply.
|
The unlock sequence starts on the client side when the Windows boot manager detects the existence of network unlock protector. It leverages the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply.
|
||||||
|
|
||||||
On the server side, the WDS server role has an optional plug-in component, like a PXE (preboot execution environment) provider. The plug-in component handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions. These restrictions require the IP address that's provided by the client in the Network Unlock request to belong to a permitted subnet in order to release the network key to the client. If the Network Unlock provider is unavailable, then BitLocker fails over to the next available protector to unlock the drive. So in a typical configuration, the standard TPM+PIN unlock screen is presented to unlock the drive.
|
On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming network unlock requests. You can also configure the provider with subnet restrictions, which would require that the IP address provided by the client in the network unlock request belong to a permitted subnet to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, this means the standard TPM+PIN unlock screen is presented to unlock the drive.
|
||||||
|
|
||||||
The server-side configuration to enable Network Unlock requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate. The configuration also requires the public key certificate to be distributed to the clients.
|
The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate, and distributing the public key certificate to the clients. This certificate must be managed and deployed through the Group Policy editor directly on a domain controller with at least a Domain Functional Level of Windows Server 2012. This certificate is the public key that encrypts the intermediate network key (which is one of the two secrets required to unlock the drive; the other secret is stored in the TPM).
|
||||||
|
|
||||||
Manage and deploy this certificate through the Group Policy editor directly on a domain controller that has a domain functional level of at least Windows Server 2012. This certificate is the public key that encrypts the intermediate network key. The intermediate network key is one of the two secrets that are required to unlock the drive; the other secret is stored in the TPM.
|
Manage and deploy this certificate through the Group Policy editor directly on a domain controller that has a domain functional level of at least Windows Server 2012. This certificate is the public key that encrypts the intermediate network key. The intermediate network key is one of the two secrets that are required to unlock the drive; the other secret is stored in the TPM.
|
||||||
|
|
||||||
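Review bot: The new right-hand text now states the certificate deployment requirement twice. The rewritten server-side paragraph ("The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair ...") folds in "This certificate must be managed and deployed through the Group Policy editor directly on a domain controller with at least a Domain Functional Level of Windows Server 2012. This certificate is the public key that encrypts the intermediate network key ...", but the standalone paragraph "Manage and deploy this certificate through the Group Policy editor directly on a domain controller ..." is kept unchanged immediately after it. Drop one of the two so the TPM-plus-network-key split is explained once. Separately, "It leverages the DHCP driver" reads better as "It uses the DHCP driver", matching the plainer wording used elsewhere in the file.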
@ -81,8 +80,8 @@ The Network Unlock process follows these phases:
|
|||||||
1. The Windows boot manager detects a Network Unlock protector in the BitLocker configuration.
|
1. The Windows boot manager detects a Network Unlock protector in the BitLocker configuration.
|
||||||
2. The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address.
|
2. The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address.
|
||||||
3. The client computer broadcasts a vendor-specific DHCP request that contains:
|
3. The client computer broadcasts a vendor-specific DHCP request that contains:
|
||||||
- A network key (a 256-bit intermediate key) that's encrypted by the 2048-bit RSA public key of the Network Unlock certificate from the WDS server.
|
1. A network key (a 256-bit intermediate key) that is encrypted by using the 2048-bit RSA Public Key of the network unlock certificate from the WDS server.
|
||||||
- An AES-256 session key for the reply.
|
2. An AES-256 session key for the reply.
|
||||||
4. The Network Unlock provider on the WDS server recognizes the vendor-specific request.
|
4. The Network Unlock provider on the WDS server recognizes the vendor-specific request.
|
||||||
5. The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key.
|
5. The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key.
|
||||||
6. The WDS provider returns the network key encrypted with the session key by using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key.
|
6. The WDS provider returns the network key encrypted with the session key by using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key.
|
||||||
@ -90,13 +89,13 @@ The Network Unlock process follows these phases:
|
|||||||
8. This combined key is used to create an AES-256 key that unlocks the volume.
|
8. This combined key is used to create an AES-256 key that unlocks the volume.
|
||||||
9. Windows continues the boot sequence.
|
9. Windows continues the boot sequence.
|
||||||
|
|
||||||
## <a href="" id="bkmk-configuringnetworkunlock"></a>Configure Network Unlock
|
## <a href="" id="bkmk-configuringnetworkunlock"></a>Configure network unlock
|
||||||
|
|
||||||
The following steps allow an administrator to configure Network Unlock in a domain where the functional level is at least Windows Server 2012.
|
The following steps allow an administrator to configure network unlock in a domain where the Domain Functional Level is at least Windows Server 2012.
|
||||||
|
|
||||||
### <a href="" id="bkmk-installwdsrole"></a>Install the WDS server role
|
### <a href="" id="bkmk-installwdsrole"></a>Install the WDS server role
|
||||||
|
|
||||||
The BitLocker Network Unlock feature installs the WDS role if it's not already installed. If you want to install it separately before you install BitLocker Network Unlock, use Server Manager or Windows PowerShell. To install the role in Server Manager, select the **Windows Deployment Services** role.
|
The BitLocker network unlock feature installs the WDS role if it is not already installed. If you want to install it separately before you install BitLocker network unlock, you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager.
|
||||||
|
|
||||||
To install the role by using Windows PowerShell, use the following command:
|
To install the role by using Windows PowerShell, use the following command:
|
||||||
|
|
||||||
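Review bot: Casing of the feature name is inconsistent in the new text of this hunk and the following one. The heading becomes "Configure network unlock" and the body says "The BitLocker network unlock feature installs the WDS role", while the retained headings "Install the Network Unlock feature" and "Create the certificate template for Network Unlock" and the feature label **BitLocker Network Unlock** keep title case. Pick one form (the Server Manager feature is named "BitLocker Network Unlock") and apply it throughout, and likewise decide between "Domain Functional Level" and "domain functional level", which this hunk changes to capitalised while the rest of the file uses lowercase.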
@ -104,51 +103,51 @@ To install the role by using Windows PowerShell, use the following command:
|
|||||||
Install-WindowsFeature WDS-Deployment
|
Install-WindowsFeature WDS-Deployment
|
||||||
```
|
```
|
||||||
|
|
||||||
Configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Domain Services) and the client computer. Use the WDS management tool, `wdsmgmt.msc`. This tool starts the Windows Deployment Services Configuration Wizard.
|
You must configure the WDS server so that it can communicate with DHCP (and optionally AD DS) and the client computer. You can configure using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration wizard.
|
||||||
|
|
||||||
### <a href="" id="bkmk-confirmwdsrunning"></a>Confirm the WDS service is running
|
### <a href="" id="bkmk-confirmwdsrunning"></a>Confirm the WDS service is running
|
||||||
|
|
||||||
To confirm the WDS service is running, use the Services Management console or Windows PowerShell. To confirm the service is running in the Services Management console, open the console by using `services.msc`. Then check the status of the WDS service.
|
To confirm that the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm that the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service.
|
||||||
|
|
||||||
To confirm the service is running by using Windows PowerShell, use the following command:
|
To confirm that the service is running using Windows PowerShell, use the following command:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Get-Service WDSServer
|
Get-Service WDSServer
|
||||||
```
|
```
|
||||||
### <a href="" id="bkmk-installnufeature"></a>Install the Network Unlock feature
|
### <a href="" id="bkmk-installnufeature"></a>Install the Network Unlock feature
|
||||||
|
|
||||||
To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature in the Server Manager console, select **BitLocker Network Unlock**.
|
To install the network unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console.
|
||||||
|
|
||||||
To install the feature by using Windows PowerShell, use the following command:
|
To install the feature by using Windows PowerShell, use the following command:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Install-WindowsFeature BitLocker-NetworkUnlock
|
Install-WindowsFeature BitLocker-NetworkUnlock
|
||||||
```
|
```
|
||||||
### <a href="" id="bkmk-createcerttmpl"></a>Create the certificate template for Network Unlock
|
### <a href="" id="bkmk-createcerttmpl"><a/>Create the certificate template for Network Unlock
|
||||||
|
|
||||||
A properly configured Active Directory Services Certification Authority can use the certificate template to create and issue Network Unlock certificates. To create a certificate template:
|
A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates.
|
||||||
|
|
||||||
1. Open the certificate template snap-in (`certtmpl.msc`).
|
1. Open the Certificates Template snap-in (certtmpl.msc).
|
||||||
2. Locate the user template. Right-click the template name, and then select **Duplicate Template**.
|
2. Locate the User template, right-click the template name and select **Duplicate Template**.
|
||||||
3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to **Windows Server 2012** and **Windows 8**, respectively. Ensure **Show resulting changes** is selected.
|
3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8, respectively. Ensure that the **Show resulting changes** dialog box is selected.
|
||||||
4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the check box for **Publish certificate in Active Directory**.
|
4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the check box for the **Publish certificate in Active Directory** option.
|
||||||
5. Select the **Request Handling** tab. In the **Purpose** drop-down menu, select **Encryption**. Ensure the **Allow private key to be exported** option is selected.
|
5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop-down menu. Ensure that the **Allow private key to be exported** option is selected.
|
||||||
6. Select the **Cryptography** tab. Set the **Minimum key size** to **2048**. (For this template, you can use any Microsoft cryptographic provider that supports RSA. But for simplicity and forward compatibility, we recommend using **Microsoft Software Key Storage Provider**.)
|
6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility, we recommend using **Microsoft Software Key Storage Provider**.)
|
||||||
7. Select **Requests must use one of the following providers**. Then clear all options except for your selected cryptography provider, such as the **Microsoft Software Key Storage Provider**.
|
7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider you selected, such as **Microsoft Software Key Storage Provider**.
|
||||||
8. Select the **Subject Name** tab. Select **Supply in the request**. If the certificate templates dialog box appears, select **OK**.
|
8. Select the **Subject Name** tab. Select **Supply in the request**. Click **OK** if the certificate templates pop-up dialog appears.
|
||||||
9. Select the **Issuance Requirements** tab. Then select both **CA certificate manager approval** and **Valid existing certificate**.
|
9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options.
|
||||||
10. Select the **Extensions** tab. Then select **Application Policies** > **Edit**.
|
10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**.
|
||||||
11. In the **Edit Application Policies Extension** dialog box, select **Client Authentication**, **Encrypting File System**, and **Secure Email**. Then choose **Remove**.
|
11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**.
|
||||||
12. In the **Edit Application Policies Extension** dialog box, select **Add**.
|
12. On the **Edit Application Policies Extension** dialog box, select **Add**.
|
||||||
13. In the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided, and then select **OK** to create the BitLocker Network Unlock application policy.
|
13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy:
|
||||||
|
|
||||||
- **Name**: **BitLocker Network Unlock**
|
- **Name:** **BitLocker Network Unlock**
|
||||||
- **Object Identifier**: **1.3.6.1.4.1.311.67.1.1**
|
- **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**
|
||||||
|
|
||||||
14. Select the newly created **BitLocker Network Unlock** application policy, and then select **OK**.
|
14. Select the newly created **BitLocker Network Unlock** application policy and click **OK**.
|
||||||
15. With the **Extensions** tab still open, select **Edit Key Usage Extension**, and then select **Allow key exchange only with key encryption (key encipherment)**. Then select **Make this extension critical**.
|
15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog. Select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
|
||||||
16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
|
16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
|
||||||
17. Select **OK** to complete configuration of the template.
|
17. Click **OK** to complete configuration of the template.
|
||||||
|
|
||||||
To add the Network Unlock template to the certificate authority, open the certificate authority snap-in (`certsrv.msc`). Right-click **Certificate Templates**, and then choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
|
To add the Network Unlock template to the certificate authority, open the certificate authority snap-in (`certsrv.msc`). Right-click **Certificate Templates**, and then choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
|
||||||
|
|
||||||
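Review bot: The heading "### <a href="" id="bkmk-createcerttmpl"><a/>Create the certificate template for Network Unlock" replaces the closing tag with a self-closing `<a/>`, which leaves the anchor element unclosed and differs from every other heading in the file (`<a href="" id="bkmk-confirmwdsrunning"></a>`, `<a href="" id="bkmk-installnufeature"></a>`). Restore `</a>`. Also in this hunk, snap-in and console names lose their code formatting inconsistently: "wdsmgmt.msc" becomes plain text, "services.msc" becomes bold, "certtmpl.msc" is plain, yet the retained line further down still uses backticks for `certsrv.msc`; use backticks for all of them. Finally, "Ensure that the **Show resulting changes** dialog box is selected" should say "check box", since it is a check box on the Compatibility tab, not a dialog.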
@ -159,7 +158,6 @@ After you add the Network Unlock template to the certificate authority, you can
|
|||||||
Network Unlock can use imported certificates from an existing public key infrastructure (PKI). Or it can use a self-signed certificate.
|
Network Unlock can use imported certificates from an existing public key infrastructure (PKI). Or it can use a self-signed certificate.
|
||||||
|
|
||||||
To enroll a certificate from an existing certificate authority:
|
To enroll a certificate from an existing certificate authority:
|
||||||
|
|
||||||
1. On the WDS server, open Certificate Manager by using `certmgr.msc`.
|
1. On the WDS server, open Certificate Manager by using `certmgr.msc`.
|
||||||
2. Under **Certificates - Current User**, right-click **Personal**.
|
2. Under **Certificates - Current User**, right-click **Personal**.
|
||||||
3. Select **All Tasks** > **Request New Certificate**.
|
3. Select **All Tasks** > **Request New Certificate**.
|
||||||
@ -170,12 +168,14 @@ To enroll a certificate from an existing certificate authority:
|
|||||||
7. Create the certificate. Ensure the certificate appears in the **Personal** folder.
|
7. Create the certificate. Ensure the certificate appears in the **Personal** folder.
|
||||||
8. Export the public key certificate for Network Unlock:
|
8. Export the public key certificate for Network Unlock:
|
||||||
|
|
||||||
1. Create a *.cer* file by right-clicking the previously created certificate and choosing **All Tasks** > **Export**.
|
1. Create a .cer file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**.
|
||||||
2. Select **No, do not export the private key**.
|
2. Select **No, do not export the private key**.
|
||||||
3. Select **DER encoded binary X.509**, and then finish exporting the certificate to a file.
|
3. Select **DER encoded binary X.509** and complete exporting the certificate to a file.
|
||||||
4. Give the file a name, such as *BitLocker-NetworkUnlock.cer*.
|
4. Give the file a name such as BitLocker-NetworkUnlock.cer.
|
||||||
9. Export the public key with a private key for Network Unlock:
|
|
||||||
1. Create a *.pfx* file by right-clicking the previously created certificate. Then choose **All Tasks** > **Export**.
|
9. Export the public key with a private key for Network Unlock.
|
||||||
|
|
||||||
|
1. Create a .pfx file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**.
|
||||||
2. Select **Yes, export the private key**.
|
2. Select **Yes, export the private key**.
|
||||||
3. Complete the steps to create the *.pfx* file.
|
3. Complete the steps to create the *.pfx* file.
|
||||||
|
|
||||||
@ -189,7 +189,7 @@ New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=
|
|||||||
|
|
||||||
Here's a `certreq` example:
|
Here's a `certreq` example:
|
||||||
|
|
||||||
1. Create a text file that has an *.inf* extension. For example, *notepad.exe* *BitLocker-NetworkUnlock.inf*.
|
1. Create a text file with an .inf extension, for example, notepad.exe BitLocker-NetworkUnlock.inf.
|
||||||
2. Add the following contents to the previously created file:
|
2. Add the following contents to the previously created file:
|
||||||
|
|
||||||
```ini
|
```ini
|
||||||
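Review bot: In "Create a text file with an .inf extension, for example, notepad.exe BitLocker-NetworkUnlock.inf." the command and file name lose their formatting and now read as ordinary prose; put the example command in backticks (`notepad.exe BitLocker-NetworkUnlock.inf`) so it is visibly something to type, consistent with the fenced `certreq` command that follows in the next hunk.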
@ -216,60 +216,56 @@ Here's a `certreq` example:
|
|||||||
```cmd
|
```cmd
|
||||||
certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
|
certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
|
||||||
```
|
```
|
||||||
|
4. Verify that certificate was properly created by the previous command by confirming that the .cer file exists.
|
||||||
4. Verify the previous command properly created the certificate by confirming the *.cer* file exists.
|
5. Launch Certificates - Local Machine by running **certlm.msc**.
|
||||||
5. Launch **Certificates - Local Machine** by running `certlm.msc`.
|
6. Create a .pfx file by opening the **Certificates – Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, and then selecting **Export**. Follow through the wizard to create the .pfx file.
|
||||||
6. Create a *.pfx* file by opening the *Certificates – Local Computer\\Personal\\Certificates* path in the navigation pane. Right-click the previously imported certificate, and then select **All Tasks** > **Export**. Follow through the steps to create the *.pfx* file.
|
|
||||||
|
|
||||||
### <a href="" id="bkmk-deploycert"></a>Deploy the private key and certificate to the WDS server
|
### <a href="" id="bkmk-deploycert"></a>Deploy the private key and certificate to the WDS server
|
||||||
|
|
||||||
Now that you've created the certificate and key, deploy them to the infrastructure to properly unlock systems. To deploy the certificates:
|
Now that you've created the certificate and key, deploy them to the infrastructure to properly unlock systems. To deploy the certificates:
|
||||||
|
|
||||||
1. On the WDS server, open a new Microsoft Management Console (MMC), and then add the certificates snap-in. When you're prompted, select the computer account and local computer.
|
1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options.
|
||||||
2. Right-click **Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock**, and then choose **All Tasks** > **Import**.
|
2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item -, select **All Tasks**, and then select **Import**.
|
||||||
3. In the **File to Import** dialog box, choose the *.pfx* file that you created previously.
|
3. In the **File to Import** dialog, choose the .pfx file created previously.
|
||||||
4. Enter the password that you used to create the *.pfx* file, and finish the steps.
|
4. Enter the password used to create the .pfx and complete the wizard.
|
||||||
|
|
||||||
### Configure Group Policy settings for Network Unlock
|
### Configure group policy settings for network unlock
|
||||||
|
|
||||||
You've now deployed the certificate and key to the WDS server for Network Unlock. In the final step, you'll use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock by using the Network Unlock key. Find Group Policy settings for BitLocker in *\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption* by using the Local Group Policy Editor or the MMC.
|
With certificate and key deployed to the WDS server for Network Unlock, the final step is to use group policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console.
|
||||||
|
|
||||||
To enable the Group Policy setting that's required to configure Network Unlock:
|
The following steps describe how to enable the group policy setting that is a requirement for configuring network unlock.
|
||||||
|
|
||||||
1. Open Group Policy Management Console (`gpmc.msc`).
|
1. Open Group Policy Management Console (`gpmc.msc`).
|
||||||
2. Enable the policy **Require additional authentication at startup**, and then select **Require startup PIN with TPM** or **Allow startup PIN with TPM**.
|
2. Enable the policy **Require additional authentication at startup**, and then select **Require startup PIN with TPM** or **Allow startup PIN with TPM**.
|
||||||
3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
|
3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
|
||||||
|
|
||||||
To deploy the required Group Policy setting:
|
The following steps describe how to deploy the required group policy setting:
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
|
> The group policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
|
||||||
|
|
||||||
1. Copy the *.cer* file that you created for Network Unlock to the domain controller.
|
1. Copy the *.cer* file that you created for Network Unlock to the domain controller.
|
||||||
2. On the domain controller, open Group Policy Management Console (`gpmc.msc`).
|
2. On the domain controller, open Group Policy Management Console (`gpmc.msc`).
|
||||||
3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting.
|
3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting.
|
||||||
4. Deploy the public certificate to clients:
|
4. Deploy the public certificate to clients:
|
||||||
|
1. Within group policy management console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**.
|
||||||
1. In Group Policy Management Console, go to *Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate*.
|
2. Right-click the folder and select **Add Network Unlock Certificate**.
|
||||||
2. Right-click the folder, and then choose **Add Network Unlock Certificate**.
|
3. Follow the wizard steps and import the .cer file that was copied earlier.
|
||||||
3. Follow the steps and import the *.cer* file that you copied earlier.
|
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Only one network unlock certificate can be available at a time. If you need a new certificate, delete the current certificate before you deploy a new one. The Network Unlock certificate is located in the *HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP* key on the client computer.
|
> Only one network unlock certificate can be available at a time. If you need a new certificate, delete the current certificate before you deploy a new one. The Network Unlock certificate is located in the *HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP* key on the client computer.
|
||||||
|
|
||||||
5. Reboot the clients after you deploy the Group Policy.
|
5. Reboot the clients after you deploy the Group Policy.
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> The **Network (Certificate Based)** protector is added only after a reboot where the policy is enabled and a valid certificate is present in the FVE_NKP store.
|
> The **Network (Certificate Based)** protector will be added only after a reboot, with the policy enabled and a valid certificate present in the FVE_NKP store.
|
||||||
|
|
||||||
### Subnet policy configuration files on the WDS server (optional)
|
### Subnet policy configuration files on the WDS server (optional)
|
||||||
|
|
||||||
By default, the server unlocks clients that have the correct Network Unlock certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP. You can create a subnet policy configuration file on the WDS server to limit the subnets that Network Unlock clients can use for unlocking.
|
By default, all clients with the correct network unlock certificate and valid Network Unlock protectors that have wired access to a network unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which are the subnet(s) the network unlock clients can use to unlock.
|
||||||
|
|
||||||
The configuration file, called *bde-network-unlock.ini*, must be located in the same directory as the Network Unlock provider dynamic-link library (*%windir%\System32\Nkpprov.dll*). The configuration file applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, then the provider fails and stops responding to requests.
|
The configuration file, called bde-network-unlock.ini, must be located in the same directory as the network unlock provider DLL (%windir%\System32\Nkpprov.dll) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider fails and stops responding to requests.
|
||||||
|
|
||||||
The subnet policy configuration file must use a `[SUBNETS]` section to identify the specific subnets. You can then use the named subnets to specify restrictions in certificate subsections.
|
The subnet policy configuration file must use a “\[SUBNETS\]” section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name–value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word “ENABLED” is disallowed for subnet names.
|
||||||
|
|
||||||
Subnets are defined as simple name-value pairs, in the common INI format. In this format, each subnet has its own line. The name is on the left of the equals sign. The subnet on the right of the equals sign is a Classless Interdomain Routing (CIDR) address or range. The keyword `ENABLED` is disallowed for subnet names.
|
|
||||||
|
|
||||||
```ini
|
```ini
|
||||||
[SUBNETS]
|
[SUBNETS]
|
||||||
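Review bot: "Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item -, select **All Tasks**" contains a stray " -," and drops the bold that marks the store name as a UI label; suggest "Right-click **Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock**, select **All Tasks**, and then select **Import**." Two other wording slips in this hunk: "Verify that certificate was properly created" is missing "the", and "to limit which are the subnet(s) the network unlock clients can use to unlock" is garbled; "to limit the subnets from which network unlock clients can be unlocked" says the same thing. Also, "\[SUBNETS\]" is wrapped in curly quotes here while the INI sample below uses a literal `[SUBNETS]` header; use backticks for the section name so readers copy the exact token.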
@ -278,19 +274,13 @@ SUBNET2=10.185.252.200/28
|
|||||||
SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet
|
SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet
|
||||||
SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP.
|
SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP.
|
||||||
```
|
```
|
||||||
|
Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define the subnets clients that can be unlocked from that certificate.
|
||||||
Following the `[SUBNETS]` section are sections for each Network Unlock certificate. A certificate is identified by the certificate thumbprint, which is formatted without any spaces. These sections define subnet clients that you can unlock by using that certificate.
|
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> When you specify the certificate thumbprint, don't include spaces. Thumbprints that include spaces aren't recognized as valid. The spaces will cause the subnet configuration to fail.
|
> When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint, the subnet configuration fails because the thumbprint will not be recognized as valid.
|
||||||
|
|
||||||
Each certificate section defines subnet restrictions by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate has no section in the subnet policy configuration file, then no subnet unlocking restrictions are applied for that certificate.
|
Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every network unlock certificate on the server, and an explicit allowed list set for each certificate section.
|
||||||
|
Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon.
|
||||||
So to apply restrictions to every certificate, you must add a certificate section for every Network Unlock certificate on the server. And you must add an explicit allow list set for each certificate section.
|
|
||||||
|
|
||||||
Create subnet lists by putting the name of a subnet from the `[SUBNETS]` section on its own line below the certificate section header. Then, the server will unlock clients that have this certificate only on the subnets that the list specifies.
|
|
||||||
|
|
||||||
To troubleshoot, you can quickly exclude a subnet without deleting it from the section. Just comment it out by using a prepended semicolon.
|
|
||||||
|
|
||||||
```ini
|
```ini
|
||||||
[2158a767e1c14e88e27a4c0aee111d2de2eafe60]
|
[2158a767e1c14e88e27a4c0aee111d2de2eafe60]
|
||||||
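Review bot: in the new "Subnet lists are created…" paragraph the phrase "on the subnet(s) specified as in the list" is ungrammatical; suggest "on the subnets that the list specifies". The same paragraph also drops the code formatting on `[SUBNETS]` (now `\[SUBNETS\]`); keep it in backticks so it matches the `[2158a767e1c14e88e27a4c0aee111d2de2eafe60]` section header in the ini block below, since readers copy these section names literally into the policy file.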
@ -305,29 +295,30 @@ To disallow the use of a certificate altogether, add a `DISABLED` line to its su
|
|||||||
|
|
||||||
## <a href="" id="bkmk-turnoffnetworkunlock"></a>Turn off Network Unlock
|
## <a href="" id="bkmk-turnoffnetworkunlock"></a>Turn off Network Unlock
|
||||||
|
|
||||||
To turn off the unlock server, you can unregister the PXE provider from the WDS server or uninstall it altogether. However, to stop clients from creating Network Unlock protectors, you should disable the **Allow Network Unlock at startup** Group Policy setting. When you disable this policy setting on client computers, any Network Unlock key protectors on the computer are deleted. Alternatively, you can delete the BitLocker Network Unlock certificate policy on the domain controller to accomplish the same task for an entire domain.
|
|
||||||
|
To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating network unlock protectors, the **Allow Network Unlock at startup** group policy setting should be disabled. When this policy setting is updated to **disabled** on client computers, any Network Unlock key protector on the computer is deleted. Alternatively, the BitLocker network unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server's ability to respond to unlock requests for that certificate. However, this condition is seen as an error. It's not a supported or recommended method for turning off the Network Unlock server.
|
> Removing the FVE_NKP certificate store that contains the network unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the network unlock server.
|
||||||
|
|
||||||
## <a href="" id="bkmk-updatecerts"></a>Update Network Unlock certificates
|
## <a href="" id="bkmk-updatecerts"></a>Update Network Unlock certificates
|
||||||
|
|
||||||
To update the certificates that Network Unlock uses, administrators need to import or generate the new certificate for the server. Then they must update the Network Unlock certificate Group Policy setting on the domain controller.
|
To update the certificates used by network unlock, administrators need to import or generate the new certificate for the server and then update the network unlock certificate group policy setting on the domain controller.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Servers that don't receive the Group Policy Object (GPO) will require a PIN when they boot. In such cases, find out why the server didn't receive the GPO to update the certificate.
|
> Servers that don't receive the Group Policy Object (GPO) will require a PIN when they boot. In such cases, find out why the server didn't receive the GPO to update the certificate.
|
||||||
|
|
||||||
## <a href="" id="bkmk-troubleshoot"></a>Troubleshoot Network Unlock
|
## <a href="" id="bkmk-troubleshoot"></a>Troubleshoot Network Unlock
|
||||||
|
|
||||||
To troubleshoot Network Unlock problems, begin by verifying the environment. Often, a small configuration issue is the root cause of the failure. Verify these items:
|
Troubleshooting network unlock issues begins by verifying the environment. Many times, a small configuration issue can be the root cause of the failure. Items to verify include:
|
||||||
|
|
||||||
- Client hardware is based on UEFI and uses firmware version 2.3.1, and the UEFI firmware is in native mode and has no compatibility support module (CSM) for BIOS mode enabled. Verify this configuration by ensuring that the firmware has no enabled option such as **Legacy mode** or **Compatibility mode** and that the firmware doesn't appear to be in a BIOS-like mode.
|
- Verify that the client hardware is UEFI-based and is on firmware version 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Do this by checking that the firmware does not have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware does not appear to be in a BIOS-like mode.
|
||||||
- All required roles and services are installed and started.
|
- All required roles and services are installed and started.
|
||||||
- Public and private certificates have been published and are in the proper certificate containers. Verify the presence of the Network Unlock certificate by using Microsoft Management Console (*MMC.exe*) on the WDS server. The certificate snap-ins for the local computer should be enabled. Verify the client certificate by checking the registry key *HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP* on the client computer.
|
- Public and private certificates have been published and are in the proper certificate containers. The presence of the network unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** on the client computer.
|
||||||
- Group Policy for Network Unlock is enabled and linked to the appropriate domains.
|
- Group policy for network unlock is enabled and linked to the appropriate domains.
|
||||||
- Group Policy is reaching the clients properly. Verify this functionality by using the *GPRESULT.exe* utility or the *RSOP.msc* utility.
|
- Verify whether group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities.
|
||||||
- The clients were rebooted after the policy was applied.
|
- Verify whether the clients were rebooted after applying the policy.
|
||||||
- The **Network (Certificate Based)** protector is listed on the client. Check for this protector by using either `manage-bde` or Windows PowerShell cmdlets. For example, the following command lists the key protectors that are currently configured on drive C on the local computer.
|
- Verify whether the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example, the following command will list the key protectors currently configured on the C: drive of the local computer:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
manage-bde -protectors -get C:
|
manage-bde -protectors -get C:
|
||||||
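Review bot: the rewritten UEFI check in the troubleshooting list joins its two conditions with "or" ("does not have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware does not appear to be in a BIOS-like mode"), but both conditions have to hold for Network Unlock to work, and the old wording correctly had "and"; suggest "and that the firmware does not appear to be in a BIOS-like mode". Smaller points in the same hunk: the note under "Turn off Network Unlock" now carries a curly apostrophe ("server’s"), and in a list introduced by "Items to verify include:" the items that begin "Verify whether…" double the verb, so "Group policy is reaching the clients properly" reads better.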
@ -350,7 +341,6 @@ Gather the following files to troubleshoot BitLocker Network Unlock.
|
|||||||
|
|
||||||
1. In the left pane, select **Applications and Services Logs** > **Microsoft** > **Windows** > **Deployment-Services-Diagnostics** > **Debug**.
|
1. In the left pane, select **Applications and Services Logs** > **Microsoft** > **Windows** > **Deployment-Services-Diagnostics** > **Debug**.
|
||||||
1. In the right pane, select **Enable Log**.
|
1. In the right pane, select **Enable Log**.
|
||||||
|
|
||||||
- The DHCP subnet configuration file (if one exists).
|
- The DHCP subnet configuration file (if one exists).
|
||||||
- The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`.
|
- The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`.
|
||||||
- The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address.
|
- The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address.
|
||||||
@ -366,12 +356,12 @@ Your system must meet these requirements:
|
|||||||
|
|
||||||
Follow these steps to configure Network Unlock on these older systems.
|
Follow these steps to configure Network Unlock on these older systems.
|
||||||
|
|
||||||
1. [Install the WDS server role.](#bkmk-installwdsrole)
|
1. [Install the WDS Server role](#bkmk-installwdsrole)
|
||||||
2. [Confirm the WDS service is running.](#bkmk-confirmwdsrunning)
|
2. [Confirm the WDS Service is running](#bkmk-confirmwdsrunning)
|
||||||
3. [Install the Network Unlock feature.](#bkmk-installnufeature)
|
3. [Install the Network Unlock feature](#bkmk-installnufeature)
|
||||||
4. [Create the Network Unlock certificate.](#bkmk-createcert)
|
4. [Create the Network Unlock certificate](#bkmk-createcert)
|
||||||
5. [Deploy the private key and certificate to the WDS server.](#bkmk-deploycert)
|
5. [Deploy the private key and certificate to the WDS server](#bkmk-deploycert)
|
||||||
6. Configure registry settings for Network Unlock:
|
6. Configure registry settings for network unlock:
|
||||||
|
|
||||||
Apply the registry settings by running the following `certutil` script (assuming your Network Unlock certificate file is called *BitLocker-NetworkUnlock.cer*) on each computer that runs a client operating system that's designated in the "Applies to" list at the beginning of this article.
|
Apply the registry settings by running the following `certutil` script (assuming your Network Unlock certificate file is called *BitLocker-NetworkUnlock.cer*) on each computer that runs a client operating system that's designated in the "Applies to" list at the beginning of this article.
|
||||||
|
|
||||||
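Review bot: capitalization is inconsistent within this step list: steps 3 to 5 say "Network Unlock feature" and "Network Unlock certificate" while step 6 says "registry settings for network unlock", and step 1 now has "WDS Server role" against "WDS server" in step 5. Pick one form (the headings in this file use "Network Unlock" and "WDS server") and apply it to all six steps.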
@ -387,7 +377,7 @@ Follow these steps to configure Network Unlock on these older systems.
|
|||||||
```
|
```
|
||||||
|
|
||||||
7. Set up a TPM protector on the clients.
|
7. Set up a TPM protector on the clients.
|
||||||
8. Reboot the clients to add the **Network (Certificate Based)** protector.
|
8. Reboot the clients to add the Network (certificate based) protector.
|
||||||
|
|
||||||
## See also
|
## See also
|
||||||
|
|
||||||
|
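Review bot: step 8 drops the bold and the capitalization on the protector name ("Network (certificate based) protector"), but the troubleshooting list earlier in this file still writes it as **Network (Certificate Based)**, which is the form readers are told to look for in the `manage-bde -protectors -get C:` output. Keep the bold, capitalized form here so the two places match.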
@ -21,18 +21,14 @@ Sometimes, following a crash, you might be unable to successfully boot into your
|
|||||||
If you've entered the correct BitLocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to break out of the loop.
|
If you've entered the correct BitLocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to break out of the loop.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Only try these steps after you have restarted your device at least once.
|
> Try these steps only after you have restarted your device at least once.
|
||||||
|
|
||||||
1. On the initial recovery screen, don't enter your recovery key. Instead, select **Skip this drive**.
|
1. On the initial recovery screen, don't enter your recovery key, instead, select **Skip this drive**.
|
||||||
|
|
||||||
1. On the next screen, select **Troubleshoot**.
|
2. Navigate to **Troubleshoot** > **Advanced options**, and select **Command prompt**.
|
||||||
|
|
||||||
1. On the Troubleshoot screen, select **Advanced options**.
|
3. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp <recovery password>`
|
||||||
|
|
||||||
1. On the Advanced options screen, select **Command prompt**.
|
4. Suspend operating system drive protection: `manage-bde.exe -protectors -disable C:`
|
||||||
|
|
||||||
1. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp <recovery password>`
|
5. Once the last command is run, you can exit the command prompt and continue to boot into your operating system.
|
||||||
|
|
||||||
1. Suspend operating system drive protection: `manage-bde.exe -protectors -disable C:`
|
|
||||||
|
|
||||||
1. Once the last command is run, you can safely exit the command prompt and continue to boot into your operating system
|
|
||||||
|
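Review bot: step 4 suspends operating system drive protection with `manage-bde.exe -protectors -disable C:` and step 5 then ends the procedure, so neither the old nor the new version tells the reader to confirm that protection is back on once the operating system has booted; suggest a closing sentence that points at `manage-bde -status` to check the drive before the device goes back into use. Also, step 1 now has a comma splice ("don't enter your recovery key, instead, select **Skip this drive**"); the old "don't enter your recovery key. Instead, select" was correct.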
@ -28,7 +28,7 @@ ms.custom: bitlocker
|
|||||||
- Windows 11
|
- Windows 11
|
||||||
- Windows Server 2016 and above
|
- Windows Server 2016 and above
|
||||||
|
|
||||||
This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer.
|
This topic describes how to use the BitLocker Recovery Password Viewer.
|
||||||
|
|
||||||
The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets you locate and view BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. You can also search for a password by password identifier (ID).
|
The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets you locate and view BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. You can also search for a password by password identifier (ID).
|
||||||
|
|
||||||
@ -38,7 +38,7 @@ To complete the procedures in this scenario:
|
|||||||
|
|
||||||
- You must have domain administrator credentials.
|
- You must have domain administrator credentials.
|
||||||
- Your test computers must be joined to the domain.
|
- Your test computers must be joined to the domain.
|
||||||
- On the test computers, BitLocker must have been turned on after joining the domain.
|
- On the domain-joined test computers, BitLocker must have been turned on.
|
||||||
|
|
||||||
The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer.
|
The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer.
|
||||||
|
|
||||||
|
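Review bot: the reworded prerequisite "On the domain-joined test computers, BitLocker must have been turned on" loses the ordering the old line stated, that BitLocker must be turned on *after* the computer joins the domain. That ordering is the real requirement: the tool described above reads recovery passwords from AD DS, and they are only there if BitLocker was enabled while the machine was already domain-joined. Suggest "BitLocker must have been turned on after the test computers joined the domain."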
@ -18,12 +18,12 @@ ms.custom: bitlocker
|
|||||||
|
|
||||||
# BitLocker cannot encrypt a drive: known issues
|
# BitLocker cannot encrypt a drive: known issues
|
||||||
|
|
||||||
This article describes common issues that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
|
This article describes common issues that prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> If you have determined that your BitLocker issue involves the Trusted Platform Module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
|
> If you have determined that your BitLocker issue involves the trusted platform module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
|
||||||
|
|
||||||
## Error 0x80310059: BitLocker Drive Encryption is already performing an operation on this drive
|
## Error 0x80310059: BitLocker drive encryption is already performing an operation on this drive
|
||||||
|
|
||||||
When you turn on BitLocker Drive Encryption on a computer that is running Windows 10 Professional or Windows 11, you receive a message that resembles the following:
|
When you turn on BitLocker Drive Encryption on a computer that is running Windows 10 Professional or Windows 11, you receive a message that resembles the following:
|
||||||
|
|
||||||
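Review bot: the heading "Error 0x80310059: BitLocker drive encryption is already performing an operation on this drive" quotes an error message, and the unchanged paragraph right below it still says "When you turn on BitLocker Drive Encryption", so lowercasing "drive encryption" in the heading alters the quoted string and is inconsistent with the surrounding text; keep "BitLocker Drive Encryption", and likewise keep "Trusted Platform Module (TPM)" in the note, as both are proper names. Separately, "issues that prevent BitLocker from encrypting a drive" is stronger than the old "may prevent"; the hedge was accurate and should stay.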
@ -31,7 +31,7 @@ When you turn on BitLocker Drive Encryption on a computer that is running Window
|
|||||||
|
|
||||||
### Cause
|
### Cause
|
||||||
|
|
||||||
This issue may be caused by settings that are controlled by Group Policy Objects (GPOs).
|
This issue may be caused by settings that are controlled by group policy objects (GPOs).
|
||||||
|
|
||||||
### Resolution
|
### Resolution
|
||||||
|
|
||||||
@ -49,7 +49,7 @@ To resolve this issue, follow these steps:
|
|||||||
- **OSPlatformValidation\_UEFI**
|
- **OSPlatformValidation\_UEFI**
|
||||||
- **PlatformValidation**
|
- **PlatformValidation**
|
||||||
|
|
||||||
1. Exit Registry Editor, and turn on BitLocker Drive Encryption again.
|
1. Exit registry editor, and turn on BitLocker drive encryption again.
|
||||||
|
|
||||||
## "Access is denied" message when you try to encrypt removable drives
|
## "Access is denied" message when you try to encrypt removable drives
|
||||||
|
|
||||||
@ -69,7 +69,7 @@ You receive this message on any computer that runs Windows 10 version 1709 or ve
|
|||||||
|
|
||||||
### Cause
|
### Cause
|
||||||
|
|
||||||
The security descriptor of the BitLocker Drive Encryption service (BDESvc) has an incorrect entry. Instead of NT AUTHORITY\Authenticated Users, the security descriptor uses NT AUTHORITY\INTERACTIVE.
|
The security descriptor of the BitLocker drive encryption service (BDESvc) has an incorrect entry. Instead of NT AUTHORITY\Authenticated Users, the security descriptor uses NT AUTHORITY\INTERACTIVE.
|
||||||
|
|
||||||
To verify that this issue has occurred, follow these steps:
|
To verify that this issue has occurred, follow these steps:
|
||||||
|
|
||||||
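Review bot: "BitLocker drive encryption service (BDESvc)" lowercases the service's display name, which readers need to match against the Services console and the security descriptor output the following steps examine; keep "BitLocker Drive Encryption service (BDESvc)".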
@ -89,7 +89,7 @@ To verify that this issue has occurred, follow these steps:
|
|||||||
|
|
||||||

|

|
||||||
|
|
||||||
If you see NT AUTHORITY\INTERACTIVE (as highlighted), in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following:
|
If you see NT AUTHORITY\INTERACTIVE (as highlighted) in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following:
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
|
@ -18,14 +18,14 @@ ms.custom: bitlocker
|
|||||||
|
|
||||||
# BitLocker cannot encrypt a drive: known TPM issues
|
# BitLocker cannot encrypt a drive: known TPM issues
|
||||||
|
|
||||||
This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
|
This article describes common issues that affect the Trusted Platform Module (TPM) that might prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
|
> If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
|
||||||
|
|
||||||
## The TPM is locked and you see "The TPM is defending against dictionary attacks and is in a time-out period"
|
## The TPM is locked and you see "The TPM is defending against dictionary attacks and is in a time-out period"
|
||||||
|
|
||||||
When you turn on BitLocker Drive Encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
|
When you turn on BitLocker drive encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
|
||||||
|
|
||||||
### Cause
|
### Cause
|
||||||
|
|
||||||
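Review bot: "common issues that affect the Trusted Platform Module (TPM) that might prevent BitLocker from encrypting a drive" stacks two relative clauses on one noun; suggest "issues that affect the Trusted Platform Module (TPM) and that might prevent BitLocker from encrypting a drive". The lowercased "BitLocker drive encryption" in the paragraph under the first heading is also inconsistent with "BitLocker Drive Encryption" as used in the unchanged text of this file.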
@ -42,13 +42,12 @@ To resolve this issue, follow these steps:
|
|||||||
$ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
|
$ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
|
||||||
if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
|
if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
|
||||||
```
|
```
|
||||||
|
2. Restart the computer. If you are prompted at the restart screen, press F12 to agree.8
|
||||||
1. Restart the computer. If you are prompted at the restart screen, press F12 to agree.
|
3. Retry starting BitLocker drive encryption.
|
||||||
1. Try again to start BitLocker Drive Encryption.
|
|
||||||
|
|
||||||
## You cannot prepare the TPM, and you see "The TPM is defending against dictionary attacks and is in a time-out period"
|
## You cannot prepare the TPM, and you see "The TPM is defending against dictionary attacks and is in a time-out period"
|
||||||
|
|
||||||
You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
|
You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
|
||||||
|
|
||||||
### Cause
|
### Cause
|
||||||
|
|
||||||
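Review bot: the new step 2 ends with a stray character, "press F12 to agree.8". The same hunk removes the blank line between the closing ``` fence and "2. Restart the computer…", which Markdown renderers need to start a new list after a code block; restore it. The steps are also renumbered to 2 and 3 here while the rest of these files use "1." for every item so that the list auto-numbers; keep that convention.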
@ -59,11 +58,11 @@ The TPM is locked out.
|
|||||||
To resolve this issue, disable and re-enable the TPM. To do this, follow these steps:
|
To resolve this issue, disable and re-enable the TPM. To do this, follow these steps:
|
||||||
|
|
||||||
1. Restart the device, and change the BIOS configuration to disable the TPM.
|
1. Restart the device, and change the BIOS configuration to disable the TPM.
|
||||||
1. Restart the device again, and return to the TPM management console. You should receive a message that resembles the following:
|
2. Restart the device again, and return to the TPM management console. Following message is displayed:
|
||||||
> Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS.
|
> Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS.
|
||||||
|
|
||||||
1. Restart the device, and change the BIOS configuration to enable the TPM.
|
3. Restart the device, and change the BIOS configuration to enable the TPM.
|
||||||
1. Restart the device, and return to the TPM management console.
|
4. Restart the device, and return to the TPM management console.
|
||||||
|
|
||||||
If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
|
If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
|
||||||
|
|
||||||
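Review bot: step 2 now reads "Following message is displayed:", which is missing its article and asserts the exact text where the old line hedged ("You should receive a message that resembles the following:"). The quoted message is specific ("Verify that this computer has 1.2 TPM"), so the hedge is the safer statement; at minimum use "The following message is displayed:".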
@ -72,11 +71,11 @@ If you still cannot prepare the TPM, clear the existing TPM keys. To do this, fo
|
|||||||
|
|
||||||
## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005
|
## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005
|
||||||
|
|
||||||
You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker Drive Encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights."
|
You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker drive encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights."
|
||||||
|
|
||||||
### Cause
|
### Cause
|
||||||
|
|
||||||
The TPM did not have sufficient permissions on the TPM Devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker Drive Encryption could not run.
|
The TPM did not have sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker drive encryption could not run.
|
||||||
|
|
||||||
This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10.
|
This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10.
|
||||||
|
|
||||||
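Review bot: "the TPM devices container" lowercases the name of the AD DS container; the verification step later in this same file shows it as "CN=TPM Devices,DC=\<*domain*>,DC=com", so keep "TPM Devices" capitalized so readers can match the distinguished name when they read LDAP traces.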
@ -84,7 +83,7 @@ This issue appears to be limited to computers that run versions of Windows that
|
|||||||
|
|
||||||
To verify that you have correctly identified this issue, use one of the following methods:
|
To verify that you have correctly identified this issue, use one of the following methods:
|
||||||
|
|
||||||
- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker Drive Encryption again. The operation should now succeed.
|
- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker drive encryption again. The operation should now succeed.
|
||||||
- Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the "Access Denied" or "Insufficient Rights" error. In this case, you should see the error when the client tries to access its object in the "CN=TPM Devices,DC=\<*domain*>,DC=com" container.
|
- Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the "Access Denied" or "Insufficient Rights" error. In this case, you should see the error when the client tries to access its object in the "CN=TPM Devices,DC=\<*domain*>,DC=com" container.
|
||||||
|
|
||||||
1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
|
1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
|
||||||
@ -95,13 +94,13 @@ To verify that you have correctly identified this issue, use one of the followin
|
|||||||
|
|
||||||
In this command, *ComputerName* is the name of the affected computer.
|
In this command, *ComputerName* is the name of the affected computer.
|
||||||
|
|
||||||
1. To resolve the issue, use a tool such as dsacls.exe to make sure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF.
|
1. To resolve the issue, use a tool such as dsacls.exe to ensure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF.
|
||||||
|
|
||||||
## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server"
|
## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server"
|
||||||
|
|
||||||
Your domain controllers were upgraded from Windows Server 2008 R2to Windows Server 2012 R2. A Group Policy Object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.
|
Your domain controllers were upgraded from Windows Server 2008 R2 to Windows Server 2012 R2. A group policy object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.
|
||||||
|
|
||||||
You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following:
|
You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following:
|
||||||
|
|
||||||
> 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled
|
> 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled
|
||||||
|
|
||||||
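Review bot: the resolution step grants Read and Write to "NTAUTHORITY/SELF" on both sides of the diff, but the principal is written elsewhere in these files as "NT AUTHORITY\…" (for example "NT AUTHORITY\Authenticated Users"); this line should use the same form, "NT AUTHORITY\SELF", with the space and the backslash, since that is the name dsacls.exe will be given. The "Windows Server 2008 R2to" typo fix in this hunk is good.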
@ -109,7 +108,7 @@ You have confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformati
|
|||||||
|
|
||||||
### Cause
|
### Cause
|
||||||
|
|
||||||
The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS may not be correctly set.
|
The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS might not be correctly set.
|
||||||
|
|
||||||
### Resolution
|
### Resolution
|
||||||
|
|
||||||
|
@ -18,13 +18,13 @@ ms.custom: bitlocker
|
|||||||
|
|
||||||
# BitLocker configuration: known issues
|
# BitLocker configuration: known issues
|
||||||
|
|
||||||
This article describes common issues that affect your BitLocker configuration and BitLocker's general functionality. This article also provides guidance to address these issues.
|
This article describes common issues that affect your BitLocker's configuration and general functionality. This article also provides guidance to address these issues.
|
||||||
|
|
||||||
## BitLocker encryption is slower in Windows 10 and Windows 11
|
## BitLocker encryption is slower in Windows 10 and Windows 11
|
||||||
|
|
||||||
In both Windows 11, Windows 10, and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 11 and Windows 10, BitLocker is less aggressive about requesting resources. This behavior reduces the chance that BitLocker will affect the computer's performance.
|
In both Windows 11, Windows 10, and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 11 and Windows 10, BitLocker is less aggressive about requesting resources. This behavior reduces the chance that BitLocker will affect the computer's performance.
|
||||||
|
|
||||||
To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), makes sure that any new disk writes on all client SKUs and any internal drives are always encrypted *as soon as you turn on BitLocker*.
|
To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), makes sure that any new disk writes on all client SKUs and that any internal drives are always encrypted *as soon as you turn on BitLocker*.
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives.
|
> To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives.
|
||||||
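Review bot: the inserted "that" in the Encrypt-On-Write sentence breaks it: "makes sure that any new disk writes on all client SKUs and that any internal drives are always encrypted" leaves "any new disk writes on all client SKUs" with no verb. The original subject was the pair "new disk writes on all client SKUs and any internal drives", so keep that wording. While here, drop the stray comma in "This model, (referred to as Encrypt-On-Write)," and change "In both Windows 11, Windows 10, and Windows 7" to "In Windows 11, Windows 10, and Windows 7", since "both" cannot introduce three items. The new intro wording "your BitLocker's configuration" is also awkward; "your BitLocker configuration and its general functionality" reads better.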
@ -41,7 +41,7 @@ After Windows 7 was released, several other areas of BitLocker were improved:
|
|||||||
|
|
||||||
- **New encryption algorithm, XTS-AES**. The new algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text.
|
- **New encryption algorithm, XTS-AES**. The new algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text.
|
||||||
|
|
||||||
By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS are United States Government standards that provide a benchmark for implementing cryptographic software.
|
By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS is a United States Government standard that provides a benchmark for implementing cryptographic software.
|
||||||
|
|
||||||
- **Improved administration features**. You can manage BitLocker on PCs or other devices by using the following interfaces:
|
- **Improved administration features**. You can manage BitLocker on PCs or other devices by using the following interfaces:
|
||||||
- BitLocker Wizard
|
- BitLocker Wizard
|
||||||
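Review bot: the FIPS sentence changes "FIPS are United States Government standards that provide" to "FIPS is a United States Government standard that provides", but the preceding sentence expands the acronym as the plural "Federal Information Processing Standards", so the singular now contradicts the text's own definition. Keep the plural.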
@ -90,12 +90,12 @@ This issue occurs regardless of any of the following variations in the environme
|
|||||||
- Whether the VMs are generation 1 or generation 2.
|
- Whether the VMs are generation 1 or generation 2.
|
||||||
- Whether the guest operating system is Windows Server 2019, 2016 or 2012 R2.
|
- Whether the guest operating system is Windows Server 2019, 2016 or 2012 R2.
|
||||||
|
|
||||||
In the domain controller Application log, the VSS event source records event ID 8229:
|
In the domain controller application log, the VSS event source records event ID 8229:
|
||||||
|
|
||||||
> ID: 8229
|
> ID: 8229
|
||||||
> Level: Warning
|
> Level: Warning
|
||||||
> Source: VSS
|
> Source: VSS
|
||||||
> Message: A VSS writer has rejected an event with error 0x800423f4, The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.
|
> Message: A VSS writer has rejected an event with error 0x800423f4. The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.
|
||||||
>
|
>
|
||||||
> Changes that the writer made to the writer components while handling the event will not be available to the requester.
|
> Changes that the writer made to the writer components while handling the event will not be available to the requester.
|
||||||
>
|
>
|
||||||
|
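Review bot: two edits in this hunk change named or quoted strings. "Application log" is the name of the Windows event log (Event Viewer lists it as "Application"), so lowercasing it to "application log" loses the log name; and the comma-to-period change inside the event ID 8229 message ("0x800423f4, The writer" to "0x800423f4. The writer") alters a verbatim quote of the VSS writer message, which should stay as the product emits it unless checked against the actual event text.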
@ -39,7 +39,7 @@ If you do not have a clear trail of events or error messages to follow, other ar
|
|||||||
- [Review the hardware requirements for using Intune to manage BitLocker on devices](/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements)
|
- [Review the hardware requirements for using Intune to manage BitLocker on devices](/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements)
|
||||||
- [Review your BitLocker policy configuration](#policy)
|
- [Review your BitLocker policy configuration](#policy)
|
||||||
|
|
||||||
For information about how to verify that Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly).
|
For information about the procedure to verify whether Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly).
|
||||||
|
|
||||||
## <a id="issue-1"></a>Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
|
## <a id="issue-1"></a>Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
|
||||||
|
|
||||||
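Review bot: "For information about the procedure to verify whether Intune policies are enforcing BitLocker correctly" is longer and less natural than the original "how to verify that"; keep "how to", which also matches the wording of the cross-referenced heading "Verifying that BitLocker is operating correctly".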
@ -49,7 +49,7 @@ Event ID 853 can carry different error messages, depending on the context. In th
|
|||||||
|
|
||||||
### Cause
|
### Cause
|
||||||
|
|
||||||
The device that you are trying to secure may not have a TPM chip, or the device BIOS might be configured to disable the TPM.
|
The device that you are trying to secure may not have a TPM chip, or the device BIOS might have been configured to disable the TPM.
|
||||||
|
|
||||||
### Resolution
|
### Resolution
|
||||||
|
|
||||||
@ -70,9 +70,9 @@ In this case, you see event ID 853, and the error message in the event indicates
|
|||||||
|
|
||||||
### Cause
|
### Cause
|
||||||
|
|
||||||
During the provisioning process, BitLocker Drive Encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts.
|
During the provisioning process, BitLocker drive encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts.
|
||||||
|
|
||||||
To avoid this situation, the provisioning process stops if it detects removable bootable media.
|
To avoid this situation, the provisioning process stops if it detects a removable bootable media.
|
||||||
|
|
||||||
### Resolution
|
### Resolution
|
||||||
|
|
||||||
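Review bot: "a removable bootable media" is ungrammatical ("media" does not take "a"); keep "removable bootable media" or use "a removable bootable device". The same hunk lowercases "BitLocker Drive Encryption" to "BitLocker drive encryption", but the feature name stays capitalised in unchanged text later in this file (for example "BitLocker Drive Encryption wizard" in the Intune policy section), so either apply the casing to the whole article or leave it.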
@ -90,7 +90,7 @@ The event information resembles the following:
|
|||||||
|
|
||||||
Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device cannot start the regular Windows operating system, the device tries to start WinRE.
|
Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device cannot start the regular Windows operating system, the device tries to start WinRE.
|
||||||
|
|
||||||
The provisioning process enables BitLocker Drive Encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes.
|
The provisioning process enables BitLocker drive encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes.
|
||||||
|
|
||||||
If WinRE is not available on the device, provisioning stops.
|
If WinRE is not available on the device, provisioning stops.
|
||||||
|
|
||||||
@ -104,7 +104,7 @@ The procedures described in this section depend on the default disk partitions t
|
|||||||
|
|
||||||

|

|
||||||
|
|
||||||
To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands:
|
To verify the configuration of the disk partitions, open an elevated Command Prompt window and run the following commands:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
diskpart
|
diskpart
|
||||||
@ -113,7 +113,7 @@ list volume
|
|||||||
|
|
||||||

|

|
||||||
|
|
||||||
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager).
|
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager):
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
@ -124,7 +124,6 @@ To verify the status of WinRE on the device, open an elevated Command Prompt win
|
|||||||
```console
|
```console
|
||||||
reagentc /info
|
reagentc /info
|
||||||
```
|
```
|
||||||
|
|
||||||
The output of this command resembles the following.
|
The output of this command resembles the following.
|
||||||
|
|
||||||

|

|
||||||
@ -137,13 +136,13 @@ reagentc /enable
|
|||||||
|
|
||||||
#### Step 3: Verify the Windows Boot Loader configuration
|
#### Step 3: Verify the Windows Boot Loader configuration
|
||||||
|
|
||||||
If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window:
|
If the partition status is healthy, but the **reagentc /enable** command results in an error, verify whether the Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
bcdedit /enum all
|
bcdedit /enum all
|
||||||
```
|
```
|
||||||
|
|
||||||
The output of this command resembles the following.
|
The output of this command resembles the following:
|
||||||
|
|
||||||
:::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png":::
|
:::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png":::
|
||||||
|
|
||||||
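Review bot: the colon edit in "The output of this command resembles the following:" at the bottom of this hunk is right, but the identical sentence in the previous hunk (before the reagentc /info screenshot) keeps its period; apply the same punctuation to both. "verify whether the Windows Boot Loader contains the recovery sequence GUID" is fine, although the original "verify that" was equally correct.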
@ -159,11 +158,11 @@ The event information resembles the following:
|
|||||||
|
|
||||||
### Cause
|
### Cause
|
||||||
|
|
||||||
The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker Drive Encryption does not support legacy BIOS.
|
The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption does not support legacy BIOS.
|
||||||
|
|
||||||
### Resolution
|
### Resolution
|
||||||
|
|
||||||
To verify the BIOS mode, use the System Information app. To do this, follow these steps:
|
To verify the BIOS mode, use the System Information application. To do this, follow these steps:
|
||||||
|
|
||||||
1. Select **Start**, and enter **msinfo32** in the **Search** box.
|
1. Select **Start**, and enter **msinfo32** in the **Search** box.
|
||||||
|
|
||||||
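Review bot: "Unified Extensible Firmware Interface (UEFI) BIOS" in the Cause paragraph is a contradiction in terms, since UEFI firmware replaces the legacy BIOS; "UEFI firmware" or "must boot in UEFI mode" is more precise, and the Resolution below already speaks of "BIOS mode" and "UEFI or EFI mode", so "UEFI mode" keeps the two consistent. The "Silent BitLocker drive encryption" lowercasing has the same consistency issue noted on earlier hunks.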
@ -174,7 +173,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes
|
|||||||
1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device.
|
1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device.
|
> If the device supports only Legacy mode, you cannot use Intune to manage BitLocker device encryption on the device.
|
||||||
|
|
||||||
## <a id="issue-6"></a>Error message: The UEFI variable 'SecureBoot' could not be read
|
## <a id="issue-6"></a>Error message: The UEFI variable 'SecureBoot' could not be read
|
||||||
|
|
||||||
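Review bot: "BitLocker Device Encryption" in the NOTE is a distinct feature name (the automatic encryption on Modern Standby and HSTI-compliant devices that the policy section below describes), not a generic phrase, and the unchanged text later in this file still writes "silent BitLocker Device Encryption"; lowercasing it here blurs the Drive Encryption versus Device Encryption distinction and creates an inconsistency. Keep the capitalised form.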
@ -184,11 +183,11 @@ You receive an error message that resembles the following:
|
|||||||
|
|
||||||
### Cause
|
### Cause
|
||||||
|
|
||||||
A Platform Configuration Register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of Secure Boot. Silent BitLocker Drive Encryption requires that Secure Boot is turned on.
|
A platform configuration register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of secure boot. Silent BitLocker drive encryption requires the secure boot to be turned on.
|
||||||
|
|
||||||
### Resolution
|
### Resolution
|
||||||
|
|
||||||
You can resolve this issue by verifying the PCR validation profile of the TPM and the Secure Boot state. To do this, follow these steps:
|
You can resolve this issue by verifying the PCR validation profile of the TPM and the secure boot state. To do this, follow these steps:
|
||||||
|
|
||||||
#### Step 1: Verify the PCR validation profile of the TPM
|
#### Step 1: Verify the PCR validation profile of the TPM
|
||||||
|
|
||||||
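Review bot: "Silent BitLocker drive encryption requires the secure boot to be turned on" is ungrammatical ("the" before a feature name); keep the original "requires that Secure Boot is turned on". "Secure Boot" is the UEFI feature name, it is capitalised in the heading's variable name 'SecureBoot' and in the unchanged quoted lines further down this file, and "Platform Configuration Register (PCR)" is lowercased here while other hunks keep it capitalised; settle on one casing per term across the article.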
@ -198,17 +197,17 @@ To verify that PCR 7 is in use, open an elevated Command Prompt window and run t
|
|||||||
Manage-bde -protectors -get %systemdrive%
|
Manage-bde -protectors -get %systemdrive%
|
||||||
```
|
```
|
||||||
|
|
||||||
In the TPM section of the output of this command, verify that the **PCR Validation Profile** setting includes **7**, as follows.
|
In the TPM section of the output of this command, verify whether the **PCR Validation Profile** setting includes **7**, as follows:
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then Secure Boot is not turned on.
|
If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then secure boot is not turned on.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
#### 2. Verify the Secure Boot state
|
#### 2. Verify the secure boot state
|
||||||
|
|
||||||
To verify the Secure Boot state, use the System Information app. To do this, follow these steps:
|
To verify the secure boot state, use the System Information application. To do this, follow these steps:
|
||||||
|
|
||||||
1. Select **Start**, and enter **msinfo32** in the **Search** box.
|
1. Select **Start**, and enter **msinfo32** in the **Search** box.
|
||||||
|
|
||||||
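Review bot: the heading "#### 2. Verify the secure boot state" is touched by this hunk but keeps the "2." style while the previous heading is "#### Step 1: Verify the PCR validation profile of the TPM"; change it to "#### Step 2: Verify the Secure Boot state" so the two steps match. The "secure boot is not turned on" edit in the PCR 7 paragraph adds to the Secure Boot casing inconsistency already noted.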
@ -229,7 +228,7 @@ To verify the Secure Boot state, use the System Information app. To do this, fol
|
|||||||
>
|
>
|
||||||
> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."
|
> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."
|
||||||
>
|
>
|
||||||
> If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False."
|
> If the computer supports secure boot and secure boot is disabled, this cmdlet returns "False."
|
||||||
>
|
>
|
||||||
> If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform."
|
> If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform."
|
||||||
|
|
||||||
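Review bot: only the middle line of this quoted cmdlet description is lowercased ("supports secure boot and secure boot is disabled") while the quoted lines immediately above and below keep "Secure Boot"; since the three lines quote the same cmdlet's documented return values, either leave all three as quoted or change all three.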
@ -237,7 +236,7 @@ To verify the Secure Boot state, use the System Information app. To do this, fol
|
|||||||
|
|
||||||
In this case, you are deploying Intune policy to encrypt a Windows 11, Windows 10, version 1809 device, and store the recovery password in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option.
|
In this case, you are deploying Intune policy to encrypt a Windows 11, Windows 10, version 1809 device, and store the recovery password in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option.
|
||||||
|
|
||||||
The policy deployment fails and generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder):
|
The policy deployment fails and the failure generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder):
|
||||||
|
|
||||||
> Event ID:846
|
> Event ID:846
|
||||||
>
|
>
|
||||||
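Review bot: "The policy deployment fails and the failure generates the following events" adds words without adding meaning; the original "fails and generates the following events" is clearer. The unchanged "a Windows 11, Windows 10, version 1809 device" in the same hunk reads as one device description; "a Windows 11 or Windows 10, version 1809 device" makes the alternatives explicit and matches the next hunk's "affects Windows 11 and Windows 10 version 1809".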
@ -270,7 +269,7 @@ The issue affects Windows 11 and Windows 10 version 1809.
|
|||||||
|
|
||||||
To resolve this issue, install the [May 21, 2019](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934) update.
|
To resolve this issue, install the [May 21, 2019](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934) update.
|
||||||
|
|
||||||
## <a id="issue-5"></a>Error message: There are conflicting Group Policy settings for recovery options on operating system drives
|
## <a id="issue-5"></a>Error message: There are conflicting group policy settings for recovery options on operating system drives
|
||||||
|
|
||||||
You receive a message that resembles the following:
|
You receive a message that resembles the following:
|
||||||
|
|
||||||
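Review bot: the heading is an error message quoted from the product ("Error message: There are conflicting Group Policy settings for recovery options on operating system drives"), so changing "Group Policy" to "group policy" inside it alters the string readers will search for; keep the message text verbatim and apply any casing style only to the surrounding prose.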
@ -278,13 +277,13 @@ You receive a message that resembles the following:
|
|||||||
|
|
||||||
### Resolution
|
### Resolution
|
||||||
|
|
||||||
To resolve this issue, review your Group Policy Object (GPO) settings for conflicts. For further guidance, see the next section, [Review your BitLocker policy configuration](#policy).
|
To resolve this issue, review your group policy object (GPO) settings for conflicts. For further guidance, see the next section, [Review your BitLocker policy configuration](#policy).
|
||||||
|
|
||||||
For more information about GPOs and BitLocker, see [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)).
|
For more information about GPOs and BitLocker, see [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)).
|
||||||
|
|
||||||
## <a id="policy"></a>Review your BitLocker policy configuration
|
## <a id="policy"></a>Review your BitLocker policy configuration
|
||||||
|
|
||||||
For information about how to use policy together with BitLocker and Intune, see the following resources:
|
For information about the procedure to use policy together with BitLocker and Intune, see the following resources:
|
||||||
|
|
||||||
- [BitLocker management for enterprises: Managing devices joined to Azure Active Directory](./bitlocker-management-for-enterprises.md#managing-devices-joined-to-azure-active-directory)
|
- [BitLocker management for enterprises: Managing devices joined to Azure Active Directory](./bitlocker-management-for-enterprises.md#managing-devices-joined-to-azure-active-directory)
|
||||||
- [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10))
|
- [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10))
|
||||||
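Review bot: "Group Policy Object (GPO)" is lowercased to "group policy object (GPO)" while the link text "BitLocker Group Policy Reference" two lines below, and again in the bulleted list, keeps the capitalised form; Group Policy is a product feature name, so keep it capitalised. "For information about the procedure to use policy together with BitLocker and Intune" is also more awkward than the original "how to use policy".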
@ -302,7 +301,7 @@ Intune offers the following enforcement types for BitLocker:
|
|||||||
|
|
||||||
If your device runs Windows 10 version 1703 or later, or Windows 11, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy is not required to enforce device encryption.
|
If your device runs Windows 10 version 1703 or later, or Windows 11, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy is not required to enforce device encryption.
|
||||||
|
|
||||||
If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker Drive Encryption. The settings for this policy should resemble the following:
|
If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker drive encryption. The settings for this policy should resemble the following:
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
@ -320,7 +319,7 @@ The OMA-URI references for these settings are as follows:
|
|||||||
> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, or Windows 11, you can use an endpoint protection policy to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant.
|
> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, or Windows 11, you can use an endpoint protection policy to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> If the **Warning for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker Drive Encryption wizard.
|
> If the **Warning for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker drive encryption wizard.
|
||||||
|
|
||||||
If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, or Windows 11, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. To do this, the user selects the notification. This action starts the BitLocker Drive Encryption wizard.
|
If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, or Windows 11, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. To do this, the user selects the notification. This action starts the BitLocker Drive Encryption wizard.
|
||||||
|
|
||||||
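Review bot: this hunk lowercases "BitLocker drive encryption wizard" in the NOTE while the very next, unchanged paragraph says "BitLocker Drive Encryption wizard" twice and the line above the NOTE says "silent BitLocker Device Encryption"; changing the casing in only one of three adjacent mentions makes the inconsistency worse rather than better. Either change every mention in the file or none.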
@ -339,11 +338,11 @@ The OMA-URI references for these settings are as follows:
|
|||||||
Value: **1**
|
Value: **1**
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when you set **RequireDeviceEncryption** to **1**, **AllowStandardUserEncryption** to **1**, and **AllowWarningForOtherDiskEncryption** to **0**. Intune can enforce silent BitLocker encryption for Autopilot devices that have standard user profiles.
|
> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when you set **RequireDeviceEncryption** to **1**, **AllowStandardUserEncryption** to **1**, and **AllowWarningForOtherDiskEncryption** to **0**, Intune enforces silent BitLocker encryption for Autopilot devices that have standard user profiles.
|
||||||
|
|
||||||
## Verifying that BitLocker is operating correctly
|
## Verifying that BitLocker is operating correctly
|
||||||
|
|
||||||
During regular operations, BitLocker Drive Encryption generates events such as Event ID 796 and Event ID 845.
|
During regular operations, BitLocker drive encryption generates events such as Event ID 796 and Event ID 845.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
|
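Review bot: the rewrite of the NOTE is correct: the original split the sentence at "to **0**. Intune can enforce", leaving the "when you set ..." clause dangling, and joining it with a comma and "Intune enforces" fixes it. The lowercased "BitLocker drive encryption generates events" in the verification section below has the same casing inconsistency noted on earlier hunks.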
@ -20,7 +20,7 @@ ms.custom: bitlocker
|
|||||||
|
|
||||||
# BitLocker recovery: known issues
|
# BitLocker recovery: known issues
|
||||||
|
|
||||||
This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article provides guidance to address these issues.
|
This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article also provides guidance to address these issues.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit recovery key. For more information, see [BitLocker key protectors](./prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors).
|
> In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit recovery key. For more information, see [BitLocker key protectors](./prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors).
|
||||||
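Review bot: while this hunk is open on the intro of the recovery article, the NOTE two lines below has a missing article: "refers to 32-digit recovery key" should be "refers to the 32-digit recovery key", matching "the 48-digit recovery password" earlier in the same sentence.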
@ -31,7 +31,7 @@ Windows prompts you for a BitLocker recovery password. However, you did not conf
|
|||||||
|
|
||||||
### Resolution
|
### Resolution
|
||||||
|
|
||||||
The BitLocker and Active Directory Domain Services (AD DS) FAQ addresses situations that may produce this symptom, and provides information about how to resolve the issue:
|
The BitLocker and Active Directory Domain Services (AD DS) FAQ address situations that may produce this symptom, and provides information about the procedure to resolve the issue:
|
||||||
|
|
||||||
- [What if BitLocker is enabled on a computer before the computer has joined the domain?](./bitlocker-and-adds-faq.yml#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-)
|
- [What if BitLocker is enabled on a computer before the computer has joined the domain?](./bitlocker-and-adds-faq.yml#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-)
|
||||||
|
|
||||||
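Review bot: "The BitLocker and Active Directory Domain Services (AD DS) FAQ address situations" introduces a subject-verb agreement error: the subject is one FAQ, and the same sentence goes on to say "and provides", so it must be "addresses". "information about the procedure to resolve the issue" is also wordier than the original "how to resolve the issue".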
@ -60,7 +60,7 @@ You can use either of the following methods to manually back up or synchronize a
|
|||||||
|
|
||||||
## Tablet devices do not support using Manage-bde -forcerecovery to test recovery mode
|
## Tablet devices do not support using Manage-bde -forcerecovery to test recovery mode
|
||||||
|
|
||||||
You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command:
|
You have a tablet or slate device, and you try to test BitLocker recovery by running the following command:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
Manage-bde -forcerecovery
|
Manage-bde -forcerecovery
|
||||||
@ -73,7 +73,7 @@ However, after you enter the recovery password, the device cannot start.
|
|||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> Tablet devices do not support the **manage-bde -forcerecovery** command.
|
> Tablet devices do not support the **manage-bde -forcerecovery** command.
|
||||||
|
|
||||||
This issue occurs because the Windows Boot Manager cannot process touch input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch input.
|
This issue occurs because the Windows Boot Manager cannot process touch-input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch-input.
|
||||||
|
|
||||||
If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **manage-bde -forcerecovery** command deletes the TPM protectors on the hard disk. Therefore, WinRE cannot reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting.
|
If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **manage-bde -forcerecovery** command deletes the TPM protectors on the hard disk. Therefore, WinRE cannot reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting.
|
||||||
|
|
||||||
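Review bot: "touch-input" should not be hyphenated in either place; "touch input" is a noun phrase here ("cannot process touch input"), and a hyphen belongs only in a compound modifier such as "touch-input device". While this hunk is here, the unchanged "If WindowsRE detects the TPM protector" in the next paragraph should read "WinRE", the abbreviation the article defines in the sentence just above it.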
@ -103,7 +103,7 @@ To resolve the restart loop, follow these steps:
|
|||||||
|
|
||||||
## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
|
## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
|
||||||
|
|
||||||
You have a Surface device that has BitLocker Drive Encryption turned on. You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update.
|
You have a Surface device that has BitLocker drive encryption turned on. You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update.
|
||||||
|
|
||||||
You experience one or more of the following symptoms on the Surface device:
|
You experience one or more of the following symptoms on the Surface device:
|
||||||
|
|
||||||
@ -115,14 +115,14 @@ You experience one or more of the following symptoms on the Surface device:
|
|||||||
|
|
||||||
This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way:
|
This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way:
|
||||||
|
|
||||||
- Secure Boot is turned off.
|
- Secure boot is turned off.
|
||||||
- PCR values have been explicitly defined, such as by Group Policy.
|
- PCR values have been explicitly defined, such as by group policy.
|
||||||
|
|
||||||
Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see "About the Platform Configuration Register (PCR)" at [BitLocker Group Policy Settings](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11)#about-the-platform-configuration-register-pcr)).
|
Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see "About the Platform Configuration Register (PCR)" at [BitLocker Group Policy Settings](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11)#about-the-platform-configuration-register-pcr)).
|
||||||
|
|
||||||
### Resolution
|
### Resolution
|
||||||
|
|
||||||
To verify the PCR values that are in use on a device, open and elevated Command Prompt window and run the following command:
|
To verify the PCR values that are in use on a device, open an elevated Command Prompt window and run the following command:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
manage-bde.exe -protectors -get <OSDriveLetter>:
|
manage-bde.exe -protectors -get <OSDriveLetter>:
|
||||||
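Review bot: "Secure boot is turned off" introduces a third casing ("Secure boot") alongside "Secure Boot" in the unchanged Connected Standby paragraph of this same hunk and "secure boot" in the configuration article; pick one form. "such as by group policy" has the same Group Policy casing point raised earlier. The "open and elevated" to "open an elevated" fix in the Resolution is correct.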
@ -170,7 +170,7 @@ To do this, follow these steps:
|
|||||||
1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1.
|
1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> After you disable the TPM protectors, BitLocker Drive Encryption no longer protects your device. To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
|
> After you disable the TPM protectors, BitLocker drive encryption no longer protects your device. To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
|
||||||
|
|
||||||
#### <a id="step-2"></a>Step 2: Use Surface BMR to recover data and reset your device
|
#### <a id="step-2"></a>Step 2: Use Surface BMR to recover data and reset your device
|
||||||
|
|
||||||
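Review bot: `BitLocker Drive Encryption` in the note is the feature's proper name, and the rewrite to `BitLocker drive encryption` turns it into a generic description; if the intent is to lowercase it everywhere, that decision should be applied across the whole doc set in one pass rather than in scattered lines, otherwise readers will see both spellings in the same article.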
@ -193,9 +193,9 @@ To recover data from your Surface device if you cannot start Windows, follow ste
|
|||||||
|
|
||||||
#### Step 3: Restore the default PCR values
|
#### Step 3: Restore the default PCR values
|
||||||
|
|
||||||
To prevent this issue from recurring, we strongly recommend that you restore the default configuration of Secure Boot and the PCR values.
|
To prevent this issue from recurring, we strongly recommend that you restore the default configuration of secure boot and the PCR values.
|
||||||
|
|
||||||
To enable Secure Boot on a Surface device, follow these steps:
|
To enable secure boot on a Surface device, follow these steps:
|
||||||
|
|
||||||
1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet:
|
1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet:
|
||||||
|
|
||||||
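Review bot: step 1 still reads `Suspend BitLocker. to do this, open an elevated Windows PowerShell window` on both sides of the hunk; `to` begins a new sentence and should be `To do this, ...`. Separately, `Secure Boot` is the UEFI feature name and is capitalized elsewhere in this file (the hunk context line itself reads `To enable Secure Boot on a Surface device`), so `secure boot` in the rewritten lines is inconsistent with the surrounding text.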
@ -212,6 +212,7 @@ To enable Secure Boot on a Surface device, follow these steps:
|
|||||||
1. Open an elevated PowerShell window, and run the following cmdlet:
|
1. Open an elevated PowerShell window, and run the following cmdlet:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
|
||||||
Resume-BitLocker -MountPoint "<DriveLetter>:"
|
Resume-BitLocker -MountPoint "<DriveLetter>:"
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -252,7 +253,6 @@ To suspend BitLocker while you install TPM or UEFI firmware updates:
|
|||||||
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
|
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive.
|
In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive.
|
||||||
|
|
||||||
1. Install the Surface device driver and firmware updates.
|
1. Install the Surface device driver and firmware updates.
|
||||||
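Review bot: `In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive.` is missing a comma after `cmdlet`; the line is unchanged on both sides of the hunk, but since the adjacent lines are being edited this is the moment to add it.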
@ -263,7 +263,7 @@ To suspend BitLocker while you install TPM or UEFI firmware updates:
|
|||||||
Resume-BitLocker -MountPoint "<DriveLetter>:"
|
Resume-BitLocker -MountPoint "<DriveLetter>:"
|
||||||
```
|
```
|
||||||
|
|
||||||
To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
|
To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
|
||||||
|
|
||||||
## After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000
|
## After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000
|
||||||
|
|
||||||
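Review bot: the heading `After you install an update to a Hyper V-enabled computer` misspells the product name; the hyphen in `Hyper-V` is part of the name, so it should read `Hyper-V-enabled computer`. The heading is unchanged in this hunk, but the line directly above it is being edited, so the fix fits naturally here. The same `BitLocker Drive Encryption` lowercasing comment from the earlier hunk applies to `To re-enable BitLocker drive encryption`.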
@ -341,5 +341,5 @@ For more information about this technology, see [Windows Defender System Guard:
|
|||||||
|
|
||||||
To resolve this issue, do one of the following:
|
To resolve this issue, do one of the following:
|
||||||
|
|
||||||
- Remove any device that uses TPM 1.2 from any group that is subject to Group Policy Objects (GPOs) that enforce Secure Launch.
|
- Remove any device that uses TPM 1.2 from any group that is subject to GPOs that enforce secure launch.
|
||||||
- Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**.
|
- Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**.
|
||||||
|
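Review bot: dropping the expansion in `Group Policy Objects (GPOs)` leaves `GPOs` in this bullet and `GPO` in the next one with no definition in the section; keep `Group Policy Objects (GPOs)` on first use. Also, `Secure Launch` is the name of the System Guard feature and matches the `**Secure Launch Configuration**` setting named in the following bullet, so lowercasing it to `secure launch` makes the two adjacent bullets disagree with each other.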
@ -18,17 +18,17 @@ ms.custom: bitlocker
|
|||||||
|
|
||||||
# BitLocker and TPM: other known issues
|
# BitLocker and TPM: other known issues
|
||||||
|
|
||||||
This article describes common issues that relate directly to the Trusted Platform Module (TPM), and provides guidance to address these issues.
|
This article describes common issues that relate directly to the trusted platform module (TPM), and provides guidance to address these issues.
|
||||||
|
|
||||||
## Azure AD: Windows Hello for Business and single sign-on do not work
|
## Azure AD: Windows Hello for Business and single sign-on don't work
|
||||||
|
|
||||||
You have an Azure Active Directory (Azure AD)-joined client computer that cannot authenticate correctly. You experience one or more of the following symptoms:
|
You have an Azure Active Directory (Azure AD)-joined client computer that can't authenticate correctly. You experience one or more of the following symptoms:
|
||||||
|
|
||||||
- Windows Hello for Business does not work.
|
- Windows Hello for Business doesn't work.
|
||||||
- Conditional access fails.
|
- Conditional access fails.
|
||||||
- Single sign-on (SSO) does not work.
|
- Single sign-on (SSO) doesn't work.
|
||||||
|
|
||||||
Additionally, the computer logs an entry for Event ID 1026, which resembles the following:
|
Additionally, the computer logs the following entry for Event ID 1026:
|
||||||
|
|
||||||
> Log Name: System
|
> Log Name: System
|
||||||
> Source: Microsoft-Windows-TPM-WMI
|
> Source: Microsoft-Windows-TPM-WMI
|
||||||
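Review bot: `Trusted Platform Module (TPM)` is a proper name (the title of the TCG specification) and is capitalized across the documentation set, so the rewrite to `trusted platform module (TPM)` should be reverted. Separately, changing `logs an entry for Event ID 1026, which resembles the following:` to `logs the following entry for Event ID 1026:` turns an illustrative sample into an exact quotation; the original hedge was deliberate, because the quoted block is a trimmed example of the event rather than its full text.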
@ -46,27 +46,27 @@ Additionally, the computer logs an entry for Event ID 1026, which resembles the
|
|||||||
|
|
||||||
### Cause
|
### Cause
|
||||||
|
|
||||||
This event indicates that the TPM is not ready or has some setting that prevents access to the TPM keys.
|
This event indicates that the TPM isn't ready or has some setting that prevents access to the TPM keys.
|
||||||
|
|
||||||
Additionally, the behavior indicates that the client computer cannot obtain a [Primary Refresh Token (PRT)](/azure/active-directory/devices/concept-primary-refresh-token).
|
Additionally, the behavior indicates that the client computer can't obtain a [Primary Refresh Token (PRT)](/azure/active-directory/devices/concept-primary-refresh-token).
|
||||||
|
|
||||||
### Resolution
|
### Resolution
|
||||||
|
|
||||||
To verify the status of the PRT, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd) to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT was not issued. This may indicate that the computer could not present its certificate for authentication.
|
To verify the status of the PRT, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd) to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT wasn't issued. This may indicate that the computer couldn't present its certificate for authentication.
|
||||||
|
|
||||||
To resolve this issue, follow these steps to troubleshoot the TPM:
|
To resolve this issue, follow these steps to troubleshoot the TPM:
|
||||||
|
|
||||||
1. Open the TPM management console (tpm.msc). To do this, select **Start**, and enter **tpm.msc** in the **Search** box.
|
1. Open the TPM management console (tpm.msc). To do this, select **Start**, and enter **tpm.msc** in the **Search** box.
|
||||||
1. If you see a notice to either unlock the TPM or reset the lockout, follow those instructions.
|
1. If you see a notice to either unlock the TPM or reset the lockout, follow those instructions.
|
||||||
1. If you do not see such a notice, review the BIOS settings of the computer for any setting that you can use to reset or disable the lockout.
|
1. If you don't see such a notice, review the BIOS settings of the computer for any setting that you can use to reset or disable the lockout.
|
||||||
1. Contact the hardware vendor to determine whether there is a known fix for the issue.
|
1. Contact the hardware vendor to determine whether there's a known fix for the issue.
|
||||||
1. If you still cannot resolve the issue, clear and re-initialize the TPM. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
|
1. If you still can't resolve the issue, clear and reinitialize the TPM. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
|
||||||
> [!WARNING]
|
> [!WARNING]
|
||||||
> Clearing the TPM can cause data loss.
|
> Clearing the TPM can cause data loss.
|
||||||
|
|
||||||
## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider is not ready for use
|
## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use
|
||||||
|
|
||||||
You have a Windows 11 or Windows 10 version 1703-based computer that uses TPM version 1.2. When you try to open the TPM management console, you receive a message that resembles the following:
|
You have a Windows 11 or Windows 10 version 1703-based computer that uses TPM version 1.2. When you try to open the TPM management console, you receive the following message:
|
||||||
|
|
||||||
> Loading the management console failed. The device that is required by the cryptographic provider is not ready for use.
|
> Loading the management console failed. The device that is required by the cryptographic provider is not ready for use.
|
||||||
> HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY
|
> HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY
|
||||||
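Review bot: the quoted error text `HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY` repeats the HRESULT value with no separator on both sides of the hunk; it should read `HRESULT 0x80090030 - NTE\_DEVICE\_NOT\_READY`. The change from `you receive a message that resembles the following:` to `you receive the following message:` has the same issue as the Event ID 1026 sentence above: it promises an exact match for text that is shown as a sample.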
@ -83,26 +83,26 @@ These symptoms indicate that the TPM has hardware or firmware issues.
|
|||||||
|
|
||||||
To resolve this issue, switch the TPM operating mode from version 1.2 to version 2.0.
|
To resolve this issue, switch the TPM operating mode from version 1.2 to version 2.0.
|
||||||
|
|
||||||
If this does not resolve the issue, consider replacing the device motherboard. After you replace the motherboard, switch the TPM operating mode from version 1.2 to version 2.0.
|
If this doesn't resolve the issue, consider replacing the device motherboard. After you replace the motherboard, switch the TPM operating mode from version 1.2 to version 2.0.
|
||||||
|
|
||||||
## Devices do not join hybrid Azure AD because of a TPM issue
|
## Devices don't join hybrid Azure AD because of a TPM issue
|
||||||
|
|
||||||
You have a device that you are trying to join to a hybrid Azure AD. However, the join operation appears to fail.
|
You have a device that you're trying to join to a hybrid Azure AD. However, the join operation appears to fail.
|
||||||
|
|
||||||
To verify that the join succeeded, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the tool output, the following attributes indicate that the join succeeded:
|
To verify that the join succeeded, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the tool output, the following attributes indicate that the join succeeded:
|
||||||
|
|
||||||
- **AzureAdJoined: YES**
|
- **AzureAdJoined: YES**
|
||||||
- **DomainName: \<*on-prem Domain name*\>**
|
- **DomainName: \<*on-prem Domain name*\>**
|
||||||
|
|
||||||
If the value of **AzureADJoined** is **No**, the join failed.
|
If the value of **AzureADJoined** is **No**, the join operation failed.
|
||||||
|
|
||||||
### Causes and Resolutions
|
### Causes and Resolutions
|
||||||
|
|
||||||
This issue may occur when the Windows operating system is not the owner of the TPM. The specific fix for this issue depends on which errors or events you experience, as shown in the following table:
|
This issue may occur when the Windows operating system isn't the owner of the TPM. The specific fix for this issue depends on which errors or events you experience, as shown in the following table:
|
||||||
|
|
||||||
|Message |Reason | Resolution|
|
|Message |Reason | Resolution|
|
||||||
| - | - | - |
|
| - | - | - |
|
||||||
|NTE\_BAD\_KEYSET (0x80090016/-2146893802) |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. Make sure that you create the sysprep image by using a computer that is not joined to or registered in Azure AD or hybrid Azure AD. |
|
|NTE\_BAD\_KEYSET (0x80090016/-2146893802) |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. Make sure that you create the sysprep image by using a computer that isn't joined to or registered in Azure AD or hybrid Azure AD. |
|
||||||
|TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641) |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|
|TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641) |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|
||||||
|TPM\_E\_NOTFIPS (0x80280036/-2144862154) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|
|TPM\_E\_NOTFIPS (0x80280036/-2144862154) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|
||||||
|NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775) |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. |
|
|NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775) |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. |
|
||||||
|
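Review bot: the attribute name is spelled two ways in this hunk: the bullet says `**AzureAdJoined: YES**` while the next sentence says `If the value of **AzureADJoined** is **No**`. Pick one spelling (the bullet's `AzureAdJoined` matches the `AzureAdPrt` form used earlier in the article) so a reader searching the dsregcmd output finds the right string. The two table rows whose resolution is `disable its TPM` would also benefit from one clause saying this is a workaround to complete the join, since the same article covers Windows Hello for Business and BitLocker scenarios that rely on the TPM, and a reader following the table may not realise what else the workaround affects.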
@ -23,66 +23,66 @@ ms.date: 04/02/2019
|
|||||||
- Windows Server 2016
|
- Windows Server 2016
|
||||||
- Azure Stack HCI
|
- Azure Stack HCI
|
||||||
|
|
||||||
Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
|
Encrypted hard drive uses the rapid encryption that is provided by BitLocker drive encryption to enhance data security and management.
|
||||||
|
|
||||||
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
|
By offloading the cryptographic operations to a hardware, Encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
|
||||||
|
|
||||||
Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. You can install Windows to Encrypted Hard Drives without additional modification beginning with Windows 8 and Windows Server 2012.
|
Encrypted hard drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. You can install Windows to encrypted hard drives without additional modification, beginning with Windows 8 and Windows Server 2012.
|
||||||
|
|
||||||
Encrypted Hard Drives provide:
|
Encrypted hard drives provide:
|
||||||
|
|
||||||
- **Better performance**: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
|
- **Better performance**: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
|
||||||
- **Strong security based in hardware**: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system
|
- **Strong security based in hardware**: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system
|
||||||
- **Ease of use**: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted Hard Drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive.
|
- **Ease of use**: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted Hard Drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive.
|
||||||
- **Lower cost of ownership**: There's no need for new infrastructure to manage encryption keys, since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process.
|
- **Lower cost of ownership**: There's no need for new infrastructure to manage encryption keys, since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process.
|
||||||
|
|
||||||
Encrypted Hard Drives are supported natively in the operating system through the following mechanisms:
|
Encrypted hard drives are supported natively in the operating system through the following mechanisms:
|
||||||
|
|
||||||
- **Identification**: The operating system can identify that the drive is an Encrypted Hard Drive device type
|
- **Identification**: The operating system identifies that the drive is an Encrypted hard drive device type.
|
||||||
- **Activation**: The operating system disk management utility can activate, create and map volumes to ranges/bands as appropriate
|
- **Activation**: The operating system disk management utility activates, creates and maps volumes to ranges/bands as appropriate.
|
||||||
- **Configuration**: The operating system can create and map volumes to ranges/bands as appropriate
|
- **Configuration**: The operating system creates and maps volumes to ranges/bands as appropriate.
|
||||||
- **API**: API support for applications to manage Encrypted Hard Drives independently of BitLocker Drive Encryption (BDE)
|
- **API**: API support for applications to manage Encrypted hard drives independent of BitLocker drive encryption (BDE).
|
||||||
- **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end user experience.
|
- **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end-user experience.
|
||||||
|
|
||||||
>[!WARNING]
|
>[!WARNING]
|
||||||
>Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for Windows when planning for deployment.
|
>Self-encrypting hard drives and encrypted hard drives for Windows are not the same type of devices. Encrypted hard drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-encrypting hard drives do not have these requirements. It is important to confirm that the device type is an encrypted hard drive for Windows when planning for deployment.
|
||||||
|
|
||||||
If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)).
|
If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)).
|
||||||
|
|
||||||
## System Requirements
|
## System Requirements
|
||||||
|
|
||||||
To use Encrypted Hard Drives, the following system requirements apply:
|
To use encrypted hard drives, the following system requirements apply:
|
||||||
|
|
||||||
For an Encrypted Hard Drive used as a **data drive**:
|
For an encrypted hard drive used as a **data drive**:
|
||||||
|
|
||||||
- The drive must be in an uninitialized state.
|
- The drive must be in an uninitialized state.
|
||||||
- The drive must be in a security inactive state.
|
- The drive must be in a security inactive state.
|
||||||
|
|
||||||
For an Encrypted Hard Drive used as a **startup drive**:
|
For an encrypted hard drive used as a **startup drive**:
|
||||||
|
|
||||||
- The drive must be in an uninitialized state.
|
- The drive must be in an uninitialized state.
|
||||||
- The drive must be in a security inactive state.
|
- The drive must be in a security inactive state.
|
||||||
- The computer must be UEFI 2.3.1 based and have the EFI\_STORAGE\_SECURITY\_COMMAND\_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).
|
- The computer must be UEFI 2.3.1 based and have the EFI\_STORAGE\_SECURITY\_COMMAND\_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).
|
||||||
- The computer must have the Compatibility Support Module (CSM) disabled in UEFI.
|
- The computer must have the compatibility support module (CSM) disabled in UEFI.
|
||||||
- The computer must always boot natively from UEFI.
|
- The computer must always boot natively from UEFI.
|
||||||
|
|
||||||
>[!WARNING]
|
>[!WARNING]
|
||||||
>All Encrypted Hard Drives must be attached to non-RAID controllers to function properly.
|
>All encrypted hard drives must be attached to non-RAID controllers to function properly.
|
||||||
|
|
||||||
## Technical overview
|
## Technical overview
|
||||||
|
|
||||||
Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later, Encrypted Hard Drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system identifies an Encrypted Hard Drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk.
|
Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later versions, encrypted hard drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system identifies an encrypted hard drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk.
|
||||||
|
|
||||||
## Configuring Encrypted Hard Drives as Startup drives
|
## Configuring encrypted hard drives as startup drives
|
||||||
|
|
||||||
Configuration of Encrypted Hard Drives as startup drives is done using the same methods as standard hard drives. These methods include:
|
Configuration of encrypted hard drives as startup drives is done using the same methods as standard hard drives. These methods include:
|
||||||
|
|
||||||
- **Deploy from media**: Configuration of Encrypted Hard Drives happens automatically through the installation process.
|
- **Deploy from media**: Configuration of Encrypted Hard Drives happens automatically through the installation process.
|
||||||
- **Deploy from network**: This deployment method involves booting a Windows PE environment and using imaging tools to apply a Windows image from a network share. Using this method, the Enhanced Storage optional component needs to be included in the Windows PE image. You can enable this component using Server Manager, Windows PowerShell, or the DISM command line tool. If this component isn't present, configuration of Encrypted Hard Drives won't work.
|
- **Deploy from network**: This deployment method involves booting a Windows PE environment and using imaging tools to apply a Windows image from a network share. Using this method, the Enhanced Storage optional component needs to be included in the Windows PE image. You can enable this component using Server Manager, Windows PowerShell, or the DISM command line tool. If this component isn't present, configuration of Encrypted Hard Drives won't work.
|
||||||
- **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](/windows-hardware/customize/desktop/unattend/microsoft-windows-enhancedstorage-adm-tcgsecurityactivationdisabled) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives.
|
- **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](/windows-hardware/customize/desktop/unattend/microsoft-windows-enhancedstorage-adm-tcgsecurityactivationdisabled) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives.
|
||||||
- **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators won't work.
|
- **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators won't work.
|
||||||
|
|
||||||
## Configuring hardware-based encryption with Group Policy
|
## Configuring hardware-based encryption with group policy
|
||||||
|
|
||||||
There are three related Group Policy settings that help you manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings aren't configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption:
|
There are three related Group Policy settings that help you manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings aren't configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption:
|
||||||
|
|
||||||
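Review bot: `By offloading the cryptographic operations to a hardware` introduces a grammar error (`to hardware`, with no article), and `not the same type of devices` should stay `not the same type of device`. The lowercasing of `Encrypted Hard Drive` is also applied unevenly inside this hunk: the `Ease of use` bullet, the `Deploy from media`, `Deploy from network`, `Deploy from server` and `Disk Duplication` bullets, and the `Encrypted Hard Drive Device Guide` sentence keep `Encrypted Hard Drives`, while the surrounding paragraphs now read `encrypted hard drives`. Because the warning in this same section relies on `Encrypted Hard Drives for Windows` being a defined term distinct from `Self-Encrypting Hard Drives`, keeping the capitalized form throughout is the safer edit.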
@ -90,22 +90,21 @@ There are three related Group Policy settings that help you manage how BitLocker
|
|||||||
- [Configure use of hardware-based encryption for removable data drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-removable-data-drives)
|
- [Configure use of hardware-based encryption for removable data drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-removable-data-drives)
|
||||||
- [Configure use of hardware-based encryption for operating system drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-operating-system-drives)
|
- [Configure use of hardware-based encryption for operating system drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-operating-system-drives)
|
||||||
|
|
||||||
## Encrypted Hard Drive Architecture
|
## Encrypted hard drive architecture
|
||||||
|
|
||||||
Encrypted Hard Drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These are the Data Encryption Key (DEK) and the Authentication Key (AK).
|
Encrypted hard drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These are the data encryption key (DEK) and the authentication key (AK).
|
||||||
|
|
||||||
The Data Encryption Key is the key used to encrypt all of the data on the drive. The drive generates the DEK and it never leaves the device. It's stored in an encrypted format at a random location on the drive. If the DEK is changed or erased, data encrypted using the DEK is irrecoverable.
|
The Data Encryption Key is the key used to encrypt all of the data on the drive. The drive generates the DEK and it never leaves the device. It's stored in an encrypted format at a random location on the drive. If the DEK is changed or erased, data encrypted using the DEK is irrecoverable.
|
||||||
|
|
||||||
The Authentication Key is the key used to unlock data on the drive. A hash of the key is stored on drive and requires confirmation to decrypt the DEK.
|
The AK is the key used to unlock data on the drive. A hash of the key is stored on the drive and requires confirmation to decrypt the DEK.
|
||||||
|
|
||||||
When a computer with an Encrypted Hard Drive is in a powered off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the Authentication Key decrypts the Data Encryption Key. Once the Authentication Key decrypts the Data
|
When a computer with an encrypted hard drive is in a powered-off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the AK decrypts the DEK. Once the AK decrypts the DEK, read-write operations can take place on the device.
|
||||||
Encryption Key, read-write operations can take place on the device.
|
|
||||||
|
|
||||||
When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. In the event that the DEK needs to be changed or erased, the data on the drive doesn't need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK and read-writes to the volume can continue.
|
When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. In the event that the DEK needs to be changed or erased, the data on the drive doesn't need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK and read-writes to the volume can continue.
|
||||||
|
|
||||||
## Re-configuring Encrypted Hard Drives
|
## Re-configuring encrypted hard drives
|
||||||
|
|
||||||
Many Encrypted Hard Drive devices come pre-configured for use. If reconfiguration of the drive is required, use the following procedure after removing all available volumes and reverting the drive to an uninitialized state:
|
Many encrypted hard drive devices come pre-configured for use. If reconfiguration of the drive is required, use the following procedure after removing all available volumes and reverting the drive to an uninitialized state:
|
||||||
|
|
||||||
1. Open Disk Management (diskmgmt.msc)
|
1. Open Disk Management (diskmgmt.msc)
|
||||||
2. Initialize the disk and select the appropriate partition style (MBR or GPT)
|
2. Initialize the disk and select the appropriate partition style (MBR or GPT)
|
||||||
|
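Review bot: the replacement line "The AK is the key used to unlock data on the drive" removes the full name at the exact point where the acronym is first introduced; the preceding sentence defines the DEK in full, so this one should read "The Authentication Key (AK) is the key used to unlock data on the drive." The later paragraph in this hunk is left inconsistent as well: it still says "A new Authentication Key needs to be created and it will re-encrypt the DEK" and then "unlocked using the new AK", so after the definition pick one form and use it throughout. While here, "A hash of the key is stored on the drive and requires confirmation to decrypt the DEK" does not say what is confirmed; stating that the supplied key is checked against the stored hash before the DEK is decrypted makes the purpose of the hash clear.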
@ -50,7 +50,7 @@ This table includes all available attributes/elements for the **Log** element. T
|
|||||||
|Attribute/Element |Value type |Description |
|
|Attribute/Element |Value type |Description |
|
||||||
|----------|-----------|------------|
|
|----------|-----------|------------|
|
||||||
|ProviderType |String |This is always **EDPAudit**. |
|
|ProviderType |String |This is always **EDPAudit**. |
|
||||||
|LogType |String |Includes:<ul><li>**DataCopied.** Work data is copied or shared to a personal location.</li><li>**ProtectionRemoved.** WIP protection is removed from a Work-defined file.</li><li>**ApplicationGenerated.** A custom audit log provided by an app.</li></ul>|
|
|LogType |String |Includes:<ul><li>**DataCopied.** Work data is copied or shared to a personal location.</li><li>**ProtectionRemoved.** Windows Information Protection is removed from a Work-defined file.</li><li>**ApplicationGenerated.** A custom audit log provided by an app.</li></ul>|
|
||||||
|TimeStamp |Int |Uses the [FILETIME structure](/windows/win32/api/minwinbase/ns-minwinbase-filetime) to represent the time that the event happened. |
|
|TimeStamp |Int |Uses the [FILETIME structure](/windows/win32/api/minwinbase/ns-minwinbase-filetime) to represent the time that the event happened. |
|
||||||
|Policy |String |How the work data was shared to the personal location:<ul><li>**CopyPaste.** Work data was pasted into a personal location or app.</li><li>**ProtectionRemoved.** Work data was changed to be unprotected.</li><li>**DragDrop.** Work data was dropped into a personal location or app.</li><li>**Share.** Work data was shared with a personal location or app.</li><li>**NULL.** Any other way work data could be made personal beyond the options above. For example, when a work file is opened using a personal application (also known as, temporary access).</li></ul> |
|
|Policy |String |How the work data was shared to the personal location:<ul><li>**CopyPaste.** Work data was pasted into a personal location or app.</li><li>**ProtectionRemoved.** Work data was changed to be unprotected.</li><li>**DragDrop.** Work data was dropped into a personal location or app.</li><li>**Share.** Work data was shared with a personal location or app.</li><li>**NULL.** Any other way work data could be made personal beyond the options above. For example, when a work file is opened using a personal application (also known as, temporary access).</li></ul> |
|
||||||
|Justification |String |Not implemented. This will always be either blank or NULL.<br><br>**Note**<br>Reserved for future use to collect the user justification for changing from **Work** to **Personal**. |
|
|Justification |String |Not implemented. This will always be either blank or NULL.<br><br>**Note**<br>Reserved for future use to collect the user justification for changing from **Work** to **Personal**. |
|
||||||
@ -160,7 +160,7 @@ Here are a few examples of responses from the Reporting CSP.
|
|||||||
|
|
||||||
## Collect WIP audit logs by using Windows Event Forwarding (for Windows desktop domain-joined devices only)
|
## Collect WIP audit logs by using Windows Event Forwarding (for Windows desktop domain-joined devices only)
|
||||||
|
|
||||||
Use Windows Event Forwarding to collect and aggregate your WIP audit events. You can view your audit events in the Event Viewer.
|
Use Windows Event Forwarding to collect and aggregate your Windows Information Protection audit events. You can view your audit events in the Event Viewer.
|
||||||
|
|
||||||
**To view the WIP events in the Event Viewer**
|
**To view the WIP events in the Event Viewer**
|
||||||
|
|
||||||
|
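Review bot: the body text is expanded to "Windows Information Protection audit events" but the heading directly above it ("## Collect WIP audit logs by using Windows Event Forwarding ...") and the bold procedure title ("**To view the WIP events in the Event Viewer**") keep the abbreviation, so the section now mixes both forms within a few lines. Either expand the heading and procedure title too, or define "Windows Information Protection (WIP)" once at the first mention and leave "WIP" in the headings.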
@ -65,12 +65,12 @@ The **Configure Windows Information Protection settings** page appears, where yo
|
|||||||
|
|
||||||
## Add app rules to your policy
|
## Add app rules to your policy
|
||||||
|
|
||||||
During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
|
During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through Windows Information Protection. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
|
||||||
|
|
||||||
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
|
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
|
||||||
|
|
||||||
>[!IMPORTANT]
|
>[!IMPORTANT]
|
||||||
>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
|
>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with Windows Information Protection before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
|
||||||
|
|
||||||
### Add a store app rule to your policy
|
### Add a store app rule to your policy
|
||||||
For this example, we're going to add Microsoft OneNote, a store app, to the **App Rules** list.
|
For this example, we're going to add Microsoft OneNote, a store app, to the **App Rules** list.
|
||||||
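Review bot: inside the same IMPORTANT callout the change produces "safe with Windows Information Protection" while the two occurrences of "WIP-unaware apps" in the sentences just before it stay abbreviated, which reads as if two different things are being named. Since the paragraph above already uses the full name ("access to your enterprise data through Windows Information Protection"), defining it there as "Windows Information Protection (WIP)" and keeping "WIP" inside the callout is the simpler fix. Separately, the callout uses a raw `<p>` to separate its two paragraphs; inside a `>` blockquote a second quoted line (`>` on its own line) renders more predictably than an HTML paragraph tag.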
@ -278,7 +278,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
|
|||||||
The file is imported and the apps are added to your **App Rules** list.
|
The file is imported and the apps are added to your **App Rules** list.
|
||||||
|
|
||||||
### Exempt apps from WIP restrictions
|
### Exempt apps from WIP restrictions
|
||||||
If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
|
If you're running into compatibility issues where your app is incompatible with Windows Information Protection (WIP), but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
|
||||||
|
|
||||||
**To exempt a store app, a desktop app, or an AppLocker policy file app rule**
|
**To exempt a store app, a desktop app, or an AppLocker policy file app rule**
|
||||||
|
|
||||||
|
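Review bot: this hunk introduces the definition "Windows Information Protection (WIP)" in the "Exempt apps" section (around line 278 of the file), but the earlier hunk in the same file (around line 65) already switched its first mention to the full name without the parenthetical, and the heading here ("### Exempt apps from WIP restrictions") plus the rest of this sentence ("exempt the app from the WIP restrictions") rely on the reader knowing the abbreviation. Move the "(WIP)" definition to the first use in the file and drop it here.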
@ -37,7 +37,7 @@ Apps can be enlightened or unenlightened:
|
|||||||
|
|
||||||
- Windows **Save As** experiences only allow you to save your files as enterprise.
|
- Windows **Save As** experiences only allow you to save your files as enterprise.
|
||||||
|
|
||||||
- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode.
|
- **Windows Information Protection-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode.
|
||||||
|
|
||||||
## List of enlightened Microsoft apps
|
## List of enlightened Microsoft apps
|
||||||
Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
|
Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
|
||||||
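Review bot: renaming the bolded term to "**Windows Information Protection-work only apps**" changes a defined term that the file's own heading still uses in its original form ("## List of WIP-work only apps from Microsoft" in the next hunk), and the same sentence continues with "for use in an enterprise with WIP and Mobile App Management (MAM)", so the term no longer matches either its heading or its own definition. Keep "**WIP-work only apps**" as the term (it is a label, like "WIP-unaware"), and if the full name is wanted, put it in the surrounding prose instead.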
@ -75,10 +75,10 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
|
|||||||
- Microsoft To Do
|
- Microsoft To Do
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning.
|
> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from Windows Information Protection policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning.
|
||||||
|
|
||||||
## List of WIP-work only apps from Microsoft
|
## List of WIP-work only apps from Microsoft
|
||||||
Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions.
|
Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with Windows Information Protection and MAM solutions.
|
||||||
|
|
||||||
- Skype for Business
|
- Skype for Business
|
||||||
|
|
||||||
@ -102,7 +102,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
|
|||||||
| PowerPoint Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.PowerPoint<br>**App Type:** Universal app |
|
| PowerPoint Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.PowerPoint<br>**App Type:** Universal app |
|
||||||
| OneNote | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.OneNote<br>**App Type:** Universal app |
|
| OneNote | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.OneNote<br>**App Type:** Universal app |
|
||||||
| Outlook Mail and Calendar | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** microsoft.windowscommunicationsapps<br>**App Type:** Universal app |
|
| Outlook Mail and Calendar | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** microsoft.windowscommunicationsapps<br>**App Type:** Universal app |
|
||||||
| Microsoft 365 Apps for enterprise and Office 2019 Professional Plus | Microsoft 365 Apps for enterprise and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.<br>We don't recommend setting up Office by using individual paths or publisher rules. |
|
| Microsoft 365 Apps for enterprise and Office 2019 Professional Plus | Microsoft 365 Apps for enterprise and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for Windows Information Protection.<br>We don't recommend setting up Office by using individual paths or publisher rules. |
|
||||||
| Microsoft Photos | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Windows.Photos<br>**App Type:** Universal app |
|
| Microsoft Photos | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Windows.Photos<br>**App Type:** Universal app |
|
||||||
| Groove Music | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneMusic<br>**App Type:** Universal app |
|
| Groove Music | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneMusic<br>**App Type:** Universal app |
|
||||||
| Microsoft Movies & TV | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneVideo<br>**App Type:** Universal app |
|
| Microsoft Movies & TV | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneVideo<br>**App Type:** Universal app |
|
||||||
|
@ -22,7 +22,7 @@ ms.localizationpriority: medium
|
|||||||
**Applies to:**
|
**Applies to:**
|
||||||
- Windows 10, version 1607 and later
|
- Windows 10, version 1607 and later
|
||||||
|
|
||||||
This following list provides info about the most common problems you might encounter while running WIP in your organization.
|
This following list provides info about the most common problems you might encounter while running Windows Information Protection in your organization.
|
||||||
|
|
||||||
- **Limitation**: Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.
|
- **Limitation**: Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.
|
||||||
- **How it appears**:
|
- **How it appears**:
|
||||||
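Review bot: the context line "This following list provides info about the most common problems..." is ungrammatical ("This following" should be "The following") and, because it is the first line of the section, it is repeated in the `@@` header of every later hunk in this file; since the line is already being touched for the WIP expansion, fix the article in the same edit.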
@ -33,12 +33,12 @@ This following list provides info about the most common problems you might encou
|
|||||||
|
|
||||||
We strongly recommend educating employees about how to limit or eliminate the need for this decryption.
|
We strongly recommend educating employees about how to limit or eliminate the need for this decryption.
|
||||||
|
|
||||||
- **Limitation**: Direct Access is incompatible with WIP.
|
- **Limitation**: Direct Access is incompatible with Windows Information Protection.
|
||||||
- **How it appears**: Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource.
|
- **How it appears**: Direct Access might experience problems with how Windows Information Protection enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource.
|
||||||
- **Workaround**: We recommend that you use VPN for client access to your intranet resources.
|
- **Workaround**: We recommend that you use VPN for client access to your intranet resources.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> VPN is optional and isn’t required by WIP.
|
> VPN is optional and isn’t required by Windows Information Protection.
|
||||||
|
|
||||||
- **Limitation**: **NetworkIsolation** Group Policy setting takes precedence over MDM Policy settings.
|
- **Limitation**: **NetworkIsolation** Group Policy setting takes precedence over MDM Policy settings.
|
||||||
- **How it appears**: The **NetworkIsolation** Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.
|
- **How it appears**: The **NetworkIsolation** Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.
|
||||||
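Review bot: the "How it appears" bullet for Direct Access now expands only the first occurrence, giving "how Windows Information Protection enforces app behavior and data movement because of how WIP determines what is and isn't a corporate network resource" in a single sentence. Use one form per sentence; and note the unchanged NetworkIsolation bullet a few lines later ("WIP relies on these policies being correctly configured") still uses the abbreviation, so the section as a whole needs a single convention rather than line-by-line replacements.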
@ -48,7 +48,7 @@ This following list provides info about the most common problems you might encou
|
|||||||
- **How it appears**: If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft.
|
- **How it appears**: If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft.
|
||||||
- **Workaround**: We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app.
|
- **Workaround**: We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app.
|
||||||
|
|
||||||
- **Limitation**: WIP is designed for use by a single user per device.
|
- **Limitation**: Windows Information Protection is designed for use by a single user per device.
|
||||||
- **How it appears**: A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process.
|
- **How it appears**: A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process.
|
||||||
- **Workaround**: We recommend only having one user per managed device.
|
- **Workaround**: We recommend only having one user per managed device.
|
||||||
|
|
||||||
@ -67,14 +67,14 @@ This following list provides info about the most common problems you might encou
|
|||||||
|
|
||||||
- **Limitation**: Changing your primary Corporate Identity isn’t supported.
|
- **Limitation**: Changing your primary Corporate Identity isn’t supported.
|
||||||
- **How it appears**: You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.
|
- **How it appears**: You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.
|
||||||
- **Workaround**: Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.
|
- **Workaround**: Turn off Windows Information Protection for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.
|
||||||
|
|
||||||
- **Limitation**: Redirected folders with Client-Side Caching are not compatible with WIP.
|
- **Limitation**: Redirected folders with Client-Side Caching are not compatible with Windows Information Protection.
|
||||||
- **How it appears**: Apps might encounter access errors while attempting to read a cached, offline file.
|
- **How it appears**: Apps might encounter access errors while attempting to read a cached, offline file.
|
||||||
- **Workaround**: Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
|
- **Workaround**: Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> For more info about Work Folders and Offline Files, see the [Work Folders and Offline Files support for Windows Information Protection blog](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
|
> For more info about Work Folders and Offline Files, see the [Work Folders and Offline Files support for Windows Information Protection blog](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and Windows Information Protection, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
|
||||||
|
|
||||||
- **Limitation**: An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.
|
- **Limitation**: An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.
|
||||||
- **How it appears**:
|
- **How it appears**:
|
||||||
@ -83,23 +83,23 @@ This following list provides info about the most common problems you might encou
|
|||||||
- Local **Work** data copied to the WIP-managed device remains **Work** data.
|
- Local **Work** data copied to the WIP-managed device remains **Work** data.
|
||||||
- **Work** data that is copied between two apps in the same session remains ** data.
|
- **Work** data that is copied between two apps in the same session remains ** data.
|
||||||
|
|
||||||
- **Workaround**: Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default.
|
- **Workaround**: Disable RDP to prevent access because there is no way to restrict access to only devices managed by Windows Information Protection. RDP is disabled by default.
|
||||||
|
|
||||||
- **Limitation**: You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.
|
- **Limitation**: You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.
|
||||||
- **How it appears**: A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.
|
- **How it appears**: A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.
|
||||||
- **Workaround**: Open File Explorer and change the file ownership to **Personal** before you upload.
|
- **Workaround**: Open File Explorer and change the file ownership to **Personal** before you upload.
|
||||||
|
|
||||||
- **Limitation**: ActiveX controls should be used with caution.
|
- **Limitation**: ActiveX controls should be used with caution.
|
||||||
- **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP.
|
- **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using Windows Information Protection.
|
||||||
- **Workaround**: We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.
|
- **Workaround**: We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.
|
||||||
|
|
||||||
For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).
|
For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).
|
||||||
|
|
||||||
- **Limitation**: Resilient File System (ReFS) isn't currently supported with WIP.
|
- **Limitation**: Resilient File System (ReFS) isn't currently supported with Windows Information Protection.
|
||||||
- **How it appears**:Trying to save or transfer WIP files to ReFS will fail.
|
- **How it appears**:Trying to save or transfer Windows Information Protection files to ReFS will fail.
|
||||||
- **Workaround**: Format drive for NTFS, or use a different drive.
|
- **Workaround**: Format drive for NTFS, or use a different drive.
|
||||||
|
|
||||||
- **Limitation**: WIP isn’t turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**:
|
- **Limitation**: Windows Information Protection isn’t turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**:
|
||||||
- AppDataRoaming
|
- AppDataRoaming
|
||||||
- Desktop
|
- Desktop
|
||||||
- StartMenu
|
- StartMenu
|
||||||
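Review bot: the unchanged context line "**Work** data that is copied between two apps in the same session remains ** data." has an empty bold span where the second "Work" is missing; it should read "remains **Work** data." Two more defects sit in lines this hunk touches: the ReFS bullet "**How it appears**:Trying to save..." lacks a space after the colon, and the expansion to "transfer Windows Information Protection files to ReFS" reads as if the files belong to the product; "files protected by Windows Information Protection" or simply "WIP-protected files" says what is meant.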
@ -116,10 +116,10 @@ This following list provides info about the most common problems you might encou
|
|||||||
|
|
||||||
<br/>
|
<br/>
|
||||||
|
|
||||||
- **How it appears**: WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.
|
- **How it appears**: Windows Information Protection isn’t turned on for employees in your organization. Error code 0x807c0008 will result if Windows Information Protection is deployed by using Microsoft Endpoint Configuration Manager.
|
||||||
- **Workaround**: Don’t set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders. You can configure this parameter, as described [Disable Offline Files on individual redirected folders](/windows-server/storage/folder-redirection/disable-offline-files-on-folders).
|
- **Workaround**: Don’t set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders. You can configure this parameter, as described [Disable Offline Files on individual redirected folders](/windows-server/storage/folder-redirection/disable-offline-files-on-folders).
|
||||||
|
|
||||||
If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline.
|
If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports Windows Information Protection, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after Windows Information Protection is already in place, you might be unable to open your files offline.
|
||||||
|
|
||||||
For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
|
For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
|
||||||
|
|
||||||
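Review bot: the workaround line "You can configure this parameter, as described [Disable Offline Files on individual redirected folders](...)" is missing the preposition before the link; it should be "as described in [Disable Offline Files ...]". The line is part of this hunk's context, so it can be fixed in the same change.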
@ -134,7 +134,7 @@ This following list provides info about the most common problems you might encou
|
|||||||
- **How it appears**: Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.
|
- **How it appears**: Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.
|
||||||
- **Workaround**: If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.
|
- **Workaround**: If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.
|
||||||
|
|
||||||
- **Limitation**: OneNote notebooks on OneDrive for Business must be properly configured to work with WIP.
|
- **Limitation**: OneNote notebooks on OneDrive for Business must be properly configured to work with Windows Information Protection.
|
||||||
- **How it appears**: OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it.
|
- **How it appears**: OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it.
|
||||||
- **Workaround**: OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps:
- **Workaround**: OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps:
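Review bot: the unchanged "How it appears" line for the OneNote limitation is ungrammatical ("will show an error and unable to view it"); since this block is already being edited, change it to "will show an error, and the notebook can't be viewed." The workaround in the same block is also self-contradictory as written: it says copied notebooks "should get fixed automatically" and then "To do this, follow these steps", so either drop the automatic claim or say the steps are needed only when the automatic repair doesn't happen.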
@ -150,6 +150,6 @@ This following list provides info about the most common problems you might encou
> [!NOTE]
> [!NOTE]
>
>
> - When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files.
> - When corporate data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files.
>
>
> - Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
> - Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
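Review bot: the "Contributing to our content" link in this note points at the master branch (https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md); check that the repository's default branch is still named that, and if it was renamed, update the path in this same edit rather than relying on GitHub's branch redirect. The EFS bullet itself is fine after the wording change, but it mixes forms within one note ("Windows Information Protection uses..." followed by unchanged "WIP" elsewhere on the page), so settle on one form after the acronym is defined.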
@ -27,7 +27,7 @@ This list provides all of the tasks and settings that are required for the opera
|Task|Description|
|Task|Description|
|----|-----------|
|----|-----------|
|Add at least one app of each type (Store and Desktop) to the **Protected apps** list in your WIP policy.|You must have at least one Store app and one Desktop app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics. |
|Add at least one app of each type (Store and Desktop) to the **Protected apps** list in your WIP policy.|You must have at least one Store app and one Desktop app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics. |
|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage the WIP protection mode for your enterprise data](./create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Choose your Windows Information Protection protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage Windows Information Protection mode for your enterprise data](./create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
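Review bot: "Choose your Windows Information Protection protection level" doubles the word "protection"; use "Choose your Windows Information Protection level" (or keep "WIP protection level", since the rest of the row still says "WIP-protected content"). In the same row the link text was renamed to "Manage Windows Information Protection mode for your enterprise data" but the fragment is still #manage-the-wip-protection-level-for-your-enterprise-data; if the heading in create-wip-policy-using-configmgr.md was renamed in this change, the fragment must change with it, and if it wasn't, the link text should match the real heading. Adjacent and unchanged, but worth fixing while here: the "Specify your corporate identity" row is missing its closing | cell delimiter, and the IPv4/IPv6 row sends readers to the "Define your enterprise-managed corporate identity" section for a table that the preceding row places under "Choose where apps can access enterprise data"; check which section actually holds it.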
@ -31,14 +31,14 @@ With the increase of employee-owned devices in the enterprise, there’s also an
Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
>[!IMPORTANT]
>[!IMPORTANT]
>While WIP can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from removing enterprise data. For more details about the benefits WIP provides, see [Why use WIP?](#why-use-wip) later in this topic.
>While Windows Information Protection can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from removing enterprise data. For more details about the benefits WIP provides, see [Why use WIP?](#why-use-wip) later in this topic.
## Video: Protect enterprise data from being accidentally copied to the wrong place
## Video: Protect enterprise data from being accidentally copied to the wrong place
> [!Video https://www.microsoft.com/videoplayer/embed/RE2IGhh]
> [!Video https://www.microsoft.com/videoplayer/embed/RE2IGhh]
## Prerequisites
## Prerequisites
You’ll need this software to run WIP in your enterprise:
You’ll need this software to run Windows Information Protection in your enterprise:
|Operating system | Management solution |
|Operating system | Management solution |
|-----------------|---------------------|
|-----------------|---------------------|
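Review bot: the first paragraph of this hunk already defines "Windows Information Protection (WIP)", so the expansions in the IMPORTANT note and in the Prerequisites sentence are redundant, and the note now switches form mid-paragraph ("Windows Information Protection can stop ... benefits WIP provides"). Pick one form per paragraph once the acronym is defined. Leaving the "## Why use WIP?" heading untouched, as this change does, is correct: the in-page link (#why-use-wip) in the note depends on that heading text, so any later pass that expands headings must update the fragment too.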
@ -70,7 +70,7 @@ After the type of protection is set, the creating app encrypts the document so t
Finally, there’s the risk of data leaking from your company when an employee leaves or unenrolls a device. Previously, you would simply erase all of the corporate data from the device, along with any other personal data on the device.
Finally, there’s the risk of data leaking from your company when an employee leaves or unenrolls a device. Previously, you would simply erase all of the corporate data from the device, along with any other personal data on the device.
## Benefits of WIP
## Benefits of WIP
WIP provides:
Windows Information Protection provides:
- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
- Additional data protection for existing line-of-business apps without a need to update the apps.
- Additional data protection for existing line-of-business apps without a need to update the apps.
@ -79,12 +79,12 @@ WIP provides:
- Use of audit reports for tracking issues and remedial actions.
- Use of audit reports for tracking issues and remedial actions.
- Integration with your existing management system (Microsoft Intune, Microsoft Endpoint Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company.
- Integration with your existing management system (Microsoft Intune, Microsoft Endpoint Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage Windows Information Protection for your company.
## Why use WIP?
## Why use WIP?
WIP is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
Windows Information Protection is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. WIP helps protect enterprise on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. Windows Information Protection helps protect enterprise on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
- **Manage your enterprise documents, apps, and encryption modes.**
- **Manage your enterprise documents, apps, and encryption modes.**
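Review bot: "Windows Information Protection helps protect enterprise on both corporate and employee-owned devices" is missing its noun and should read "helps protect enterprise data on both corporate and employee-owned devices"; the line is being touched anyway, so fix it here. The same bullet, and the paragraph under "## Why use WIP?", now alternate between "Windows Information Protection" and "WIP" in consecutive sentences; use one form within a paragraph.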
@ -99,21 +99,21 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give
- **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
- **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
- **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
- **Data encryption at rest.** Windows Information Protection helps protect enterprise data on local files and on removable media.
Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document.
Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies Windows Information Protection to the new document.
- **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
- **Helping prevent accidental data disclosure to public spaces.** Windows Information Protection helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
- **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
- **Helping prevent accidental data disclosure to removable media.** Windows Information Protection helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
- **Remove access to enterprise data from enterprise-protected devices.** Windows Information Protection gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
>[!NOTE]
>[!NOTE]
>For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager.<br>Microsoft Endpoint Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
>For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager.<br>Microsoft Endpoint Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
## How WIP works
## How WIP works
WIP helps address your everyday challenges in the enterprise. Including:
Windows Information Protection helps address your everyday challenges in the enterprise. Including:
- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down.
- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down.
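Review bot: in the "Deciding your level of data access" bullet, "Hiding overrides stops the action immediately" names a mode that doesn't exist; the modes this page lists are Block, Allow overrides and Silent, so it should read "Block stops the action immediately." Two smaller points on touched lines: "These apps are being referred to as, enterprise aware." has a stray comma ("are referred to as enterprise aware"), and the Surface note's "Microsoft Endpoint Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device" is ambiguous now that Endpoint Manager is the umbrella name for both Intune and Configuration Manager; say which product performs the factory reset, because the bullet just above says Intune revokes the key while leaving personal data alone.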
@ -124,7 +124,7 @@ WIP helps address your everyday challenges in the enterprise. Including:
- Helping control the network and data access and data sharing for apps that aren’t enterprise aware
- Helping control the network and data access and data sharing for apps that aren’t enterprise aware
### Enterprise scenarios
### Enterprise scenarios
WIP currently addresses these enterprise scenarios:
Windows Information Protection currently addresses these enterprise scenarios:
- You can encrypt enterprise data on employee-owned and corporate-owned devices.
- You can encrypt enterprise data on employee-owned and corporate-owned devices.
- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
@ -134,21 +134,21 @@ WIP currently addresses these enterprise scenarios:
- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.
- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.
### <a href="" id="bkmk-modes"></a>WIP-protection modes
### <a href="" id="bkmk-modes"></a>WIP-protection modes
Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.
Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.
Your WIP policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned.
Your Windows Information Protection policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned.
>[!NOTE]
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
You can set your WIP policy to use 1 of 4 protection and management modes:
You can set your Windows Information Protection policy to use 1 of 4 protection and management modes:
|Mode|Description|
|Mode|Description|
|----|-----------|
|----|-----------|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
|Block |Windows Information Protection looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
|Allow overrides |Windows Information Protection looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
|Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Silent |Windows Information Protection runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Off |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on. |
|Off |Windows Information Protection is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn Windows Information Protection back on. |
## Turn off WIP
## Turn off WIP
You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied.
You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied.
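Review bot: the "Off" row and the "Turn off WIP" paragraph both warn that "your previous decryption and policy info" won't be reapplied when protection is turned back on; the state that is lost is the encryption and tagging of files (the row itself says turning WIP off decrypts them), so "decryption" looks like it should be "encryption". Confirm the intent before the wording is propagated further in the acronym-expansion pass. Two style points on touched lines: "1 of 4 protection and management modes" reads better as "one of four", and "turn off all Windows Information Protection and restrictions" should be "turn off Windows Information Protection and all of its restrictions".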
@ -25,7 +25,7 @@ ms.reviewer:
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a WIP policy. If you are using Intune, the SharePoint entries may be added automatically.
We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a Windows Information Protection policy. If you are using Intune, the SharePoint entries may be added automatically.
## Recommended Enterprise Cloud Resources
## Recommended Enterprise Cloud Resources
@ -29,7 +29,7 @@ Use Task Manager to check the context of your apps while running in Windows Info
## Viewing the Enterprise Context column in Task Manager
## Viewing the Enterprise Context column in Task Manager
You need to add the Enterprise Context column to the **Details** tab of the Task Manager.
You need to add the Enterprise Context column to the **Details** tab of the Task Manager.
1. Make sure that you have an active WIP policy deployed and turned on in your organization.
1. Make sure that you have an active Windows Information Protection policy deployed and turned on in your organization.
2. Open the Task Manager (taskmgr.exe), click the **Details** tab, right-click in the column heading area, and click **Select columns**.
2. Open the Task Manager (taskmgr.exe), click the **Details** tab, right-click in the column heading area, and click **Select columns**.
@ -50,7 +50,7 @@ The **Enterprise Context** column shows you what each app can do with your enter
- **Personal.** Shows the text, *Personal*. This app is considered non-work-related and can't touch any work data or resources.
- **Personal.** Shows the text, *Personal*. This app is considered non-work-related and can't touch any work data or resources.
- **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components).
- **Exempt.** Shows the text, *Exempt*. Windows Information Protection policies don't apply to these apps (such as, system components).
> [!Important]
> [!Important]
> Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials.
> Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials.
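Review bot: the touched "Exempt" line keeps a stray comma in "(such as, system components)"; make it "(such as system components)".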
@ -78,12 +78,10 @@ sections:
- question: |
- question: |
What is the WDAGUtilityAccount local account?
What is the WDAGUtilityAccount local account?
answer: |
answer: |
WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error:
WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. It requires *Logon as a service* permissions to be able to function correctly. If this permission is denied, you might see the following error:
|
||||||
|
|
||||||
**Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000**
|
**Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000**
|
||||||
|
|
||||||
We recommend that you don't modify this account.
|
|
||||||
|
|
||||||
- question: |
|
- question: |
|
||||||
How do I trust a subdomain in my site list?
|
How do I trust a subdomain in my site list?
|
||||||
answer: |
|
answer: |
|
||||||
|
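Review bot: The new sentence names the user right as *Logon as a service*, but the Local Security Policy display name is "Log on as a service" (the SeServiceLogonRight privilege); use the policy's exact name so an admin can find it under User Rights Assignment. Separately, the sentence "We recommend that you don't modify this account." appears only on the old side of this hunk and the header counts -12 +10, so it looks dropped; since this answer exists to stop admins from treating WDAGUtilityAccount as suspicious and tampering with it, keep that recommendation alongside the new "It requires ... to function correctly" sentence.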
@ -26,9 +26,9 @@ This topic provides links to articles with information about what's new in each
|
|||||||
|
|
||||||
## The Long-Term Servicing Channel (LTSC)
|
## The Long-Term Servicing Channel (LTSC)
|
||||||
|
|
||||||
The following table summarizes equivalent feature update versions of Windows 10 LTSC and General Availability Channel (SAC) releases.
|
The following table summarizes equivalent feature update versions of Windows 10 LTSC and General Availability Channel (GA Channel) releases.
|
||||||
|
|
||||||
| LTSC release | Equivalent SAC release | Availability date |
|
| LTSC release | Equivalent GA Channel release | Availability date |
|
||||||
| --- | --- | --- |
|
| --- | --- | --- |
|
||||||
| Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 |
|
| Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 |
|
||||||
| Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 |
|
| Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 |
|
||||||
|
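Review bot: Renaming SAC to GA Channel in the intro sentence and the table header leaves any other "SAC" or "Semi-Annual Channel" mentions in the same article untouched (this hunk covers only lines 26 to 34 of the file); check the rest of the file so the terminology is consistent after the change. Style: the Availability date column uses numeric dates such as 7/29/2015, which are ambiguous outside the US; "July 29, 2015" avoids the ambiguity.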
@ -201,7 +201,7 @@ New features in [Windows Hello for Business](/windows/security/identity-protecti
|
|||||||
|
|
||||||
- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign-in, and will notify Dynamic lock users if Dynamic lock has stopped working because their device Bluetooth is off.
|
- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign-in, and will notify Dynamic lock users if Dynamic lock has stopped working because their device Bluetooth is off.
|
||||||
|
|
||||||
- You can set up Windows Hello from lock screen for MSA accounts. We've made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
|
- You can set up Windows Hello from lock screen for Microsoft accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
|
||||||
|
|
||||||
- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync) for secondary account SSO for a particular identity provider.
|
- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync) for secondary account SSO for a particular identity provider.
|
||||||
|
|
||||||
|
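Review bot: The reworded bullet replaces the straight apostrophe in "We've" with a typographic one ("We’ve"), which differs from the surrounding bullets; keep ASCII punctuation as in the rest of the list so quote styles do not drift between files. The MSA to "Microsoft accounts" change is the right direction; "from lock screen" should be "from the lock screen" while the line is being touched.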
@ -139,7 +139,7 @@ Windows Hello enhancements include:
|
|||||||
- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
|
- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
|
||||||
- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
|
- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
|
||||||
- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
|
- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
|
||||||
- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
|
- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
|
||||||
- With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data.
|
- With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data.
|
||||||
- Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present.
|
- Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present.
|
||||||
- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
|
- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
|
||||||
|
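Review bot: The modified bullet now says "passwordless authentication" and "Azure Active Directory", but the FIDO2 certification bullet a few lines below in the same list still says "password-less login" and "Azure AD"; since this PR normalises names, align those two terms within the list as well. Also "phone number sign-in (Microsoft account)" reads as if "Microsoft account" were another name for phone number sign-in; "phone number sign-in for Microsoft accounts" states the relationship.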
@ -145,7 +145,7 @@ The OS uninstall period is a length of time that users are given when they can o
|
|||||||
- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
|
- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
|
||||||
- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
|
- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
|
||||||
- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.
|
- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.
|
||||||
- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
|
- You can set up Windows Hello from lock screen for Microsoft accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
|
||||||
- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider.
|
- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider.
|
||||||
- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off).
|
- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off).
|
||||||
|
|
||||||
|
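Review bot: The last bullet in this hunk still abbreviates Windows Defender Security Center as "WD SC", the same kind of unexplained abbreviation this PR is removing for MSA; expand it to "Windows Defender Security Center actionable alerts". The Account Protection context bullet also uses "faster sign in" where the changed line uses "sign-in"; use the hyphenated noun form throughout the list.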
@ -32,7 +32,7 @@ To download and install Windows 10, version 2004, use Windows Update (**Settings
|
|||||||
|
|
||||||
- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
|
- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
|
||||||
|
|
||||||
- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
|
- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
|
||||||
|
|
||||||
### Windows Defender System Guard
|
### Windows Defender System Guard
|
||||||
|
|
||||||
|
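Review bot: This bullet is word-for-word the same as the one changed in the 20H2 what's-new file, so whatever final wording is chosen for "phone number sign-in (Microsoft account)" should be applied identically in both files; "phone number sign-in for Microsoft accounts" is the clearer form, because the parenthetical otherwise reads as an alias for phone number sign-in rather than the account type it applies to.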