Merge branch 'main' into main

.openpublishing.redirection.json

@@ -6538,7 +6538,7 @@
     {
       "source_path": "windows/access-protection/access-control/dynamic-access-control.md",
       "redirect_url": "/windows-server/identity/solution-guides/dynamic-access-control-overview",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/access-protection/access-control/local-accounts.md",
@@ -6635,6 +6635,86 @@
       "redirect_url": "/education/windows/switch-to-pro-education",
       "redirect_document_id": false
     },
+    {
+      "source_path": "windows/client-management/administrative-tools-in-windows-10.md",
+      "redirect_url": "/windows/client-management/client-tools/administrative-tools-in-windows",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/client-management/change-default-removal-policy-external-storage-media.md",
+      "redirect_url": "/windows/client-management/client-tools/change-default-removal-policy-external-storage-media",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/client-management/connect-to-remote-aadj-pc.md",
+      "redirect_url": "/windows/client-management/client-tools/connect-to-remote-aadj-pc",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/client-management/group-policies-for-enterprise-and-education-editions.md",
+      "redirect_url": "https://www.microsoft.com/en-us/search/explore?q=Group+Policy+Settings+Reference+Spreadsheet",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/client-management/manage-device-installation-with-group-policy.md",
+      "redirect_url": "/windows/client-management/client-tools/manage-device-installation-with-group-policy",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/client-management/manage-settings-app-with-group-policy.md",
+      "redirect_url": "/windows/client-management/client-tools/manage-settings-app-with-group-policy",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/client-management/mandatory-user-profile.md",
+      "redirect_url": "/windows/client-management/client-tools/mandatory-user-profile",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/client-management/new-policies-for-windows-10.md",
+      "redirect_url": "https://www.microsoft.com/en-us/search/explore?q=Group+Policy+Settings+Reference+Spreadsheet",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/client-management/quick-assist.md",
+      "redirect_url": "/windows/client-management/client-tools/quick-assist",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/client-management/windows-libraries.md",
+      "redirect_url": "/windows/client-management/client-tools/windows-libraries",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/client-management/windows-version-search.md",
+      "redirect_url": "/windows/client-management/client-tools/windows-version-search",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/client-management/manage-corporate-devices.md",
+      "redirect_url": "/windows/client-management/manage-windows-10-in-your-organization-modern-management",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md",
+      "redirect_url": "/azure/active-directory/fundamentals/active-directory-access-create-new-tenant",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/client-management/register-your-free-azure-active-directory-subscription.md",
+      "redirect_url": "/microsoft-365/compliance/use-your-free-azure-ad-subscription-in-office-365",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/client-management/appv-deploy-and-config.md",
+      "redirect_url": "/windows/application-management/app-v/appv-for-windows",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/client-management/diagnose-mdm-failures-in-windows-10.md",
+      "redirect_url": "/windows/client-management/mdm-collect-logs",
+      "redirect_document_id": false
+    },
     {
       "source_path": "windows/client-management/mdm/policy-admx-backed.md",
       "redirect_url": "/windows/client-management/mdm/policy-configuration-service-provider",
@@ -19313,22 +19393,22 @@
     {
       "source_path": "windows/deployment/update/change-history-for-update-windows-10.md",
       "redirect_url": "/windows/deployment/deploy-whats-new",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md",
       "redirect_url": "/windows/client-management/mdm/policy-csp-admx-wordwheel",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md",
       "redirect_url": "/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/client-management/mdm/policy-csp-admx-skydrive.md",
       "redirect_url": "/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md",
@@ -19338,7 +19418,7 @@
     {
       "source_path": "windows/privacy/windows-endpoints-1709-non-enterprise-editions.md",
       "redirect_url": "/windows/privacy/windows-endpoints-21h1-non-enterprise-editions",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/privacy/windows-endpoints-1803-non-enterprise-editions.md",
@@ -19348,7 +19428,7 @@
     {
       "source_path": "windows/privacy/manage-windows-1709-endpoints.md",
       "redirect_url": "/windows/privacy/manage-windows-21h2-endpoints",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/privacy/manage-windows-1803-endpoints.md",
@@ -19772,7 +19852,7 @@
     },
     {
       "source_path": "windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md",
-      "redirect_url": "/windows/client-management/diagnose-mdm-failures-in-windows-10",
+      "redirect_url": "/windows/client-management/mdm-collect-logs",
       "redirect_document_id": false
     },
     {
@@ -20343,27 +20423,27 @@
     {
       "source_path": "windows/deployment/windows-autopatch/prepare/index.md",
       "redirect_url": "/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopatch/deploy/index.md",
       "redirect_url": "/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopatch/operate/index.md",
       "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md",
       "redirect_url": "/windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-preview-addendum.md",
       "redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-overview",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md",
@@ -20378,7 +20458,7 @@
     {
       "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md",
       "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md",
@@ -20428,12 +20508,12 @@
     {
       "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md",
       "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md",
       "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md",
@@ -20463,17 +20543,17 @@
     {
       "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md",
       "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md",
       "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md",
       "redirect_url": "/windows/configuration/provisioning-packages/provision-pcs-with-apps",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/configuration/cortana-at-work/cortana-at-work-crm.md",
@@ -20493,7 +20573,7 @@
     {
       "source_path": "windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md",
       "redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard-protection-limits",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md",
@@ -20518,7 +20598,7 @@
     {
       "source_path": "windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md",
       "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-faq",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md",
@@ -20533,92 +20613,92 @@
     {
       "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md",
       "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md",
       "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md",
       "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md",
       "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md",
       "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md",
       "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md",
       "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md",
       "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md",
       "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md",
       "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md",
       "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md",
       "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md",
       "redirect_url": "/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/client-management/mdm/policy-ddf-file.md",
       "redirect_url": "/windows/client-management/mdm/configuration-service-provider-ddf",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/client-management/mdm/applocker-xsd.md",
       "redirect_url": "/windows/client-management/mdm/applocker-csp#policy-xsd-schema",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/client-management/mdm/vpnv2-profile-xsd.md",
       "redirect_url": "/windows/client-management/mdm/vpnv2-csp#profilexml-xsd-schema",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md",
       "redirect_url": "/windows/client-management/mdm/enterprisedesktopappmanagement-csp#downloadinstall-xsd-schema",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/client-management/mdm/enterprisemodernappmanagement-xsd.md",
       "redirect_url": "/windows/client-management/mdm/enterprisemodernappmanagement-csp#enterprisemodernappmanagement-xsd",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "education/windows/education-scenarios-store-for-business.md",
@@ -20638,11 +20718,6 @@
     {
       "source_path": "windows/security/identity-protection/credential-guard/dg-readiness-tool.md",
       "redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard",
-      "redirect_document_id": true
-    },
-    {
-      "source_path": "windows/security/information-protection/tpm/change-the-tpm-owner-password.md",
-      "redirect_url": "/windows/security",
       "redirect_document_id": false
     },
     {
@@ -20660,16 +20735,6 @@
       "redirect_url": "/windows/security",
       "redirect_document_id": false
     },
-    {
-      "source_path": "windows/security/information-protection/tpm/manage-tpm-commands.md",
-      "redirect_url": "/windows/security",
-      "redirect_document_id": false
-    },
-    {
-      "source_path": "windows/security/information-protection/tpm/manage-tpm-lockout.md",
-      "redirect_url": "/windows/security",
-      "redirect_document_id": false
-    },
     {
       "source_path": "windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md",
       "redirect_url": "/windows/security",
@@ -20734,11 +20799,11 @@
       "source_path": "windows/deployment/update/quality-updates.md",
       "redirect_url": "/windows/deployment/update/release-cycle",
       "redirect_document_id": false
-    },    
+    },
     {
       "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md",
       "redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "store-for-business/sign-up-microsoft-store-for-business.md",

browsers/edge/docfx.json

@@ -56,7 +56,8 @@
         "claydetels19", 
         "jborsecnik",
         "tiburd",
-        "garycentric"
+        "garycentric",
+        "beccarobins"
       ]
     },
     "fileMetadata": {},

browsers/internet-explorer/docfx.json

@@ -47,7 +47,8 @@
         "claydetels19", 
         "jborsecnik",
         "tiburd",
-        "garycentric"
+        "garycentric",
+        "beccarobins"
       ]
     },
     "externalReference": [],

education/docfx.json

@@ -64,7 +64,8 @@
         "dstrome",
         "v-dihans",
         "garycentric",
-        "v-stsavell"
+        "v-stsavell",
+        "beccarobins"
       ]
     },
     "fileMetadata": {
@@ -81,4 +82,4 @@
     "dest": "education",
     "markdownEngineName": "markdig"
 }
-}
+}

education/includes/education-content-updates.md

@@ -2,6 +2,14 @@
 
 
 
+## Week of April 10, 2023
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 4/11/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
+
+
 ## Week of March 20, 2023
 
 
@@ -15,41 +23,3 @@
 | 3/22/2023 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
 | 3/22/2023 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
 | 3/22/2023 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
-
-
-## Week of March 06, 2023
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 3/8/2023 | Change to Windows 10 Education from Windows 10 Pro | removed |
-| 3/8/2023 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
-| 3/8/2023 | Enable S mode on Surface Go devices for Education | removed |
-| 3/8/2023 | Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode | removed |
-| 3/8/2023 | Test Windows 10 in S mode on existing Windows 10 education devices | removed |
-| 3/9/2023 | [Windows for Education documentation](/education/windows/index) | modified |
-
-
-## Week of February 27, 2023
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 2/28/2023 | [Configure federation between Google Workspace and Azure AD](/education/windows/configure-aad-google-trust) | modified |
-| 2/28/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
-
-
-## Week of February 20, 2023
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 2/22/2023 | [Upgrade Windows Home to Windows Education on student-owned devices](/education/windows/change-home-to-edu) | modified |
-| 2/22/2023 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
-| 2/22/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | modified |
-| 2/22/2023 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | modified |
-| 2/22/2023 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | modified |
-| 2/23/2023 | Education scenarios Microsoft Store for Education | removed |
-| 2/23/2023 | [Get and deploy Minecraft Education](/education/windows/get-minecraft-for-education) | modified |
-| 2/23/2023 | For IT administrators get Minecraft Education Edition | removed |
-| 2/23/2023 | For teachers get Minecraft Education Edition | removed |

education/windows/configure-aad-google-trust.md

@@ -1,7 +1,7 @@
 ---
 title: Configure federation between Google Workspace and Azure AD
 description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD.
-ms.date: 02/24/2023
+ms.date: 04/04/2023
 ms.topic: how-to
 appliesto:
 ---
@@ -69,54 +69,60 @@ Now that the app is configured, you must enable it for the users in Google Works
 ## Configure Azure AD as a Service Provider (SP) for Google Workspace
 
 The configuration of Azure AD consists of changing the authentication method for the custom DNS domains. This configuration can be done using PowerShell.\
-Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in an elevated PowerShell session. When prompted to authenticate to Azure AD, use the credentials of an account with the *Global Administrator* role.
+Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in a PowerShell session. When prompted to authenticate to Azure AD, use the credentials of an account with the *Global Administrator* role.
 
 ```powershell
-Install-Module -Name MSOnline
-Import-Module MSOnline
+Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
+Install-Module Microsoft.Graph -Scope CurrentUser
+Import-Module Microsoft.Graph
 
-$DomainName = "<your domain name>"
+$domainId = "<your domain name>"
 
 $xml = [Xml](Get-Content GoogleIDPMetadata.xml)
 
 $cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
 $issuerUri = $xml.EntityDescriptor.entityID
-$logOnUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
-$LogOffUri = "https://accounts.google.com/logout"
-$brand = "Google Workspace Identity"
-Connect-MsolService
-$DomainAuthParams = @{
-    DomainName = $DomainName
-    Authentication = "Federated"
-    IssuerUri = $issuerUri
-    FederationBrandName = $brand
-    ActiveLogOnUri = $logOnUri
-    PassiveLogOnUri = $logOnUri
-    LogOffUri = $LogOffUri
-    SigningCertificate = $cert
-    PreferredAuthenticationProtocol = "SAMLP"
+$signinUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
+$signoutUri = "https://accounts.google.com/logout"
+$displayName = "Google Workspace Identity"
+Connect-MGGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"
+
+$domainAuthParams = @{
+  DomainId = $domainId
+  IssuerUri = $issuerUri
+  DisplayName = $displayName
+  ActiveSignInUri = $signinUri
+  PassiveSignInUri = $signinUri
+  SignOutUri = $signoutUri
+  SigningCertificate = $cert
+  PreferredAuthenticationProtocol = "saml"
+  federatedIdpMfaBehavior = "acceptIfMfaDoneByFederatedIdp"
 }
-Set-MsolDomainAuthentication @DomainAuthParams
+
+New-MgDomainFederationConfiguration @domainAuthParams
 ```
 
 To verify that the configuration is correct, you can use the following PowerShell command:
 
 ```powershell
-Get-MsolDomainFederationSettings -DomainName $DomainName
+Get-MgDomainFederationConfiguration -DomainId $domainId |fl
 ```
 
 ```output
-ActiveLogOnUri                         : https://accounts.google.com/o/saml2/idp?<GUID>
-DefaultInteractiveAuthenticationMethod : 
-FederationBrandName                    : Google Workspace Identity
-IssuerUri                              : https://accounts.google.com/o/saml2?idpid=<GUID>
-LogOffUri                              : https://accounts.google.com/logout
-MetadataExchangeUri                    : 
-NextSigningCertificate                 : 
-OpenIdConnectDiscoveryEndpoint         : 
-PassiveLogOnUri                        : https://accounts.google.com/o/saml2/idp?idpid=<GUID>
-SigningCertificate                     : <BASE64 encoded certificate>
-SupportsMfa                            : 
+ActiveSignInUri                       : https://accounts.google.com/o/saml2/idp?idpid=<GUID>
+DisplayName                           : Google Workspace Identity
+FederatedIdpMfaBehavior               : acceptIfMfaDoneByFederatedIdp
+Id                                    : 3f600dce-ab37-4798-9341-ffd34b147f70
+IsSignedAuthenticationRequestRequired :
+IssuerUri                             : https://accounts.google.com/o/saml2?idpid=<GUID>
+MetadataExchangeUri                   :
+NextSigningCertificate                :
+PassiveSignInUri                      : https://accounts.google.com/o/saml2/idp?idpid=<GUID>
+PreferredAuthenticationProtocol       : saml
+PromptLoginBehavior                   :
+SignOutUri                            : https://accounts.google.com/logout
+SigningCertificate                    : <BASE64 encoded certificate>
+AdditionalProperties                  : {}
 ```
 
 ## Verify federated authentication between Google Workspace and Azure AD

education/windows/federated-sign-in.md

@@ -1,7 +1,7 @@
 ---
 title: Configure federated sign-in for Windows devices
 description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages.
-ms.date: 03/15/2023
+ms.date: 04/11/2023
 ms.topic: how-to
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@@ -146,11 +146,16 @@ In a scenario where a user is federated and you want to change the ImmutableId,
 Here's a PowerShell example to update the ImmutableId for a federated user:
 
 ```powershell
+Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
+Install-Module Microsoft.Graph -Scope CurrentUser
+Import-Module Microsoft.Graph
+Connect-MgGraph -Scopes 'User.Read.All', 'User.ReadWrite.All'
+
 #1. Convert the user from federated to cloud-only
-Get-AzureADUser -SearchString alton@example.com | Set-AzureADUser -UserPrincipalName alton@example.onmicrosoft.com
+Update-MgUser -UserId alton@example.com -UserPrincipalName alton@example.onmicrosoft.com
 
 #2. Convert the user back to federated, while setting the immutableId
-Get-AzureADUser -SearchString alton@example.onmicrosoft.com | Set-AzureADUser -UserPrincipalName alton@example.com -ImmutableId '260051'
+Update-MgUser -UserId alton@example.onmicrosoft.com -UserPrincipalName alton@example.com -OnPremisesImmutableId '260051'
 ```
 
 ## Troubleshooting

education/windows/windows-11-se-overview.md

@@ -96,6 +96,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `CoGat Secure Browser`                    | 11.0.0.19         | Win32    | `Riverside Insights`                      |
 | `ColorVeil`                               | 4.0.0.175         | Win32    | `East-Tec`                                | 
 | `ContentKeeper Cloud`                     | 9.01.45           | Win32    | `ContentKeeper Technologies`              |
+| `DigiExam`                                | 14.0.6            | Win32    | `Digiexam`                                |
 | `Dragon Professional Individual`          | 15.00.100         | Win32    | `Nuance Communications`                   |
 | `DRC INSIGHT Online Assessments`          | 13.0.0.0          | `Store`  | `Data recognition Corporation`            |
 | `Duo from Cisco`                          | 3.0.0             | Win32    | `Cisco`                                   |
@@ -103,6 +104,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `EasyReader`                              | 10.0.3.481        | Win32    | `Dolphin Computer Access`                 |
 | `Epson iProjection`                       | 3.31              | Win32    | `Epson`                                   |
 | `eTests`                                  | 4.0.25            | Win32    | `CASAS`                                   |
+| `Exam Writepad`                           | 22.10.14.1834     | Win32    | `Sheldnet`                                |
 | `FirstVoices Keyboard`                    | 15.0.270          | Win32    | `SIL International`                       |
 | `FortiClient`                             | 7.2.0.4034+       | Win32    | `Fortinet`                                |
 | `Free NaturalReader`                      | 16.1.2            | Win32    | `Natural Soft`                            |
@@ -126,7 +128,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `MetaMoJi ClassRoom`                      | 3.12.4.0          | `Store`  | `MetaMoJi Corporation`                    |
 | `Microsoft Connect`                       | 10.0.22000.1      | `Store`  | `Microsoft`                               |
 | `Mozilla Firefox`                         | 105.0.0           | Win32    | `Mozilla`                                 |
-| `NAPLAN`                                  | 2.5.0             | Win32    | `NAP`                                     |
+| `NAPLAN`                                  | 5.2.2             | Win32    | `NAP`                                     |
 | `Netref Student`                          | 23.1.0            | Win32    | `NetRef`                                  |
 | `NetSupport Manager`                      | 12.01.0014        | Win32    | `NetSupport`                              |
 | `NetSupport Notify`                       | 5.10.1.215        | Win32    | `NetSupport`                              |
@@ -149,7 +151,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 |`TX Secure Browser`                        | 15.0.0            | Win32    | `Cambium Development`                     |
 | `VitalSourceBookShelf`                    | 10.2.26.0         | Win32    | `VitalSource Technologies Inc`            |
 | `Winbird`                                 | 19                | Win32    | `Winbird Co., Ltd.`                       |
-| `WordQ`                                   | 5.4.23            | Win32    | `WordQ`                                   |
+| `WordQ`                                   | 5.4.29            | Win32    | `WordQ`                                   |
 | `Zoom`                                    | 5.12.8 (10232)    | Win32    | `Zoom`                                    |
 | `ZoomText Fusion`                         | 2022.2109.10      | Win32    | `Freedom Scientific`                      |
 | `ZoomText Magnifier/Reader`               | 2022.2109.25      | Win32    | `Freedom Scientific`                      |

store-for-business/acquire-apps-microsoft-store-for-business.md

@@ -16,7 +16,7 @@ ms.date: 07/21/2021
 # Acquire apps in Microsoft Store for Business and Education
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 > [!IMPORTANT]
 > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).

store-for-business/add-profile-to-devices.md

@@ -19,7 +19,7 @@ ms.localizationpriority: medium
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Windows Autopilot simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot).
 

store-for-business/app-inventory-management-microsoft-store-for-business.md

@@ -3,12 +3,12 @@ title: App inventory management for Microsoft Store for Business and Microsoft S
 description: You can manage all apps that you've acquired on your Apps & Software page.
 ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2
 ms.reviewer: 
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.date: 07/21/2021
 ---
@@ -20,7 +20,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 You can manage all apps that you've acquired on your **Apps & software** page. This page shows all of the content you've acquired, including apps that from Microsoft Store, and line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Apps & software** page. On the **New LOB apps** tab, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role. 
 

store-for-business/apps-in-microsoft-store-for-business.md

@@ -3,12 +3,12 @@ title: Apps in Microsoft Store for Business and Education (Windows 10)
 description: Microsoft Store for Business has thousands of apps from many different categories.
 ms.assetid: CC5641DA-3CEA-4950-AD81-1AF1AE876926
 ms.reviewer: 
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Microsoft Store for Business and Education has thousands of apps from many different categories.
 

store-for-business/assign-apps-to-employees.md

@@ -3,12 +3,12 @@ title: Assign apps to employees (Windows 10)
 description: Administrators can assign online-licensed apps to employees and students in their organization.
 ms.assetid: A0DF4EC2-BE33-41E1-8832-DBB0EBECA31A
 ms.reviewer: 
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Admins, Purchasers, and Basic Purchasers can assign online-licensed apps to employees or students in their organization.
 

store-for-business/billing-payments-overview.md

@@ -5,19 +5,19 @@ keywords: billing, payment methods, invoices, credit card, debit card
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
 ms.reviewer: 
-manager: dansimp
 ---
 
 # Billing and payments
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Access invoices and managed your payment methods.
 

store-for-business/billing-profile.md

@@ -5,19 +5,19 @@ keywords: billing profile, invoices, charges, managed charges
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: trudyha
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
 ms.reviewer: 
-manager: dansimp
 ---
 
 # Understand billing profiles
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 For commercial customers purchasing software or hardware products from Microsoft using a Microsoft customer agreement, billing profiles let you customize what products are included on your invoice, and how you pay your invoices. 
 

store-for-business/billing-understand-your-invoice-msfb.md

@@ -4,19 +4,19 @@ description: Learn how to read and understand your MCA bill
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: trudyha
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
 ms.reviewer: 
-manager: dansimp
 ---
 
 # Understand your Microsoft Customer Agreement invoice
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 The invoice provides a summary of your charges and provides instructions for payment. It's available for
 download in the Portable Document Format (.pdf) for commercial customers from Microsoft Store for Business [Microsoft Store for Business - Invoice](https://businessstore.microsoft.com/manage/payments-billing/invoices) or can be sent via email. This article applies to invoices generated for a Microsoft Customer Agreement billing account. Check if you have a [Microsoft Customer Agreement](https://businessstore.microsoft.com/manage/organization/agreements).

store-for-business/configure-mdm-provider-microsoft-store-for-business.md

@@ -3,12 +3,12 @@ title: Configure an MDM provider (Windows 10)
 description: For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses.
 ms.assetid: B3A45C8C-A96C-4254-9659-A9B364784673
 ms.reviewer: 
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content.
 

store-for-business/distribute-apps-from-your-private-store.md

@@ -3,12 +3,12 @@ title: Distribute apps using your private store (Windows 10)
 description: The private store is a feature in Microsoft Store for Business and Microsoft Store for Education that organizations receive during the signup process.
 ms.assetid: C4644035-845C-4C84-87F0-D87EA8F5BA19
 ms.reviewer: 
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Microsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.
 

store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md

@@ -3,12 +3,12 @@ title: Distribute apps to your employees from the Microsoft Store for Business a
 description: Distribute apps to your employees from Microsoft Store for Business or Microsoft Store for Education. You can assign apps to employees,or let employees install them from your private store.
 ms.assetid: E591497C-6DFA-49C1-8329-4670F2164E9E
 ms.reviewer: 
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Distribute apps to your employees from Microsoft Store for Business and Microsoft Store for Education. You can assign apps to employees, or let employees install them from your private store.
 

store-for-business/distribute-apps-with-management-tool.md

@@ -3,12 +3,12 @@ title: Distribute apps with a management tool (Windows 10)
 description: You can configure a mobile device management (MDM) tool to synchronize your Microsoft Store for Business or Microsoft Store for Education inventory. Microsoft Store management tool services work with MDM tools to manage content.
 ms.assetid: 006F5FB1-E688-4769-BD9A-CFA6F5829016
 ms.reviewer: 
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 You can configure a mobile device management (MDM) tool to synchronize your Microsoft Store for Business or Microsoft Store for Education inventory. Microsoft Store management tool services work with MDM tools to manage content.
 

store-for-business/distribute-offline-apps.md

@@ -3,12 +3,12 @@ title: Distribute offline apps (Windows 10)
 description: Offline licensing is a new licensing option for Windows 10.
 ms.assetid: 6B9F6876-AA66-4EE4-A448-1371511AC95E
 ms.reviewer: 
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 > 
 Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business and Microsoft Store for Education. This model allows organizations to deploy apps when users or devices do not have connectivity to the Store.
 

store-for-business/docfx.json

@@ -65,7 +65,8 @@
         "dstrome",
         "v-dihans",        
         "garycentric",
-        "v-stsavell"
+        "v-stsavell",
+        "beccarobins"
       ]
     },
     "fileMetadata": {},

store-for-business/find-and-acquire-apps-overview.md

@@ -3,12 +3,12 @@ title: Find and acquire apps (Windows 10)
 description: Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization.
 ms.assetid: 274A5003-5F15-4635-BB8B-953953FD209A
 ms.reviewer: 
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization.
 

store-for-business/index.md

@@ -20,7 +20,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Welcome to the Microsoft Store for Business and Education! You can use Microsoft Store to find, acquire, distribute, and manage apps for your organization or school.
 

store-for-business/manage-access-to-private-store.md

@@ -3,12 +3,12 @@ title: Manage access to private store (Windows 10)
 description: You can manage access to your private store in Microsoft Store for Business and Microsoft Store for Education.
 ms.assetid: 4E00109C-2782-474D-98C0-02A05BE613A5
 ms.reviewer: 
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.date: 07/21/2021
 ---
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 You can manage access to your private store in Microsoft Store for Business and Microsoft Store for Education.
 

store-for-business/manage-apps-microsoft-store-for-business-overview.md

@@ -3,12 +3,12 @@ title: Manage products and services in Microsoft Store for Business (Windows 10)
 description: Manage apps, software, devices, products and services in Microsoft Store for Business.
 ms.assetid: 2F65D4C3-B02C-41CC-92F0-5D9937228202
 ms.reviewer: 
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Manage products and services in Microsoft Store for Business and Microsoft Store for Education. This includes apps, software, products, devices, and services available under **Products & services**. 
 

store-for-business/manage-orders-microsoft-store-for-business.md

@@ -4,19 +4,19 @@ description: You can view your order history with Microsoft Store for Business o
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
 ms.reviewer: 
-manager: dansimp
 ---
 
 # Manage app orders in Microsoft Store for Business and Education
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 After you've acquired apps, you can review order information and invoices on **Order history**. On this page, you can view invoices, and request refunds.
 

store-for-business/manage-private-store-settings.md

@@ -3,12 +3,12 @@ title: Manage private store settings (Windows 10)
 description: The private store is a feature in the Microsoft Store for Business and Microsoft Store for Education that organizations receive during the sign up process.
 ms.assetid: 2D501538-0C6E-4408-948A-2BF5B05F7A0C
 ms.reviewer: 
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.date: 07/21/2021
 ms.localizationpriority: medium
@@ -21,7 +21,7 @@ ms.localizationpriority: medium
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all people in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.
 

store-for-business/manage-settings-microsoft-store-for-business.md

@@ -3,12 +3,12 @@ title: Manage settings for Microsoft Store for Business and Microsoft Store for
 description: You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant.
 ms.assetid: E3283D77-4DB2-40A9-9479-DDBC33D5A895
 ms.reviewer: 
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant.
 

store-for-business/manage-users-and-groups-microsoft-store-for-business.md

@@ -3,12 +3,12 @@ title: Manage user accounts in Microsoft Store for Business and Microsoft Store
 description: Microsoft Store for Business and Microsoft Store for Education manages permissions with a set of roles. Currently, you can assign these roles to individuals in your organization, but not to groups.
 ms.assetid: 5E7FA071-CABD-4ACA-8AAE-F549EFCE922F
 ms.reviewer: 
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md), but not to groups.
 

store-for-business/microsoft-store-for-business-education-powershell-module.md

@@ -4,13 +4,13 @@ description: Preview version of PowerShell module
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
 ms.reviewer: 
-manager: dansimp
 ---
 
 # Microsoft Store for Business and Education PowerShell module - preview
@@ -19,7 +19,7 @@ manager: dansimp
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Microsoft Store for Business and Education PowerShell module (preview) is now available on [PowerShell Gallery](https://go.microsoft.com/fwlink/?linkid=853459).
 

store-for-business/microsoft-store-for-business-overview.md

@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 > [!IMPORTANT]
 > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).

store-for-business/notifications-microsoft-store-business.md

@@ -4,12 +4,12 @@ description: Notifications alert you to issues or outages with Microsoft Store f
 keywords: notifications, alerts
 ms.assetid: 
 ms.reviewer: 
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -23,7 +23,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Microsoft Store for Business and Microsoft Store for Education use a set of notifications to alert admins if there is an issue or outage with Microsoft Store. 
 

store-for-business/payment-methods.md

@@ -5,19 +5,19 @@ keywords: payment method, credit card, debit card, add credit card, update payme
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: trudyha
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
 ms.reviewer: 
-manager: dansimp
 ---
 
 # Payment methods
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 You can purchase products and services from Microsoft Store for Business using your credit card. You can enter your credit card information on **Payment methods**, or when you purchase an app. We currently accept these credit cards:
 - VISA

store-for-business/prerequisites-microsoft-store-for-business.md

@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 > [!IMPORTANT]
 > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).

store-for-business/release-history-microsoft-store-business-education.md

@@ -4,18 +4,18 @@ description: Know the release history of Microsoft Store for Business and Micros
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.date: 07/21/2021
 ms.reviewer: 
-manager: dansimp
 ---
 
 # Microsoft Store for Business and Education release history
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases.
 

store-for-business/roles-and-permissions-microsoft-store-for-business.md

@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 > [!IMPORTANT]
 > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).

store-for-business/settings-reference-microsoft-store-for-business.md

@@ -3,12 +3,12 @@ title: Settings reference Microsoft Store for Business and Education (Windows 10
 description: The Microsoft Store for Business and Education has a group of settings that admins use to manage the store.
 ms.assetid: 34F7FA2B-B848-454B-AC00-ECA49D87B678
 ms.reviewer: 
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -17,7 +17,7 @@ ms.date: 07/21/2021
 # Settings reference: Microsoft Store for Business and Education
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 
 The Microsoft Store for Business and Education has a group of settings that admins use to manage the store.

store-for-business/sign-up-microsoft-store-for-business-overview.md

@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 IT admins can sign up for Microsoft Store for Business and Education, and get started working with apps.
 

store-for-business/troubleshoot-microsoft-store-for-business.md

@@ -3,12 +3,12 @@ title: Troubleshoot Microsoft Store for Business (Windows 10)
 description: Troubleshooting topics for Microsoft Store for Business.
 ms.assetid: 243755A3-9B20-4032-9A77-2207320A242A
 ms.reviewer: 
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Troubleshooting topics for Microsoft Store for Business.
 

store-for-business/update-microsoft-store-for-business-account-settings.md

@@ -5,19 +5,18 @@ keywords: billing accounts, organization info
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
-ms.reviewer: 
-manager: dansimp
 ---
 
 # Update Billing account settings
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 A billing account contains defining information about your organization. 
 

store-for-business/whats-new-microsoft-store-business-education.md

@@ -4,18 +4,18 @@ description: Learn about newest features in Microsoft Store for Business and Mic
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.date: 07/21/2021
 ms.reviewer: 
-manager: dansimp
 ---
 
 # What's new in Microsoft Store for Business and Education
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Microsoft Store for Business and Education regularly releases new and improved features.  
 

store-for-business/working-with-line-of-business-apps.md

@@ -3,12 +3,12 @@ title: Working with line-of-business apps (Windows 10)
 description: Your company or school can make line-of-business (LOB) applications available through Microsoft Store for Business or Microsoft Store for Education. These apps are custom to your organization – they might be internal business apps, or apps specific to your school, business, or industry.
 ms.assetid: 95EB7085-335A-447B-84BA-39C26AEB5AC7
 ms.reviewer: 
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Your company or school can make line-of-business (LOB) applications available through Microsoft Store for Business or Microsoft Store for Education. These apps are custom to your school or organization – they might be internal apps, or apps specific to your school, business, or industry.
 

windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md

@@ -18,17 +18,17 @@ ms.technology: itpro-apps
 The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10, version 1607.
  
 ## Windows Installer packages (.msi files) generated by the App-V sequencer (version 5.1 and earlier) fail to install on computers with the in-box App-V client
-There are MSI packages generated by an App-V sequencer from previous versions of App-V (Versions 5.1 and earlier). These packages include a check to validate whether the App-V client is installed on client devices, before allowing the MSI package to be installed. As the App-V client gets installed automatically when you upgrade user devices to Windows 10, version 1607, the pre-requisite check fails and causes the MSI to fail.
+There are MSI packages generated by an App-V sequencer from previous versions of App-V (Versions 5.1 and earlier). These packages include a check to validate whether the App-V client is installed on client devices, before allowing the MSI package to be installed. As the App-V client gets installed automatically when you upgrade user devices to Windows 10, version 1607, the prerequisite check fails and causes the MSI to fail.
 
 **Workaround**:
 
-1. Install the latest App-V sequencer, which you can get from the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1607. See [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information, see [Install the App-V Sequencer](appv-install-the-sequencer.md).
+1. Install the latest App-V sequencer, which you can get from the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1607. See [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information, see [Install the App-V Sequencer](appv-install-the-sequencer.md).
 
 2. Ensure that you've installed the **MSI Tools** included in the Windows 10 SDK, available as follows:
 
-    - For the **Visual Studio Community 2015 with Update 3** client, which includes the latest Windows 10 SDK and developer tools, see [Downloads and tools for Windows 10](https://developer.microsoft.com/en-us/windows/downloads).
+    - For the **Visual Studio Community 2015 with Update 3** client, which includes the latest Windows 10 SDK and developer tools, see [Downloads and tools for Windows 10](https://developer.microsoft.com/windows/downloads).
     
-    - For the standalone Windows 10 SDK without other tools, see [Standalone Windows 10 SDK](https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk).
+    - For the standalone Windows 10 SDK without other tools, see [Standalone Windows SDK](https://developer.microsoft.com/windows/downloads/windows-sdk).
 
 3. Copy msidb.exe from the default path of the Windows SDK installation (**C:\Program Files (x86)\Windows Kits\10**) to a different directory. For example: **C:\MyMsiTools\bin**
 
@@ -36,7 +36,7 @@ There are MSI packages generated by an App-V sequencer from previous versions of
  
     <Windows Kits 10 installation folder>**\Microsoft Application Virtualization\Sequencer\\** 
 
-    By default, this path will be:<br>**C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\Sequencer** 
+    By default, this path is:<br>**C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\Sequencer** 
 
 5. Run the following command:
 
@@ -51,7 +51,7 @@ An error is generated during publishing refresh when synchronizing packages from
 **Workaround**: Upgrade the App-V 5.0 Management server to the App-V Management server for Windows 10 Clients.
 
 ## Custom configurations don't get applied for packages that will be published globally if they're set using the App-V Server
-If you assign a package to an AD group that contains machine accounts and apply a custom configuration to that group using the App-V Server, the custom configuration won't be applied to those machines. The App-V Client will publish packages assigned to a machine account globally. However, it stores custom configuration files per user in each user’s profile. Globally published packages won't have access to this custom configuration.
+If you assign a package to an AD group that contains machine accounts and apply a custom configuration to that group using the App-V Server, the custom configuration won't be applied to those machines. The App-V Client publishes packages assigned to a machine account globally. However, it stores custom configuration files per user in each user’s profile. Globally published packages won't have access to this custom configuration.
 
 **Workaround**: Implement one of the following tasks:
 
@@ -69,23 +69,23 @@ If you uninstall the App-V 5.0 SP1 Server and then install the App-V Server, the
 
 Under HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall, locate and delete the installation GUID key that contains the DWORD value "DisplayName" with value data "Microsoft Application Virtualization (App-V) Server". This is the only key that should be deleted.
 
-## File type associations added manually are not saved correctly
+## File type associations added manually aren't saved correctly
 
 File type associations added to an application package manually using the Shortcuts and FTAs tab at the end of the application upgrade wizard aren't saved correctly. They won't be available to the App-V Client or to the Sequencer when updating the saved package again.
 
-**Workaround**: To add a file type association, open the package for modification and run the update wizard. During the Installation step, add the new file type association through the operating system. The sequencer will detect the new association in the system registry and add it to the package’s virtual registry, where it will be available to the client.
+**Workaround**: To add a file type association, open the package for modification and run the update wizard. During the Installation step, add the new file type association through the operating system. The sequencer detects the new association in the system registry and adds it to the package’s virtual registry, where it is available to the client.
 
-## When streaming packages in Shared Content Store (SCS) mode to a client that is also managed with AppLocker, additional data is written to the local disk.
+## When streaming packages in Shared Content Store (SCS) mode to a client that is also managed with AppLocker, extra data is written to the local disk.
 
 To decrease the amount of data written to a client’s local disk, you can enable SCS mode on the App-V Client to stream the contents of a package on demand. However, if AppLocker manages an application within the package, some data might be written to the client’s local disk that wouldn't otherwise be written.
 
 **Workaround**: None
 
-## In the Management Console Add Package dialog box, the Browse button is not available when using Chrome or Firefox
+## In the Management Console Add Package dialog box, the Browse button isn't available when using Chrome or Firefox
 
-On the Packages page of the Management Console, if you click **Add or Upgrade** in the lower-right corner, the **Add Package** dialog box appears. If you're accessing the Management Console using Chrome or Firefox as your browser, you will not be able to browse to the location of the package.
+On the Packages page of the Management Console, if you select **Add or Upgrade** in the lower-right corner, the **Add Package** dialog box appears. If you're accessing the Management Console using Chrome or Firefox as your browser, you won't be able to browse to the location of the package.
 
-**Workaround**: Type or copy and paste the path to the package into the **Add Package** input field. If the Management Console has access to this path, you will be able to add the package. If the package is on a network share, you can browse to the location using File Explorer by doing these steps:
+**Workaround**: Type or copy and paste the path to the package into the **Add Package** input field. If the Management Console has access to this path, you'll be able to add the package. If the package is on a network share, you can browse to the location using File Explorer by doing these steps:
 
 1.  While pressing **Shift**, right-click on the package file
 
@@ -102,10 +102,10 @@ If you install the App-V 5.0 SP1 Management Server, and then try to upgrade to A
 
 where “AppVManagement” is the name of the database.
 
-## Users cannot open a package in a user-published connection group if you add or remove an optional package
-In environments that are running the RDS Client or that have multiple concurrent users per computer, logged-in users cannot open applications in packages that are in a user-published connection group if an optional package is added to or removed from the connection group.
+## Users can't open a package in a user-published connection group if you add or remove an optional package
+In environments that are running the RDS Client or that have multiple concurrent users per computer, logged-in users can't open applications in packages that are in a user-published connection group if an optional package is added to or removed from the connection group.
 
-**Workaround**: Have users log out and then log back in.
+**Workaround**: Have users sign out and then log back in.
 
 ## Error message is erroneously displayed when the connection group is published only to the user
 When you run Repair-AppvClientConnectionGroup, the following error is displayed, even when the connection group is published only to the user: “Internal App-V Integration error: Package not integrated for the user. Ensure that the package is added to the machine and published to the user.”
@@ -114,7 +114,7 @@ When you run Repair-AppvClientConnectionGroup, the following error is displayed,
 
 -   Publish all packages in a connection group.
 
-    The problem arises when the connection group being repaired has packages that are missing or not available to the user (that is, not published globally or to the user). However, the repair will work if all of the connection group’s packages are available, so ensure that all packages are published.
+    The problem arises when the connection group being repaired has packages that are missing or not available to the user (that is, not published globally or to the user). However, the repair works if all of the connection group’s packages are available, so ensure that all packages are published.
 
 -   Repair packages individually using the Repair-AppvClientPackage command rather than the Repair-AppvClientConnectionGroup command.
 
@@ -128,22 +128,22 @@ When you run Repair-AppvClientConnectionGroup, the following error is displayed,
 
 ## Icons not displayed properly in Sequencer
 
-Icons in the Shortcuts and File Type Associations tab are not displayed correctly when modifying a package in the App-V Sequencer. This problem occurs when the size of the icons is not 16x16 or 32x32.
+Icons in the Shortcuts and File Type Associations tab aren't displayed correctly when modifying a package in the App-V Sequencer. This problem occurs when the size of the icons isn't 16x16 or 32x32.
 
 **Workaround**: Only use icons that are 16x16 or 32x32.
 
 ## InsertVersionInfo.sql script no longer required for the Management Database
-The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3.
+The InsertVersionInfo.sql script isn't required for versions of the App-V management database later than App-V 5.0 SP3.
 
 ## Microsoft Visual Studio 2012 not supported
 App-V doesn't support Visual Studio 2012.
 
 **Workaround**: Use a newer version of Microsoft Visual Studio.
 
-Currently, Visual Studio 2012 doesn't support app virtualization, whether using Microsoft App-V or third party solutions such as VMWare ThinApp. While it is possible you might find that Visual Studio works well enough for your purposes when running within one of these environments, we are unable to address any bugs or issues found when running in a virtualized environment at this time.
+Currently, Visual Studio 2012 doesn't support app virtualization, whether using Microsoft App-V or third party solutions such as VMware ThinApp. While it's possible you might find that Visual Studio works well for your purposes when running within one of these environments, we're unable to address any bugs or issues found when running in a virtualized environment at this time.
 
 ## Application filename restrictions for App-V Sequencer
-The App-V Sequencer cannot sequence applications with filenames matching "CO_&lt;x&gt;" where x is any numeral. Error 0x8007139F will be generated.
+The App-V Sequencer can't sequence applications with filenames matching "CO_&lt;x&gt;" where x is any numeral. Error 0x8007139F will be generated.
 
 **Workaround**: Use a different filename
 
@@ -152,9 +152,9 @@ For information that can help with troubleshooting App-V for Windows 10, see:
 - [Application Virtualization (App-V): List of Microsoft Support Knowledge Base Articles](https://social.technet.microsoft.com/wiki/contents/articles/14272.app-v-v5-x-list-of-microsoft-support-knowledge-base-articles.aspx)
 - [The Official Microsoft App-V Team Blog](/archive/blogs/appv/)
 - [Technical Reference for App-V](./appv-technical-reference.md)
-- [App-V TechNet Forum](https://social.technet.microsoft.com/forums/en-us/home?forum=mdopappv)
+- [App-V TechNet Forum](https://social.technet.microsoft.com/forums/en-us/home?forum=mdopappv) <!-- locale required by target site :( -->
 
 
-<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). <!-- locale required by target site :( -->
 
 <a href="https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md" class="button big">Help us to improve</a>

windows/application-management/apps-in-windows-10.md

@@ -71,9 +71,9 @@ There are different types of apps that can run on your Windows client devices. T
 
   Using an MDM provider, you can create shortcuts to your web apps and progressive web apps on devices.
 
-## Android™️ apps
+## Android™️ apps
 
-Starting with Windows 11, users in the [Windows Insider program](https://insider.windows.com/) can use the Microsoft Store to search, download, and install Android™️ apps. This feature uses the Windows Subsystem for Android, and allows users to interact with Android apps, just like others apps installed from the Microsoft Store.
+Starting with Windows 11, users in the [Windows Insider program](https://insider.windows.com/) can use the Microsoft Store to search, download, and install Android™️ apps. This feature uses the Windows Subsystem for Android, and allows users to interact with Android apps, just like others apps installed from the Microsoft Store.
 
 For more information, see:
 
@@ -85,7 +85,7 @@ For more information, see:
 When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options.
 
 > [!NOTE]
-> Microsoft Store for Business and Microsoft Store for Education will be retired on March 31, 2023. Customers may continue to use the current capabilities for free apps until that time. There will be no support for Microsoft Store for Business and Education for Windows 11.
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. Customers may continue to use the current capabilities for free apps until that time. There will be no support for Microsoft Store for Business and Education for Windows 11.
 >Visit [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution) for more information about the new Microsoft Store experience for both Windows 11 and Windows 10, and learn about other options for getting and managing apps.
 
 - **Manually install**: On your devices, users can install apps from the Microsoft Store, from the internet, and from an organization shared drive. These apps, and more, are listed in **Settings** > **Apps** > **Apps and Features**.

windows/application-management/docfx.json

@@ -59,7 +59,8 @@
         "claydetels19", 
         "jborsecnik",
         "tiburd",
-        "garycentric"
+        "garycentric",
+        "beccarobins"
       ],
       "searchScope": ["Windows 10"]
     },

windows/application-management/private-app-repository-mdm-company-portal-windows-11.md

@@ -4,7 +4,7 @@ description: Use the Company Portal app in Windows 11 devices to access the priv
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
-ms.date: 09/15/2021
+ms.date: 04/04/2023
 ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-apps
@@ -59,7 +59,7 @@ To install the Company Portal app, you have some options:
   For more information, see:
   
   - [Endpoint Management at Microsoft](/mem/endpoint-manager-overview)
-  - [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-windows)
+  - [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft)
   - [What is co-management?](/mem/configmgr/comanage/overview)
   - [Use the Company Portal app on co-managed devices](/mem/configmgr/comanage/company-portal)
 

windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md

@@ -1,99 +0,0 @@
----
-title: Add an Azure AD tenant and Azure AD subscription
-description: Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription.
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 06/26/2017
----
-
-# Add an Azure AD tenant and Azure AD subscription
-
-Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription.
-
-> **Note**  If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. For step-by-step guide to register this free subscription, see [Register your free Azure Active Directory subscription.](#register-your-free-azure-active-directory-subscription)
-
-
-1. Sign up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization.
-
-   ![sign up for azure ad tenant.](images/azure-ad-add-tenant1.png)
-
-2. Enter the information for your organization. Select **check availability** to verify that domain name that you selected is available.
-
-   ![sign up for azure ad.](images/azure-ad-add-tenant2.png)
-
-3. Complete the login and country information. Enter a valid phone number, then select **Send text message** or **Call me**.
-
-   ![create azure account.](images/azure-ad-add-tenant3.png)
-
-4. Enter the code that you receive and then select **Verify code**. After the code is verified and the continue button turns green, select **continue**.
-
-   ![add aad tenant.](images/azure-ad-add-tenant3-b.png)
-
-5. After you finish creating your Azure account, you can add an Azure AD subscription.
-
-   If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to the Office 356 portal at https://portal.office.com/, and then sign in using the admin account that you created in Step 4 (for example, user1@contosoltd.onmicrosoftcom).
-
-   ![login to office 365](images/azure-ad-add-tenant4.png)
-
-6. Select **Install software**.
-
-   ![login to office 365 portal](images/azure-ad-add-tenant5.png)
-
-7. In the Microsoft 365 admin center, select **Purchase Services** from the left navigation.
-
-   ![purchase service option in admin center menu.](images/azure-ad-add-tenant6.png)
-
-8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then select to purchase.
-
-   ![azure active directory option in purchase services page.](images/azure-ad-add-tenant7.png)
-
-9. Continue with your purchase.
-
-   ![azure active directory premium payment page.](images/azure-ad-add-tenant8.png)
-
-10. After the purchase is completed, you can log on to your Office 365 Admin Portal and you'll see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint and Exchange).
-
-    ![admin center left navigation menu.](images/azure-ad-add-tenant9.png)
-
-    When you choose Azure AD, it will take you to the Azure AD portal where you can manage your Azure AD applications.
-
-## Register your free Azure Active Directory subscription
-
-If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. Here's a step-by-step guide to register your free Azure AD subscription using an Office 365 Premium Business subscription.
-
-1.  Sign in to the Microsoft 365 admin center at <https://portal.office.com> using your organization's account.
-
-    ![register in azuread.](images/azure-ad-add-tenant10.png)
-
-2.  On the **Home** page, select on the Admin tools icon.
-
-    ![register in azure-ad.](images/azure-ad-add-tenant11.png)
-
-3.  On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This option will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information.
-
-    ![register azuread](images/azure-ad-add-tenant12.png)
-
-4.  On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**.
-
-    ![registration in azure-ad](images/azure-ad-add-tenant13.png)
-
-5.  It may take a few minutes to process the request.
-
-    ![registration in azuread.](images/azure-ad-add-tenant14.png)
-
-6.  You'll see a welcome page when the process completes.
-
-    ![register screen of azuread](images/azure-ad-add-tenant15.png)
-
- 
-
-
-
-
-
-

windows/client-management/appv-deploy-and-config.md

@@ -1,485 +0,0 @@
----
-title: Deploy and configure App-V apps using MDM
-description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Intune or App-V server.
-ms.author: vinpa
-ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 06/26/2017
-ms.reviewer: 
-manager: aaroncz
----
-
-# Deploy and configure App-V apps using MDM
-
-## Executive summary
-
-<p>Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.</p>
-
-<p>MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.</p>
-
-### EnterpriseAppVManagement CSP node structure
-
-[EnterpriseAppVManagement CSP reference](mdm/enterpriseappvmanagement-csp.md)
-
-The following example shows the EnterpriseAppVManagement configuration service provider in tree format.
-
-```console
-./Vendor/MSFT
-EnterpriseAppVManagement
-----AppVPackageManagement
---------EnterpriseID
-------------PackageFamilyName
----------------PackageFullName
-------------------Name
-------------------Version
-------------------Publisher
-------------------InstallLocation
-------------------InstallDate
-------------------Users
-------------------AppVPackageID
-------------------AppVVersionId
-------------------AppVPackageUri
-----AppVPublishing
---------LastSync
-------------LastError
-------------LastErrorDescription
-------------SyncStatusDescription
-------------SyncProgress
---------Sync
-------------PublishXML
-----AppVDynamicPolicy
---------ConfigurationId
-------------Policy
-```
-
-<p>(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following subnodes.</p>
-
-<p><b>AppVPublishing</b> - An exec action node that contains the App-V publishing configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.</p>
-
-- EnterpriseAppVManagement
-  - AppVPackageManagement
-  - **AppVPublishing**
-    - LastSync
-	  - LastError
-	  - LastErrorDescription
-	  - SyncStatusDescription
-	  - SyncProgress
-    - Sync
-	  - PublishXML
-  - AppVDynamicPolicy
-
-<p>Sync command:</p>
-
-[App-V Sync protocol reference](https://msdn.microsoft.com/enus/library/mt739986.aspx)
-
-<p><b>AppVDynamicPolicy</b> - A read/write node that contains the App-V dynamic configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.</p>
-
-- EnterpriseAppVManagement
-  - AppVPackageManagement
-  - AppVPublishing
-  - **AppVDynamicPolicy**
-    - [ConfigurationId]
-	  - Policy
-
-<p>Dynamic policy examples:</p>
-
-[Dynamic configuration processing](/windows/application-management/app-v/appv-application-publishing-and-client-interaction#dynamic-configuration-processing)
-
-<p><b>AppVPackageManagement</b> - Primarily read-only App-V package inventory data for MDM servers to query current packages.</p>
-
-- EnterpriseAppVManagement
-  - **AppVPackageManagement**
-    - [EnterpriseID]
-	  - [PackageFamilyName]
-	    - [PackageFullName]
-		  - Name
-		  - Version
-		  - Publisher
-		  - InstallLocation
-		  - InstallDate
-		  - Users
-		  - AppVPackageID
-		  - AppVVersionId
-		  - AppVPackageUri
-  - AppVPublishing
-  - AppVDynamicPolicy
-
-<p>The examples in the scenarios section demonstrate how the publishing document should be created to successfully publish packages, dynamic policies, and connection groups.</p>
-
-## Scenarios addressed in App-V MDM functionality
-
-<p>All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premises App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.</p>
-
-<p>A complete list of App-V policies can be found here:</p>
-
-[ADMX-backed policy reference](mdm/policy-configuration-service-provider.md)
-
-[EnterpriseAppVManagement CSP reference](mdm/enterpriseappvmanagement-csp.md)
-
-### SyncML examples
-
-<p>The following SyncML examples address specific App-V client scenarios.</p>
-
-#### Enable App-V client
-
-<p>This example shows how to enable App-V on the device.</p>
-
-```xml
-<Replace>
-	<CmdID>$CmdID$</CmdID>
-	<Item>
-		<Meta>
-			<Format>chr</Format>
-			<Type>text/plain</Type>
-		</Meta>
-		<Target>
-			<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppvClient</LocURI>
-		</Target>
-		<Data><enabled/></Data>
-	</Item>
-</Replace>
-```
-
-#### Configure App-V client
-
-<p>This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts helps package deployments (add and publish of App-V apps).</p>
-
-```xml
-<Replace>
-	<CmdID>$CmdID$</CmdID>
-	<Item>
-		<Meta>
-			<Format>chr</Format>
-			<Type>text/plain</Type>
-		</Meta>
-		<Target>
-			<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageScripts</LocURI>
-		</Target>
-		<Data><enabled/></Data>
-	</Item>
-</Replace>
-```
-
-<p>Complete list of App-V policies can be found here:</p>
-
-[Policy CSP](mdm/policy-configuration-service-provider.md)
-
-#### SyncML with package published for a device (global to all users for that device)
-
-<p>This SyncML example shows how to publish a package globally on an MDM enrolled device for all device users.</p>
-
-```xml
-<Replace>
-	<CmdID>$CmdID$</CmdID>
-	<Item>
-		<Target>
-			<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
-		</Target>
-		<Meta>
-			<Format xmlns="syncml:metinf">node</Format>
-		</Meta>
-	</Item>
-</Replace>
-<Exec>
-	<CmdID>$CmdID$</CmdID>
-	<Item>
-		<Target>
-			<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L</LocURI>
-		</Target>
-		<Meta>
-			<Format xmlns="syncml:metinf">xml</Format>
-			<Type xmlns="syncml:metinf">text/plain</Type>
-		</Meta>
-		<Data>
-			<Publishing Protocol="2.0">
-				<Packages>
-					<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="fd6b51c7-959e-4d04-ac36-a8244a5693d0" PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
-				</Packages>
-				<NoGroup>
-					<Package PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
-				</NoGroup>
-			</Publishing>
-		</Data>
-	</Item>
-</Exec>
-```
-
-<p>*PackageUrl can be a UNC or HTTP/HTTPS endpoint.</p>
-
-#### SyncML with package (with dynamic configuration policy) published for a device (global to all users on that device)
-
-<p>This SyncML example shows how to publish a package globally, with a policy that adds two shortcuts for the package, on an MDM enrolled device.</p>
-
-```xml
-<Replace>
-	<CmdID>$CmdID$</CmdID>
-	<Item>
-		<Target>
-			<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/38/Policy</ LocURI>
-		</Target>
-		<Meta>
-			<Format xmlns="syncml:metinf">xml</Format>
-			<Type xmlns="syncml:metinf">text/plain</Type>
-		</Meta>
-		<Data>
-			<DeploymentConfiguration PackageId="57650ac1-1731-4b4c-899ca25548374dab" DisplayName="Skype_RS2Win10_X64" xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration">
-				<MachineConfiguration></MachineConfiguration>
-				<UserConfiguration>
-					<Subsystems>
-						<Shortcuts Enabled="true">
-							<Extensions>
-								<Extension Category="AppV.Shortcut">
-									<Shortcut>
-										<File>[{ThisPCDesktopFolder}]\Skype_FromMDM.lnk</File>
-										<Target>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</Target>
-										<Icon>[{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico</Icon>
-										<Arguments/>
-										<WorkingDirectory>[{ProgramFilesX86}]\Skype\</WorkingDirectory>
-										<AppUserModelId>Skype.Desktop.Application</AppUserModelId>
-										<Description>Launch Skype</Description>
-										<ShowCommand>1</ShowCommand>
-										<ApplicationId>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</ApplicationId>
-									</Shortcut>
-								</Extension>
-								<Extension Category="AppV.Shortcut">
-									<Shortcut>
-										<File>[{Common Desktop}]\Skype_FromMDMAlso.lnk</File>
-										<Target>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</Target>
-										<Icon>[{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico</Icon>
-										<Arguments/>
-										<WorkingDirectory>[{ProgramFilesX86}]\Skype\</WorkingDirectory>
-										<AppUserModelId>Skype.Desktop.Application</AppUserModelId>
-										<Description>Launch Skype</Description>
-										<ShowCommand>1</ShowCommand>
-										<ApplicationId>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</ApplicationId>
-									</Shortcut>
-								</Extension>
-							</Extensions>
-						</Shortcuts>
-					</Subsystems>
-				</UserConfiguration>
-			</DeploymentConfiguration>
-		</Data>
-	</Item>
-</Replace>
-<Replace>
-	<CmdID>$CmdID$</CmdID>
-	<Item>
-		<Target>
-			<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
-		</Target>
-		<Meta>
-			<Format xmlns="syncml:metinf">node</Format>
-		</Meta>
-	</Item>
-</Replace>
-<Exec>
-	<CmdID>$CmdID$</CmdID>
-	<Item>
-		<Target>
-			<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L</LocURI>
-		</Target>
-		<Meta>
-			<Format xmlns="syncml:metinf">xml</Format>
-			<Type xmlns="syncml:metinf">text/plain</Type>
-		</Meta>
-		<Data>
-			<Publishing Protocol="2.0">
-				<Packages>
-					<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="05fcf098-c949-4ea4-9aee-757abd33e0e4" PackageId="57650ac11731-4b4c-899c-a25548374dab">
-						<DeploymentConfiguration ConfigurationId="38" Path="38" Timestamp="2012-08-27T16:14:30.87" /></Package>
-				</Packages>
-				<NoGroup>
-					<Package PackageId="57650ac1-1731-4b4c-899ca25548374dab"/>
-				</NoGroup>
-			</Publishing>
-		</Data>
-	</Item>
-</Exec>
-```
-
-<p>*PackageUrl can be a UNC or HTTP/HTTPS endpoint.</p>
-
-#### SyncML with package (using user config deployment) published for a specific user
-
-<p>This SyncML example shows how to publish a package for a specific MDM user.</p>
-
-```xml
-<Replace>
-	<CmdID>$CmdID$</CmdID>
-	<Item>
-		<Target>
-			<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
-		</Target>
-		<Meta>
-			<Format xmlns="syncml:metinf">node</Format>
-		</Meta>
-	</Item>
-</Replace>
-<Exec>
-	<CmdID>$CmdID$</CmdID>
-	<Item>
-		<Target>
-			<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI>
-		</Target>
-		<Meta>
-			<Format xmlns="syncml:metinf">xml</Format>
-			<Type xmlns="syncml:metinf">text/plain</Type>
-		</Meta>
-		<Data>
-			<Publishing Protocol="2.0">
-				<Packages>
-					<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="c68b054c-ff5f-45a6-9b41-788f2194e3c1" PackageId="e9a51aaf-5d9a48df-96e2-3372a278bca4"></Package>
-				</Packages>
-				<NoGroup>
-					<Package PackageId="e9a51aaf-5d9a-48df-96e23372a278bca4"/>
-				</NoGroup>
-			</Publishing>
-		</Data>
-	</Item>
-</Exec>
-```
-
-#### SyncML for publishing mixed-mode connection group containing global and user-published packages
-
-<p>This SyncML example shows how to publish a connection group, and group applications and plugins together.</p>
-
-> [!NOTE]
-> The user connection group has the user-only package as optional in this example, which implies users without the optional package can continue to launch the global package within the same connection group.
-
-```xml
-<Replace>
-	<CmdID>$CmdID$</CmdID>
-	<Item>
-		<Target>
-			<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
-		</Target>
-		<Meta>
-			<Format xmlns="syncml:metinf">node</Format>
-		</Meta>
-	</Item>
-</Replace>
-<Exec>
-	<CmdID>$CmdID$</CmdID>
-	<Item>
-		<Target>
-			<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L</LocURI>
-		</Target>
-		<Meta>
-			<Format xmlns="syncml:metinf">xml</Format>
-			<Type xmlns="syncml:metinf">text/plain</Type>
-		</Meta>
-		<Data>
-			<Publishing Protocol="2.0">
-				<Packages>
-					<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="05fcf098-c949-4ea4-9aee-757abd33e0e4" PackageId="57650ac11731-4b4c-899c-a25548374dab"></Package>
-				</Packages>
-			</Publishing>
-		</Data>
-	</Item>
-</Exec>
-<Replace>
-	<CmdID>$CmdID$</CmdID>
-	<Item>
-		<Target>
-			<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
-		</Target>
-		<Meta>
-			<Format xmlns="syncml:metinf">node</Format>
-		</Meta>
-	</Item>
-</Replace>
-	<Exec>
-	<CmdID>$CmdID$</CmdID>
-	<Item>
-		<Target>
-			<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI>
-		</Target>
-		<Meta>
-			<Format xmlns="syncml:metinf">xml</Format>
-			<Type xmlns="syncml:metinf">text/plain</Type>
-		</Meta>
-		<Data>
-			<Publishing Protocol="2.0">
-				<Packages>
-					<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="c68b054c-ff5f-45a6-9b41-788f2194e3c1" PackageId="e9a51aaf-5d9a48df-96e2-3372a278bca4"></Package>
-					<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="fd6b51c7-959e-4d04-ac36-a8244a5693d0" PackageId="565d8479-394d-439c-824d0e09b7ee732c"></Package>
-				</Packages>
-				<NoGroup>
-					<Package PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
-				</NoGroup>
-				<Groups>
-					<Group GroupId="98d5cebd-165f-403b-a426-7a1f6ae9c399" VersionId="AE76602B-5613-4BAD-9EE5-1728FA55B699" Priority="46" Name="Try7">
-						<Package PackageId="57650ac1-1731-4b4c-899ca25548374dab" VersionId="05fcf098-c949-4ea4-9aee-757abd33e0e4" VersionOptional="false" PackageOptional="false"/>
-						<Package PackageId="e9a51aaf-5d9a-48df-96e23372a278bca4" VersionOptional="true" PackageOptional="true"/>
-					</Group>
-				</Groups>
-			</Publishing>
-		</Data>
-	</Item>
-</Exec>
-```
-
-#### Unpublish example SyncML for all global packages
-
-<p>This SyncML example shows how to unpublish all global packages on the device by sending an empty package and connection group list in the SyncML.</p>
-
-```xml
-<Replace>
-	<CmdID>$CmdID$</CmdID>
-	<Item>
-		<Target>
-			<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
-		</Target>
-		<Meta>
-			<Format xmlns="syncml:metinf">node</Format>
-		</Meta>
-	</Item>
-</Replace>
-<Exec>
-	<CmdID>$CmdID$</CmdID>
-	<Item>
-		<Target>
-			<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML</LocURI>
-		</Target>
-		<Meta>
-			<Format xmlns="syncml:metinf">xml</Format>
-			<Type xmlns="syncml:metinf">text/plain</Type>
-		</Meta>
-		<Data>
-			<Publishing Protocol="2.0">
-				<Packages></Packages>
-				<NoGroup></NoGroup>
-			</Publishing>
-		</Data>
-	</Item>
-</Exec>
-```
-
-#### Query packages on a device
-
-<p>These SyncML examples return all global, and user-published packages on the device.</p>
-
-```xml
-<Get>
-	<CmdID>$CmdID$</CmdID>
-	<Item>
-		<Target>
-			<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData</LocURI>
-		</Target>
-	</Item>
-</Get>
-```
-
-```xml
-<Get>
-	<CmdID>$CmdID$</CmdID>
-	<Item>
-		<Target>
-			<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData</LocURI>
-		</Target>
-	</Item>
-</Get>
-```

windows/client-management/azure-active-directory-integration-with-mdm.md

@@ -9,159 +9,94 @@ ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.collection:
-  - highpri
-  - tier2
-ms.date: 12/31/2017
+- highpri
+- tier2
+ms.date: 04/05/2023
+appliesto:
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # Azure Active Directory integration with MDM
 
-Azure Active Directory is the world's largest enterprise cloud identity management service. It’s used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow.
+Azure Active Directory is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow.
 
 Once a device is enrolled in MDM, the MDM:
 
 - Can enforce compliance with organization policies, add or remove apps, and more.
-- Can report a device’s compliance in Azure AD.
+- Can report a device's compliance in Azure AD.
 - Azure AD can allow access to organization resources or applications secured by Azure AD to devices that comply with policies.
 
-To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This article describes the steps involved.
-
-## Connect to Azure AD
-
-Several ways to connect your devices:
-
-For company-owned devices:
--   Join Windows to a traditional Active Directory domain
--   Join Windows to Azure AD
-
-For personal devices (BYOD):
--   Add a Microsoft work account to Windows
-
-### Azure AD Join
-
-Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as Microsoft Configuration Manager. In Windows 10, it’s also possible to manage domain joined devices with an MDM.
-
-Windows 10 introduces a new way to configure and deploy organization owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller.
-
-Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device won't be joined to Azure AD.
-
-> [!IMPORTANT]
-> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](/previous-versions/azure/dn499825(v=azure.100)) license.
-
-
-### BYOD scenario
-
-Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If that’s the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. In the BYOD case, users can reject the MDM Terms of Use. The device isn't enrolled in MDM and access to organization resources is typically restricted.
+To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD.
 
 ## Integrated MDM enrollment and UX
 
-Two Azure AD MDM enrollment scenarios:
--   Joining a device to Azure AD for company-owned devices
--   Adding a work account to a personal device (BYOD)
+There are several ways to connect your devices to Azure AD:
 
-In both scenarios, Azure AD authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment.
+- [Join device to Azure AD](/azure/active-directory/devices/concept-azure-ad-join)
+- [Join device to on-premises AD and Azure AD](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
+- [Add a Microsoft work account to Windows](/azure/active-directory/devices/concept-azure-ad-register)
 
-In both scenarios, the enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN.
+In each scenario, Azure AD authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. The enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and bring-your-own-device (BYOD) devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN.
 
-In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It's important that MDM vendors who integrate with Azure AD respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article.
+In Windows 10, the web view during the out-of-the-box scenario is displayed as full-screen by default, providing MDM vendors with the capability to create a seamless edge-to-edge user experience. However, in Windows 11 the web view is rendered within an iframe. It's important that MDM vendors who integrate with Azure AD respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article.
 
-For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service. For more information, see solution \#2 in [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
+For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service. For more information, see [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
 
-Once a user has an Azure AD account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for organization scenarios or BYOD scenarios is similar.
+Once a user has an Azure AD account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Access work or school**. Device management of either Azure AD Join for organization scenarios or BYOD scenarios is similar.
 
 > [!NOTE]
-> Users can't remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
+> Users can't remove the device enrollment through the **Access work or school** user interface because management is tied to the Azure AD or work account.
 
-
-### MDM endpoints involved in Azure AD–integrated enrollment
+### MDM endpoints involved in Azure AD integrated enrollment
 
 Azure AD MDM enrollment is a two-step process:
 
-1.  Display the Terms of Use and gather user consent.
+1. Display the Terms of Use and gather user consent: This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM.
+1. Enroll the device: This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device.
 
-    This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM.
+To support Azure AD enrollment, MDM vendors must host and expose a **Terms of Use endpoint** and an **MDM enrollment endpoint**.
 
-2.  Enroll the device.
+- **Terms of Use endpoint**: Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting user's consent before the actual enrollment phase begins.
 
-    This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device.
+    It's important to understand the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies.
 
-To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use endpoint and an MDM enrollment endpoint.
+    The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. It's not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
 
-<a href="" id="terms-of-use-endpoint-"></a>**Terms of Use endpoint**
-Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting user’s consent before the actual enrollment phase begins.
+- **MDM enrollment endpoint**: After the users accept the Terms of Use, the device is registered in Azure AD. Automatic MDM enrollment begins.
 
-It’s important to understand the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies.
+    The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
 
-The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. It’s not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
+    [![azure ad enrollment flow](images/azure-ad-enrollment-flow.png)](images/azure-ad-enrollment-flow.png#lightbox)
 
-<a href="" id="mdm-enrollment-endpoint"></a>**MDM enrollment endpoint**
-After the users accepts the Terms of Use, the device is registered in Azure AD. Automatic MDM enrollment begins.
+    The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article.
 
-The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
-
-![azure ad enrollment flow.](images/azure-ad-enrollment-flow.png)
-
-The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article.
-
-## Make the MDM a reliable party of Azure AD
+## Make MDM a reliable party of Azure AD
 
 To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Azure AD. To report compliance with Azure AD, the MDM must authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api).
 
-### Add a cloud-based MDM
+### Cloud-based MDM
 
 A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
 
-The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661).
+The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. For more information about how to add multi-tenant applications to Azure AD, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multi-tenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub.
 
 > [!NOTE]
-> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
+> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow the step-by-step guides below:
+>
+> - [Quickstart: Create a new tenant in Azure Active Directory](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to set up a tenant.
+> - [Associate or add an Azure subscription to your Azure Active Directory tenant](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to add a subscription, and manage it via the Azure Portal.
 
-The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, whatever the customer tenant the managed device belongs.
+The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, in the customer tenant where the managed device belongs.
 
 > [!NOTE]
-> All MDM apps must implement Azure AD V2 tokens before we certify that integration works. Due to changes in the Azure AD app platform, using Azure AD V2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats-and-ownership).
+> All MDM apps must implement Azure AD V2 tokens before we certify that integration works. Due to changes in the Azure AD app platform, using Azure AD V2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats).
 
-Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery.
+### On-premises MDM
 
-1.  Log on to the Azure Management Portal using an admin account in your home tenant.
+An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. Also, each instance of an on-premises MDM application must be registered separately and have a separate key for authentication with Azure AD.
 
-2.  In the left navigation, select **Active Directory**.
-
-3.  Select the directory tenant where you want to register the application.
-
-    Ensure you're logged into your home tenant.
-
-4.  Select the **Applications** tab.
-
-5.  In the drawer, select **Add**.
-
-6.  Select **Add an application my organization is developing**.
-
-7.  Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then select **Next**.
-
-8.  Enter the logon URL for your MDM service.
-
-9.  For the App ID, enter `https://<your_tenant_name>/ContosoMDM`, then select OK.
-
-10. While still in the Azure portal, select the **Configure** tab of your application.
-
-11. Mark your application as **multi-tenant**.
-
-12. Find the client ID value and copy it.
-
-    You'll need this ID later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery.
-
-13. Generate a key for your application and copy it.
-
-    You need this key to call the Microsoft Graph API to report device compliance. This information is covered in the next section.
-
-For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
-
-### Add an on-premises MDM
-
-An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. Also, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD.
-
-To add an on-premises MDM application to the tenant, use the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application**. Administrators can configure the required URLs for enrollment and Terms of Use.
+To add an on-premises MDM application to the tenant, use the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application** > **Create your own application**. Administrators can configure the required URLs for enrollment and Terms of Use.
 
 Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance.
 
@@ -173,24 +108,21 @@ The application keys used by your MDM service are a sensitive resource. They sho
 
 For security best practices, see [Windows Azure Security Essentials](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
 
-You can roll over the application keys used by a cloud-based MDM service without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant.
+For cloud-based MDM, you can roll over the application keys without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant.
 
 For the on-premises MDM, the Azure AD authentication keys are within the customer tenant and must be rolled over by the customer's administrator. To improve security, provide guidance to customers about rolling over and protecting the keys.
 
 ## Publish your MDM app to Azure AD app gallery
 
-
 IT administrators use the Azure AD app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Azure AD.
 
-The following image show how MDM applications show up in the Azure app gallery.
-
-![azure ad add an app for mdm.](images/azure-ad-app-gallery.png)
-
 ### Add cloud-based MDM to the app gallery
 
 > [!NOTE]
 > You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application
 
+To publish your application, [submit a request to publish your application in Azure Active Directory application gallery](/azure/active-directory/manage-apps/v2-howto-app-gallery-listing)
+
 The following table shows the required information to create an entry in the Azure AD app gallery.
 
 |Item|Description|
@@ -201,8 +133,6 @@ The following table shows the required information to create an entry in the Azu
 |**Description**|A brief description of your MDM app, which must be under 255 characters.|
 |**Icons**|A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215|
 
-
-
 ### Add on-premises MDM to the app gallery
 
 There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant.
@@ -215,11 +145,11 @@ The pages rendered by the MDM in the integrated enrollment process must use Wind
 
 There are three distinct scenarios:
 
-1.  MDM enrollment as part of Azure AD Join in Windows OOBE.
-2.  MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**.
-3.  MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD).
+1. MDM enrollment as part of Azure AD Join in Windows OOBE.
+1. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**.
+1. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD).
 
-These scenarios support Windows client Pro, Enterprise, and Education.
+These scenarios support Windows Pro, Enterprise, and Education.
 
 The CSS files provided by Microsoft contain version information and we recommend that you use the latest version. There are separate CSS files for Windows client devices, OOBE, and post-OOBE experiences. [Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip).
 
@@ -256,7 +186,7 @@ The following parameters are passed in the query string:
 
 Azure AD issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format:
 
-**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw…
+**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw...
 
 The following claims are expected in the access token passed by Windows to the Terms of Use endpoint:
 
@@ -267,13 +197,12 @@ The following claims are expected in the access token passed by Windows to the T
 |TID|A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.|
 |Resource|A sanitized URL representing the MDM application. Example: `https://fabrikam.contosomdm.com` |
 
-
 > [!NOTE]
 > There's no device ID claim in the access token because the device may not yet be enrolled at this time.
 
 To retrieve the list of group memberships for the user, you can use the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api).
 
-Here's an example URL.
+Here's an example URL:
 
 ```http
 https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0
@@ -288,8 +217,8 @@ The MDM may do other more redirects as necessary before displaying the Terms of
 
 The Terms of Use content should contain the following buttons:
 
--   **Accept** - the user accepts the Terms of Use and proceeds with enrollment.
--   **Decline** - the user declines and stops the enrollment process.
+- **Accept** - the user accepts the Terms of Use and proceeds with enrollment.
+- **Decline** - the user declines and stops the enrollment process.
 
 The Terms of Use content must be consistent with the theme used for the other pages rendered during this process.
 
@@ -297,13 +226,13 @@ The Terms of Use content must be consistent with the theme used for the other pa
 
 At this point, the user is on the Terms of Use page shown during the OOBE or from the Setting experiences. The user has the following options on the page:
 
--   **User clicks on the Accept button** - The MDM must redirect to the URI specified by the redirect\_uri parameter in the incoming request. The following query string parameters are expected:
-    -   **IsAccepted** - This Boolean value is required, and must be set to true.
-    -   **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this blob to make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. The MDM may use this parameter for correlation purposes.
-    -   Here's an example redirect - `ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true`
--   **User clicks on the Decline button** - The MDM must redirect to the URI specified in redirect\_uri in the incoming request. The following query string parameters are expected:
-    -   **IsAccepted** - This Boolean value is required, and must be set to false. This option also applies if the user skipped the Terms of Use.
-    -   **OpaqueBlob** - This parameter isn't expected to be used. The enrollment is stopped with an error message shown to the user.
+- **User clicks on the Accept button** - The MDM must redirect to the URI specified by the redirect\_uri parameter in the incoming request. The following query string parameters are expected:
+  - **IsAccepted** - This Boolean value is required, and must be set to true.
+  - **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this blob to make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. The MDM may use this parameter for correlation purposes.
+  - Here's an example redirect - `ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true`
+- **User clicks on the Decline button** - The MDM must redirect to the URI specified in redirect\_uri in the incoming request. The following query string parameters are expected:
+  - **IsAccepted** - This Boolean value is required, and must be set to false. This option also applies if the user skipped the Terms of Use.
+  - **OpaqueBlob** - This parameter isn't expected to be used. The enrollment is stopped with an error message shown to the user.
 
 Users skip the Terms of Use when they're adding a Microsoft work account to their device. However, they can't skip it during the Azure AD Join process. Don't show the decline button in the Azure AD Join process. MDM enrollment can't be declined by the user if configured by the administrator for the Azure AD Join.
 
@@ -311,7 +240,7 @@ We recommend that you send the client-request-id parameters in the query string
 
 ### Terms Of Use Error handling
 
-If an error occurs during the terms of use processing, the MDM can return two parameters – an error and error\_description parameter in its redirect request back to Windows. The URL should be encoded, and the contents of the error\_description should be in English plain text. This text isn't visible to the end-user. So, localization of the error description text isn't a concern.
+If an error occurs during the terms of use processing, the MDM can return two parameters - an `error` and `error_description` parameter in its redirect request back to Windows. The URL should be encoded, and the contents of the `error_description` should be in English plain text. This text isn't visible to the end-user. So, localization of the `error_description` text isn't a concern.
 
 Here's the URL format:
 
@@ -334,7 +263,6 @@ The following table shows the error codes.
 |Azure AD token validation failed|302|unauthorized_client|unauthorized_client|
 |internal service error|302|server_error|internal service error|
 
-
 ## Enrollment protocol with Azure AD
 
 With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.
@@ -355,41 +283,43 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove
 |Enrolled certificate store|My/User|My/System|My/User|
 |CSR subject name|User Principal Name|Device ID|User Principal Name|
 |EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL|Not supported|Supported|Supported|
-|CSPs accessible during enrollment|Windows 10 support: <br/>- DMClient <br/>- CertificateStore <br/>- RootCATrustedCertificates <br/> - ClientCertificateInstall <br/>- EnterpriseModernAppManagement <br/> - PassportForWork <br/> - Policy <br/> - w7 APPLICATION|||
+|CSPs accessible during enrollment|Windows 10 support: <br/>- DMClient <br/>- CertificateStore <br/>- RootCATrustedCertificates <br/> - ClientCertificateInstall <br/>- EnterpriseModernAppManagement <br/> - PassportForWork <br/> - Policy <br/> - w7 APPLICATION|||
 
 ## Management protocol with Azure AD
 
 There are two different MDM enrollment types that integrate with Azure AD, and use Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
 
-<a href="" id="multiple-user-management-for-azure-ad-joined-devices"></a>**Multiple user management for Azure AD-joined devices**
-In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
+- **Multiple user management for Azure AD-joined devices**
 
-<a href="" id="adding-a-work-account-and-mdm-enrollment-to-a-device"></a>**Adding a work account and MDM enrollment to a device**
-In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
+  In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
 
-<a href="" id="evaluating-azure-ad-user-tokens"></a>**Evaluating Azure AD user tokens**
-The Azure AD token is in the HTTP Authorization header in the following format:
+- **Adding a work account and MDM enrollment to a device**:
 
-```console
-Authorization:Bearer <Azure AD User Token Inserted here>
-```
+  In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
 
-More claims may be present in the Azure AD token, such as:
+- **Evaluating Azure AD user tokens**:
 
--   User - user currently logged in
--   Device compliance - value set the MDM service into Azure
--   Device ID - identifies the device that is checking in
--   Tenant ID
+  The Azure AD token is in the HTTP Authorization header in the following format:
 
-Access tokens issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens:
+  ```console
+  Authorization:Bearer <Azure AD User Token Inserted here>
+  ```
 
--   Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
--   Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
+  More claims may be present in the Azure AD token, such as:
 
+  - User - user currently logged in
+  - Device compliance - value set the MDM service into Azure
+  - Device ID - identifies the device that is checking in
+  - Tenant ID
+
+  Access tokens issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens:
+
+  - Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
+  - Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
 
 ## Device Alert 1224 for Azure AD user token
 
-An alert is sent when the DM session starts and there's an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example:
+An alert is sent when the DM session starts and there's an Azure AD user logged in. The alert is sent in OMA DM package #1. Here's an example:
 
 ```xml
 Alert Type: com.microsoft/MDM/AADUserToken
@@ -401,25 +331,25 @@ Alert sample:
   <Data>1224</Data>
   <Item>
    <Meta>
-    <Type xmlns=”syncml:metinf”>com.microsoft/MDM/AADUserToken</Type>
+    <Type xmlns= "syncml:metinf ">com.microsoft/MDM/AADUserToken</Type>
    </Meta>
    <Data>UserToken inserted here</Data>
   </Item>
  </Alert>
- … other XML tags …
+ ... other XML tags ...
 </SyncBody>
 ```
 
 ## Determine when a user is logged in through polling
 
-An alert is sent to the MDM server in DM package\#1.
+An alert is sent to the MDM server in DM package \#1.
 
--   Alert type - com.microsoft/MDM/LoginStatus
--   Alert format - chr
--   Alert data - provide sign-in status information for the current active logged in user.
-    -   Signed-in user who has an Azure AD account - predefined text: user.
-    -   Signed-in user without an Azure AD account- predefined text: others.
-    -   No active user - predefined text:none
+- Alert type - com.microsoft/MDM/LoginStatus
+- Alert format - chr
+- Alert data - provide sign-in status information for the current active logged in user.
+  - Signed-in user who has an Azure AD account - predefined text: user.
+  - Signed-in user without an Azure AD account- predefined text: others.
+  - No active user - predefined text:none
 
 Here's an example.
 
@@ -430,12 +360,12 @@ Here's an example.
   <Data>1224</Data>
   <Item>
    <Meta>
-    <Type xmlns=”syncml:metinf”>com.microsoft/MDM/LoginStatus</Type>
+    <Type xmlns= "syncml:metinf ">com.microsoft/MDM/LoginStatus</Type>
    </Meta>
    <Data>user</Data>
   </Item>
  </Alert>
- … other XML tags …
+ ... other XML tags ...
 </SyncBody>
 ```
 
@@ -445,21 +375,21 @@ Once a device is enrolled with the MDM for management, organization policies con
 
 For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822).
 
--   **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Azure AD.
--   **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
+- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Azure AD.
+- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
 
 ### Use Microsoft Graph API
 
 The following sample REST API call illustrates how an MDM can use the Microsoft Graph API to report compliance status of a device being managed by it.
 
 > [!NOTE]
-> This API is only applicable for approved MDM apps on Windows 10 devices.
+> This API is only applicable for approved MDM apps on Windows devices.
 
 ```console
 Sample Graph API Request:
 
 PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1
-Authorization: Bearer eyJ0eXAiO………
+Authorization: Bearer eyJ0eXAiO.........
 Accept: application/json
 Content-Type: application/json
 {  "isManaged":true,
@@ -469,16 +399,16 @@ Content-Type: application/json
 
 Where:
 
--   **contoso.com** – This value is the name of the Azure AD tenant to whose directory the device has been joined.
--   **db7ab579-3759-4492-a03f-655ca7f52ae1** – This value is the device identifier for the device whose compliance information is being reported to Azure AD.
--   **eyJ0eXAiO**……… – This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request.
--   **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
--   **api-version** - Use this parameter to specify which version of the graph API is being requested.
+- **contoso.com** - This value is the name of the Azure AD tenant to whose directory the device has been joined.
+- **db7ab579-3759-4492-a03f-655ca7f52ae1** - This value is the device identifier for the device whose compliance information is being reported to Azure AD.
+- **eyJ0eXAiO**......... - This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request.
+- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
+- **api-version** - Use this parameter to specify which version of the graph API is being requested.
 
 Response:
 
--   Success - HTTP 204 with No Content.
--   Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found.
+- Success - HTTP 204 with No Content.
+- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found.
 
 ## Data loss during unenrollment from Azure Active Directory Join
 
@@ -488,41 +418,4 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di
 
 ## Error codes
 
-|Code|ID|Error message|
-|--- |--- |--- |
-|0x80180001|"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
-|0x80180002|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x80180003|"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x80180004|"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x80180005|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
-|0x80180006|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
-|0x80180007|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x80180008|"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
-|0x80180009|"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS|Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x8018000A|"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED|This device is already enrolled. You can contact your system administrator with the error code {0}.|
-|0x8018000D|"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x8018000E|"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x8018000F|"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x80180010|"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
-|0x80180012|"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x80180013|"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.|
-|0x80180014|"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED|This feature isn't supported. Contact your system administrator with the error code {0}.|
-|0x80180015|"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED|This feature isn't supported. Contact your system administrator with the error code {0}.|
-|0x80180016|"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW|The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x80180017|"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE|The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.|
-|0x80180018|"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE|There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x80180019|"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID|Looks like the server isn't correctly configured. You can try to do this again or contact your system administrator with the error code {0}.|
-|"rejectedTermsOfUse"|"idErrorRejectedTermsOfUse"|Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.|
-|0x801c0001|"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
-|0x801c0002|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x801c0003|"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x801c0006|"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
-|0x801c000B|"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED|The server being contacted isn't trusted. Contact your system administrator with the error code {0}.|
-|0x801c000C|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
-|0x801c000E|"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.|
-|0x801c000F|"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT|A reboot is required to complete device registration.|
-|0x801c0010|"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR|Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.|
-|0x801c0011|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x801c0012|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
-|0x801c0013|"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x801c0014|"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+[!INCLUDE [Enrollment error codes](includes/mdm-enrollment-error-codes.md)]

windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md

@@ -1,33 +1,29 @@
 ---
-title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal
-description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal
+title: Automatic MDM enrollment in the Intune admin center
+description: Automatic MDM enrollment in the Intune admin center
 ms.author: vinpa
 ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date: 12/18/2020
-ms.reviewer: 
+ms.date: 04/05/2023
+ms.reviewer:
 manager: aaroncz
+appliesto:
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
-# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Intune admin center
+# Automatic MDM enrollment in the Intune admin center
 
-Microsoft Intune can be accessed directly using its own admin center. For more information, go to:
-
-- [Tutorial: Walkthrough Intune in Microsoft Intune admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
-- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-If you use the Azure portal, then you can access Intune using the following steps:
+Windows devices can be enrolled in to Intune automatically when they join or register with Azure Active Directory. Automatic enrollment can be configured in Azure Portal.
 
 1. Go to your Azure AD Blade.
-2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
-3. Select **Microsoft Intune** and configure the blade. 
 
-![How to get to the Blade.](images/azure-mdm-intune.png) 
+1. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
 
-Configure the blade                                                                      
+1. Select **Microsoft Intune** and configure the blade. You can specify settings to allow **All** users to enroll a device, or choose to allow **Some** users (and specify a group).
 
-![Configure the Blade.](images/azure-intune-configure-scope.png) 
+   ![Configure the Blade.](images/azure-intune-configure-scope.png)
 
-You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users). 
+1. Select **Save** to configure MDM auto-enrollment for Azure AD joined devices and bring-your-own-device scenarios.

windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md

@@ -1,50 +1,52 @@
 ---
 title: Bulk enrollment
-description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and Windows 11.
-MS-HAID: 
-  - 'p\_phdevicemgmt.bulk\_enrollment'
-  - 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
-ms.reviewer: 
+description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices.
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date: 06/26/2017
+ms.date: 04/05/2023
+appliesto:
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
-# Bulk enrollment
+# Bulk enrollment using Windows Configuration Designer
 
-Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
+Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join enrollment scenario.
 
 ## Typical use cases
 
--   Set up devices in bulk for large organizations to be managed by MDM.
--   Set up kiosks, such as ATMs or point-of-sale (POS) terminals.
--   Set up school computers.
--   Set up industrial machinery.
--   Set handheld POS devices.
+- Set up devices in bulk for large organizations to be managed by MDM.
+- Set up kiosks, such as ATMs or point-of-sale (POS) terminals.
+- Set up school computers.
+- Set up industrial machinery.
+- Set handheld POS devices.
 
-On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain.
+On the desktop, you can create an Active Directory account, such as `enrollment@contoso.com` and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain.
 
 On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as `enroll@contoso.com` and `enrollmentpassword`. These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
 
 > [!NOTE]
-> -   Bulk-join is not supported in Azure Active Directory Join.
-> -   Bulk enrollment does not work in Intune standalone environment.
-> -   Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console.
-> -   To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
-> -   Bulk Token creation is not supported with federated accounts.
+>
+> - Bulk-join is not supported in Azure Active Directory Join.
+> - Bulk enrollment does not work in Intune standalone environment.
+> - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console.
+> - To change bulk enrollment settings, login to **Azure AD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
+> - Bulk Token creation is not supported with federated accounts.
 
 ## What you need
 
--   Windows 10 devices.
--   Windows Configuration Designer (WCD) tool.
+- Windows devices.
+- Windows Configuration Designer (WCD) tool.
 
     To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd).
--   Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.).
--   Wi-Fi credentials, computer name scheme, and anything else required by your organization.
+
+- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.).
+- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
 
     Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain.
 
@@ -53,112 +55,105 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
 Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
 
 1. Open the WCD tool.
-2. Select **Advanced Provisioning**.
+1. Select **Advanced Provisioning**.
 
    ![icd start page.](images/bulk-enrollment7.png)
-3. Enter a project name and select **Next**.
-4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then select **Next**.
-5. Skip **Import a provisioning package (optional)** and select **Finish**.
-6. Expand **Runtime settings** &gt; **Workplace**.
-7. Select **Enrollments**, enter a value in **UPN**, and then select **Add**.
-   The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
-8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
-   Here's the list of available settings:
-   -   **AuthPolicy** - Select **OnPremise**.
-   -   **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
-   -   **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
-   -   **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
-   -   **Secret** - Password
-   For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md).
-   Here's the screenshot of the WCD at this point.
+
+1. Enter a project name and select **Next**.
+1. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then select **Next**.
+1. Skip **Import a provisioning package (optional)** and select **Finish**.
+1. Expand **Runtime settings** > **Workplace**.
+1. Select **Enrollments**, enter a value in **UPN**, and then select **Add**. The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as `enrollment@contoso.com`.
+1. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. Here's the list of available settings:
+
+   - **AuthPolicy** - Select **OnPremise**.
+   - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
+   - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
+   - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
+   - **Secret** - Password
+
+   For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). Here's the screenshot of the WCD at this point.
 
     ![bulk enrollment screenshot.](images/bulk-enrollment.png)
-9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
-10. When you're done adding all the settings, on the **File** menu, select **Save**.
-11. On the main menu, select **Export** &gt; **Provisioning package**.
+
+1. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
+1. When you're done adding all the settings, on the **File** menu, select **Save**.
+1. On the main menu, select **Export** > **Provisioning package**.
 
     ![icd menu for export.](images/bulk-enrollment2.png)
-12. Enter the values for your package and specify the package output location.
+
+1. Enter the values for your package and specify the package output location.
 
     ![enter package information.](images/bulk-enrollment3.png)
     ![enter additional information for package information.](images/bulk-enrollment4.png)
     ![specify file location.](images/bulk-enrollment6.png)
-13. Select **Build**.
+
+1. Select **Build**.
 
     ![icb build window.](images/bulk-enrollment5.png)
-14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
-15. Apply the package to your devices.
+
+1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
+1. Apply the package to your devices.
 
 ## Create and apply a provisioning package for certificate authentication
 
 Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
 
 1. Open the WCD tool.
-2. Select **Advanced Provisioning**.
-3. Enter a project name and select **Next**.
-4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions.
-5. Skip **Import a provisioning package (optional)** and select **Finish**.
-6. Specify the certificate.
-   1.  Go to **Runtime settings** &gt; **Certificates** &gt; **ClientCertificates**.
-   2.  Enter a **CertificateName** and then select **Add**.
-   3.  Enter the **CertificatePasword**.
-   4.  For **CertificatePath**, browse and select the certificate to be used.
-   5.  Set **ExportCertificate** to False.
-   6.  For **KeyLocation**, select **Software only**.
+1. Select **Advanced Provisioning**.
+1. Enter a project name and select **Next**.
+1. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions.
+1. Skip **Import a provisioning package (optional)** and select **Finish**.
+1. Specify the certificate:
+
+   1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**.
+   1. Enter a **CertificateName** and then select **Add**.
+   1. Enter the **CertificatePassword**.
+   1. For **CertificatePath**, browse and select the certificate to be used.
+   1. Set **ExportCertificate** to False.
+   1. For **KeyLocation**, select **Software only**.
 
    ![icd certificates section.](images/bulk-enrollment8.png)
-7. Specify the workplace settings.
-   1. Got to **Workplace** &gt; **Enrollments**.
-   2. Enter the **UPN** for the enrollment and then select **Add**.
-      The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
-   3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
-      Here's the list of available settings:
-      -   **AuthPolicy** - Select **Certificate**.
-      -   **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
-      -   **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
-      -   **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
-      -   **Secret** - the certificate thumbprint.
-      For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md).
-8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
-9. When you're done adding all the settings, on the **File** menu, select **Save**.
-10. Export and build the package (steps 10-13 in the procedure above).
-11. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
-12. Apply the package to your devices.
+
+1. Specify the workplace settings.
+
+   1. Got to **Workplace** > **Enrollments**.
+   1. Enter the **UPN** for the enrollment and then select **Add**. The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as `enrollment@contoso.com`.
+   1. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. Here's the list of available settings:
+      - **AuthPolicy** - Select **Certificate**.
+      - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
+      - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
+      - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
+      - **Secret** - the certificate thumbprint.
+
+   For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md).
+
+1. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
+1. When you're done adding all the settings, on the **File** menu, select **Save**.
+1. Export and build the package (steps 10-13 in the procedure above).
+1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
+1. Apply the package to your devices.
 
 ## Apply a provisioning package
 
-Here's the list of articles about applying a provisioning package:
+- [Apply a package during initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#during-initial-setup)
+- [Apply a package after initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup)
+- [Apply a package directly](/windows/configuration/provisioning-packages/provisioning-apply-package#apply-directly)
+- [Apply a package from the Settings app](/windows/configuration/provisioning-packages/provisioning-apply-package#windows-settings).
 
--   [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package)
--   [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image)
--   [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - article below
+## Validate that the provisioning package was applied
 
-## Apply a package from the Settings menu
-
-1.  Go to **Settings** &gt; **Accounts** &gt; **Access work or school**.
-2.  Select **Add or remove a provisioning package**.
-3.  Select **Add a package**.
-
-## <a href="" id="validate-that-the-provisioning-package-was-applied-"></a>Validate that the provisioning package was applied
-
-1.  Go to **Settings** &gt; **Accounts** &gt; **Access work or school**.
-2.  Select **Add or remove a provisioning package**.
-    You should see your package listed.
+1. Go to **Settings** > **Accounts** > **Access work or school**.
+1. Select **Add or remove a provisioning package**. You should see your package listed.
 
 ## Retry logic if there's a failure
 
-If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row.
+- If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row.
+- If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from the SYSTEM context.
+- It will also retry to apply the provisioning each time it's launched, if started from somewhere else as well.
+- In addition, provisioning will be restarted in the SYSTEM context after a sign in and the [system has been idle](/windows/win32/taskschd/task-idle-conditions).
 
-If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -&gt; 1 hr -&gt; 4 hr -&gt; "Next System Start". These attempts will be run from a SYSTEM context.
-
-It will also retry to apply the provisioning each time it's launched, if started from somewhere else as well.
-
-In addition, provisioning will be restarted in a SYSTEM context after a sign in and the system has been idle ([details on idle conditions](/windows/win32/taskschd/task-idle-conditions)).
-
-## Other provisioning articles
-
-Here are links to step-by-step provisioning articles:
-
--   [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps)
--   [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment)
+## Related articles
 
+- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps)
+- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment)

windows/client-management/certificate-authentication-device-enrollment.md

@@ -1,30 +1,28 @@
 ---
 title: Certificate authentication device enrollment
 description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy.
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date: 06/26/2017
+ms.date: 04/05/2023
+appliesto:
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # Certificate authentication device enrollment
 
-This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347).
+This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows devices, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347).
 
-> [!Note]
+> [!NOTE]
 > To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package).
 
-## In this topic
-
--   [Discovery service](#discovery-service)
--   [Enrollment policy web service](#enrollment-policy-web-service)
--   [Enrollment web service](#enrollment-web-service)
-
-For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
+> [!NOTE]
+> For the list of enrollment scenarios not supported in Windows, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
 
 ## Discovery Service
 
@@ -37,34 +35,33 @@ User-Agent: Windows Enrollment Client
 Host: EnterpriseEnrollment.Contoso.com
 Content-Length: xxx
 Cache-Control: no-cache
-
 <?xml version="1.0"?>
-<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" 
-   xmlns:s="http://www.w3.org/2003/05/soap-envelope"> 
-   <s:Header> 
+<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
+   xmlns:s="http://www.w3.org/2003/05/soap-envelope">
+   <s:Header>
       <a:Action s:mustUnderstand="1">
  http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover
-      </a:Action> 
-      <a:MessageID>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID> 
-      <a:ReplyTo> 
-         <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address> 
-      </a:ReplyTo> 
+      </a:Action>
+      <a:MessageID>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID>
+      <a:ReplyTo>
+         <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
+      </a:ReplyTo>
       <a:To s:mustUnderstand="1">
          https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc
-      </a:To> 
-   </s:Header> 
-   <s:Body> 
-      <Discover xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment/"> 
-         <request xmlns:i="http://www.w3.org/2001/XMLSchema-instance"> 
+      </a:To>
+   </s:Header>
+   <s:Body>
+      <Discover xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment/">
+         <request xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
             <EmailAddress>user@contoso.com</EmailAddress>
             <OSEdition>101</OSEdition> <!--New in Windows 10-->
             <OSVersion>10.0.0.0</OSVersion> <!--New in Windows 10-->
-            <RequestVersion>3.0</RequestVersion> <!--Updated in Windows 10-->   
+            <RequestVersion>3.0</RequestVersion> <!--Updated in Windows 10-->
             <ApplicationVersion>10.0.0.0</ApplicationVersion>
             <AuthPolicies>Certificate</AuthPolicies> <!--New in Windows 10-->
-         </request> 
-      </Discover> 
-   </s:Body> 
+         </request>
+      </Discover>
+   </s:Body>
 </s:Envelope>
 ```
 
@@ -76,7 +73,7 @@ Content-Length: 865
 Content-Type: application/soap+xml; charset=utf-8
 Server: EnterpriseEnrollment.Contoso.com
 Date: Tue, 02 Aug 2012 00:32:56 GMT
-<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" 
+<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
    xmlns:a="http://www.w3.org/2005/08/addressing">
    <s:Header>
       <a:Action s:mustUnderstand="1">
@@ -87,9 +84,9 @@ http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoverySer
       </ActivityId>
       <a:RelatesTo>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:RelatesTo>
    </s:Header>
-   <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+   <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:xsd="http://www.w3.org/2001/XMLSchema">
-      <DiscoverResponse 
+      <DiscoverResponse
          xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
          <DiscoverResult>
             <AuthPolicy>Certificate</AuthPolicy>
@@ -117,11 +114,11 @@ User-Agent: Windows Enrollment Client
 Host: enrolltest.contoso.com
 Content-Length: xxxx
 Cache-Control: no-cache
-<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" 
-   xmlns:a="http://www.w3.org/2005/08/addressing"  
+<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
+   xmlns:a="http://www.w3.org/2005/08/addressing"
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
-   xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" 
+   xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
    <s:Header>
       <a:Action s:mustUnderstand="1">
@@ -135,16 +132,16 @@ Cache-Control: no-cache
          https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
       </a:To>
       <wsse:Security s:mustUnderstand="1">
-         <wsse:BinarySecurityToken  wsse:ValueType="X509v3” wsse:Id="mytoken” wsse:EncodingType=
+         <wsse:BinarySecurityToken  wsse:ValueType="X509v3" wsse:Id="mytoken" wsse:EncodingType=
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
            xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                   B64EncodedSampleBinarySecurityToken
-         </wsse:BinarySecurityToken>  
+         </wsse:BinarySecurityToken>
       </wsse:Security>
    </s:Header>
-   <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+   <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:xsd="http://www.w3.org/2001/XMLSchema">
-      <GetPolicies 
+      <GetPolicies
          xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
          <client>
             <lastUpdate xsi:nil="true"/>
@@ -190,29 +187,29 @@ Content-Type: application/soap+xml
 Content-Length: xxxx
 
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<s:Envelope 
+<s:Envelope
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
-   xmlns:s="http://www.w3.org/2003/05/soap-envelope" 
+   xmlns:s="http://www.w3.org/2003/05/soap-envelope"
    xmlns:a="http://www.w3.org/2005/08/addressing">
    <s:Header>
       <a:Action s:mustUnderstand="1">
    http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse
       </a:Action>
-      <ActivityId CorrelationId="08d2997e-e8ac-4c97-a4ce-d263e62186ab" 
+      <ActivityId CorrelationId="08d2997e-e8ac-4c97-a4ce-d263e62186ab"
          xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">
          d4335d7c-e192-402d-b0e7-f5d550467e3c</ActivityId>
       <a:RelatesTo>urn:uuid: 69960163-adad-4a72-82d2-bb0e5cff5598</a:RelatesTo>
    </s:Header>
-   <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+   <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:xsd="http://www.w3.org/2001/XMLSchema">
-      <GetPoliciesResponse 
+      <GetPoliciesResponse
          xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
-         <response>   
-            <policyFriendlyName xsi:nil="true" 
+         <response>
+            <policyFriendlyName xsi:nil="true"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
-            <nextUpdateHours xsi:nil="true" 
+            <nextUpdateHours xsi:nil="true"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
-            <policiesNotChanged xsi:nil="true" 
+            <policiesNotChanged xsi:nil="true"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
             <policies>
                <policy>
@@ -268,11 +265,11 @@ Host: enrolltest.contoso.com
 Content-Length: 3242
 Cache-Control: no-cache
 
-<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" 
-   xmlns:a="http://www.w3.org/2005/08/addressing" 
+<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
+   xmlns:a="http://www.w3.org/2005/08/addressing"
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
-   xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" 
+   xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
    <s:Header>
       <a:Action s:mustUnderstand="1">
@@ -289,36 +286,35 @@ Cache-Control: no-cache
          <wsu:Timestamp>
             <wsu:Created>2014-10-16T17:55:13Z</wsu:Created> <!-- Start time in UTC -->
             <wsu:Expires>2014-10-16T17:57:13Z </wsu:Expires> <!-- Expiration time in UTC -->
-        </wsu:Timestamp> 
+        </wsu:Timestamp>
         <wsse:BinarySecurityToken  wsse:ValueType=
 http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken
                   wsse:EncodingType=
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
                   xmlns=
           http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
-                  wsu:Id=”29801C2F-F26B-46AD-984B-AFAEFB545FF8”>
+                  wsu:Id="29801C2F-F26B-46AD-984B-AFAEFB545FF8">
                   B64EncodedSampleBinarySecurityToken
-         </wsse:BinarySecurityToken> <!—X509v3 Exported Public Cert, B64 Encoded, includes ID reference value to reference  -->
+         </wsse:BinarySecurityToken> <!-X509v3 Exported Public Cert, B64 Encoded, includes ID reference value to reference  -->
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-            <ds:SignedInfo xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" 
-                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
-                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
-                            1.0.xsd”>
+            <ds:SignedInfo xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
+                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility- 1.0.xsd">
                <ds:SignatureMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1/>
                <ds:Reference URI="#envelop">
-                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/> 
+                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/>
                   <ds:DigestValue>MessageDigestValue</ds:DigestValue>
                      <!-- Digest value of message using digest method -->
                </ds:Reference>
             </ds:SignedInfo>
-            <ds:SignatureValue>SignedMessageBlob/ds:SignatureValue> 
-                <!-- Digest value of message signed with the user’s private key using RSA-SHA256 -->
+            <ds:SignatureValue>SignedMessageBlob/ds:SignatureValue>
+                <!-- Digest value of message signed with the user's private key using RSA-SHA256 -->
             <ds:KeyInfo>
-               <wsse:SecurityTokenReference> 
-                  <wsse:Reference URI="29801C2F-F26B-46AD-984B-AFAEFB545FF8" 
+               <wsse:SecurityTokenReference>
+                  <wsse:Reference URI="29801C2F-F26B-46AD-984B-AFAEFB545FF8"
                                   ValueType="http://docs.oasis-open.org/wss/2004/01/
                                   oasis-200401-wss-x509-token-profile-1.0#X509"/>
-                  <!-— References BinarySecurityToken that contains public key to verify signature -->
+                  <!-- References BinarySecurityToken that contains public key to verify signature -->
                </wsse:SecurityTokenReference>
             </ds:KeyInfo>
          </ds:Signature>
@@ -331,8 +327,8 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol
          </wst:TokenType>
          <wst:RequestType>
             http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
-         <wsse:BinarySecurityToken 
-            ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10" 
+         <wsse:BinarySecurityToken
+            ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"
             EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">
             DER format PKCS#10 certificate request in Base64 encoding Insterted Here
          </wsse:BinarySecurityToken>
@@ -354,7 +350,7 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol
               </ac:ContextItem>
                      </ac:ContextItem>
             <ac:ContextItem Name="DeviceID"> <!--From Handheld 8.1 -->
-               <ac:Value>7BA748C8-703E-4DF2-A74A-92984117346A</ac:Value> 
+               <ac:Value>7BA748C8-703E-4DF2-A74A-92984117346A</ac:Value>
                <ac:ContextItem Name="EnrollmentData">
                <ac:Value>3J4KLJ9SDJFAL93JLAKHJSDFJHAO83HAKSHFLAHSKFNHNPA2934342</ac:Value>
                <ac:ContextItem Name="TargetedUserLoggedIn">
@@ -376,8 +372,8 @@ Content-Type: application/soap+xml; charset=utf-8
 Server: Microsoft-IIS/7.0
 Date: Fri, 03 Aug 2012 00:32:59 GMT
 
-<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" 
-   xmlns:a="http://www.w3.org/2005/08/addressing" 
+<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
+   xmlns:a="http://www.w3.org/2005/08/addressing"
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
       <Action s:mustUnderstand="1" >
@@ -393,14 +389,14 @@ Date: Fri, 03 Aug 2012 00:32:59 GMT
       </o:Security>
    </s:Header>
    <s:Body>
-      <RequestSecurityTokenResponseCollection 
+      <RequestSecurityTokenResponseCollection
          xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
          <RequestSecurityTokenResponse>
             <TokenType>
     http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
             </TokenType>
             <RequestedSecurityToken>
-               <BinarySecurityToken 
+               <BinarySecurityToken
                   ValueType=
 "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc"
                   EncodingType=
@@ -433,17 +429,17 @@ The following example shows the encoded provisioning XML.
       </characteristic>
    </characteristic>
    <characteristic type="CertificateStore">
-      <characteristic type="My" >      
+      <characteristic type="My" >
          <characteristic type="User">
             <characteristic type="F9A4F20FC50D990FDD0E3DB9AFCBF401818D5462">
                <parm name="EncodedCertificate" value="B64EncodedCertInsertedHere" />
             </characteristic>
-            <characteristic type="PrivateKeyContainer"/> 
-            <!-- This tag must be present for XML syntax correctness. -->            
+            <characteristic type="PrivateKeyContainer"/>
+            <!-- This tag must be present for XML syntax correctness. -->
          </characteristic>
          <characteristic type="WSTEP">
             <characteristic type="Renew">
-             <!—If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. -->
+             <!--If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. -->
                <parm name="ROBOSupport" value="true" datatype="boolean"/>
                <parm name="RenewPeriod" value="60" datatype="integer"/>
                <parm name="RetryInterval" value="4" datatype="integer"/>
@@ -480,14 +476,14 @@ The following example shows the encoded provisioning XML.
       <characteristic type="Provider">
 <!-- ProviderID in DMClient CSP must match to PROVIDER-ID in w7 APPLICATION characteristics -->
     <characteristic type="TestMDMServer">
-          <parm name="UPN" value="UserPrincipalName" datatype="string" /> 
+          <parm name="UPN" value="UserPrincipalName" datatype="string" />
              <characteristic type="Poll">
                 <parm name="NumberOfFirstRetries" value="8" datatype="integer" />
                 <parm name="IntervalForFirstSetOfRetries" value="15" datatype="integer" />
                 <parm name="NumberOfSecondRetries" value="5" datatype="integer" />
                 <parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
                 <parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
-<!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedule’s retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
+<!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedule's retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
          <parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
          <parm name="PollOnLogin" value="true" datatype="boolean" />
  </characteristic>
@@ -495,7 +491,7 @@ The following example shows the encoded provisioning XML.
 </characteristic>
       </characteristic>
    </characteristic>
-   <!-- For Windows 10, we have removed EnterpriseAppManagement from the enrollment 
+   <!-- For Windows 10, we have removed EnterpriseAppManagement from the enrollment
         protocol. This configuration service provider is being deprecated for Windows 10. -->
 </wap-provisioningdoc>
-```
+```

windows/client-management/certificate-renewal-windows-mdm.md

@@ -1,10 +1,7 @@
 ---
 title: Certificate Renewal
 description: Learn how to find all the resources that you need to provide continuous access to client certificates.
-MS-HAID: 
-  - 'p\_phdevicemgmt.certificate\_renewal'
-  - 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm'
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
@@ -12,29 +9,32 @@ ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
+appliesto:
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # Certificate Renewal
 
 The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account. The enrollment client gets a new client certificate from the enrollment server, and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported.
 
-> [!Note]
+> [!NOTE]
 > Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered.
 
 ## Automatic certificate renewal request
 
 Windows supports automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that doesn't require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to do client Transport Layer Security (TLS). The user security token isn't needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate-based client authentication for automatic certificate renewal.
 
-> [!Note]
+> [!NOTE]
 > Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
 
 Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate.
 
-For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP’s](mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL.
+For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP's](mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL.
 
-With automatic renewal, the PKCS\#7 message content isn’t b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content.
+With automatic renewal, the PKCS\#7 message content isn't b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content.
 
-During the automatic certificate renewal process, if the root certificate isn’t trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md).
+During the automatic certificate renewal process, if the root certificate isn't trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md).
 
 During the automatic certificate renew process, the device will deny HTTP redirect request from the server. It won't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used.
 
@@ -94,28 +94,25 @@ The following example shows the details of an automatic renewal request.
 
 ## Certificate renewal schedule configuration
 
-In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSP’s RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired.
+In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSP's RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired.
 
 For more information about the parameters, see the CertificateStore configuration service provider.
 
 Unlike manual certificate renewal, the device will not do an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead every 7 days (weekly). This change increases the chance that the device will try to connect at different days of the week.
 
-> [!Note]
-> For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval.
-
 ## Certificate renewal response
 
 When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment):
 
--   The signature of the PKCS\#7 BinarySecurityToken is correct
--   The client’s certificate is in the renewal period
--   The certificate was issued by the enrollment service
--   The requester is the same as the requester for initial enrollment
--   For standard client’s request, the client hasn’t been blocked
+- The signature of the PKCS\#7 BinarySecurityToken is correct
+- The client's certificate is in the renewal period
+- The certificate was issued by the enrollment service
+- The requester is the same as the requester for initial enrollment
+- For standard client's request, the client hasn't been blocked
 
 After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA.
 
-> [!Note]
+> [!NOTE]
 > The HTTP server response must not be chunked; it must be sent as one message.
 
 The following example shows the details of a certificate renewal response.
@@ -145,14 +142,14 @@ The following example shows the details of a certificate renewal response.
 </wap-provisioningdoc>
 ```
 
-> [!Note]
+> [!NOTE]
 > The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
 
 ## Configuration service providers supported during MDM enrollment and certificate renewal
 
 The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider.
 
--   CertificateStore
--   w7 APPLICATION
--   DMClient
--   EnterpriseAppManagement
+- CertificateStore
+- w7 APPLICATION
+- DMClient
+- EnterpriseAppManagement

windows/client-management/client-tools/administrative-tools-in-windows.md

@@ -6,24 +6,22 @@ author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
 ms.localizationpriority: medium
-ms.date: 03/28/2022
+ms.date: 04/11/2023
 ms.topic: article
 ms.collection:
-  - highpri
-  - tier2
+- highpri
+- tier2
 ms.technology: itpro-manage
+appliesto:
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # Windows Tools/Administrative Tools
 
-**Applies to**
-
-- Windows 11
-- Windows 10
-
 **Windows Tools** is a folder in the Windows 11 Control Panel. **Administrative Tools** is a folder in the Windows 10 Control Panel. These folders contain tools for system administrators and advanced users.
 
-## Windows Tools folder (Windows 11)
+## Windows Tools folder
 
 The following graphic shows the **Windows Tools** folder in Windows 11:
 
@@ -33,7 +31,7 @@ The tools in the folder might vary depending on which edition of Windows you use
 
 :::image type="content" source="images/win11-windows-tools.png" alt-text="Screenshot of the contents of the Windows Tools folder in Windows 11." lightbox="images/win11-windows-tools.png":::
 
-## Administrative Tools folder (Windows 10)
+## Administrative Tools folder
 
 The following graphic shows the **Administrative Tools** folder in Windows 10:
 

windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md

@@ -1,26 +1,22 @@
 ---
-title: Windows 10 default media removal policy
-description: In Windows 10, version 1809, the default removal policy for external storage media changed from Better performance to Quick removal.
+title: Windows default media removal policy
+description: In Windows 10 and later, the default removal policy for external storage media changed from Better performance to Quick removal.
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
-ms.date: 11/25/2020
+ms.date: 04/11/2023
 ms.topic: article
-ms.custom: 
-  - CI 111493
-  - CI 125140
-  - CSSTroubleshooting
-audience: ITPro
 ms.localizationpriority: medium
-manager: kaushika
+manager: aaroncz
 ms.technology: itpro-manage
+appliesto:
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
-# Change in default removal policy for external storage media in Windows 10, version 1809
+# Change in default removal policy for external storage media in Windows
 
-Windows defines two main policies, **Quick removal** and **Better performance**, that control how the system interacts with external storage devices such as USB thumb drives or Thunderbolt-enabled external drives. Beginning in Windows 10 version 1809, the default policy is **Quick removal**.
-
-In earlier versions of Windows, the default policy was **Better performance**.
+Windows defines two main policies, **Quick removal** and **Better performance**, that control how the system interacts with external storage devices such as USB thumb drives or Thunderbolt-enabled external drives. Beginning in Windows 10 version 1809, the default policy is **Quick removal**. In earlier versions of Windows, the default policy was **Better performance**.
 
 You can change the policy setting for each external device, and the policy that you set remains in effect if you disconnect the device and then connect it again to the same computer port.
 
@@ -28,31 +24,32 @@ You can change the policy setting for each external device, and the policy that
 
 You can use the storage device policy setting to change the manner in which Windows manages storage devices to better meet your needs. The policy settings have the following effects:
 
-* **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows cannot cache disk write operations. This may degrade system performance.
-* **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish.
-   > [!IMPORTANT]  
-   > If you use the **Better performance** policy, you must use the Safely Remove Hardware process to remove the device. If you remove or disconnect the device without following the safe removal instructions, you risk losing data.
+- **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows cannot cache disk write operations. This may degrade system performance.
+- **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish.
 
-   > [!NOTE]  
-   > If you select **Better performance**, we recommend that you also select **Enable write caching on the device**.
+> [!IMPORTANT]
+> If you use the **Better performance** policy, you must use the Safely Remove Hardware process to remove the device. If you remove or disconnect the device without following the safe removal instructions, you risk losing data.
+
+> [!NOTE]
+> If you select **Better performance**, we recommend that you also select **Enable write caching on the device**.
 
 To change the policy for an external storage device:
 
 1. Connect the device to the computer.
-2. Right-click **Start**, then select **File Explorer**.
-3. In File Explorer, identify the letter or label that is associated with the device (for example, **USB Drive (D:)**).
-4. Right-click **Start**, then select **Disk Management**.
-5. In the lower section of the Disk Management window, right-click the label of the device, and then select **Properties**.
-  
+1. Right-click **Start**, then select **File Explorer**.
+1. In File Explorer, identify the letter or label that is associated with the device (for example, **USB Drive (D:)**).
+1. Right-click **Start**, then select **Disk Management**.
+1. In the lower section of the Disk Management window, right-click the label of the device, and then select **Properties**.
+
    ![In Disk Management, right-click the device and click Properties.](./images/change-def-rem-policy-1.png)
-  
-6. Select **Policies**.
-  
-   > [!NOTE]  
-   > Some recent versions of Windows may use a different arrangement of tabs in the disk properties dialog box.  
-   >  
+
+1. Select **Policies**.
+
+   > [!NOTE]
+   > Some recent versions of Windows may use a different arrangement of tabs in the disk properties dialog box.
+   >
    > If you do not see the **Policies** tab, select **Hardware**, select the removable drive from the **All disk drives** list, and then select **Properties**. The **Policies** tab should now be available.
-  
-7. Select the policy that you want to use.
-  
+
+1. Select the policy that you want to use.
+
    ![Policy options for disk management.](./images/change-def-rem-policy-2.png)

windows/client-management/client-tools/connect-to-remote-aadj-pc.md

@@ -1,29 +1,29 @@
 ---
-title: Connect to remote Azure Active Directory joined device (Windows)
+title: Connect to remote Azure Active Directory joined device
 description: Learn how to use Remote Desktop Connection to connect to an Azure AD joined device.
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.author: vinpa
-ms.date: 01/18/2022
+ms.date: 04/11/2023
 manager: aaroncz
 ms.topic: article
 appliesto:
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 and later</a>
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ms.collection:
-  - highpri
-  - tier2
+- highpri
+- tier2
 ms.technology: itpro-manage
 ---
 
 # Connect to remote Azure Active Directory joined device
 
-From its release, Windows has supported remote connections to devices joined to Active Directory using Remote Desktop Protocol (RDP). Windows 10, version 1607 added the ability to connect to a device that is joined to Azure Active Directory (Azure AD) using RDP.
+Windows supports remote connections to devices joined to Active Directory s well as devices joined to Azure Active Directory (Azure AD) using Remote Desktop Protocol (RDP).
 
 - Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
 - Starting in Windows 10/11, with 2022-10 update installed, you can [use Azure AD authentication to connect to the remote Azure AD device](#connect-with-azure-ad-authentication).
- 
+
 ## Prerequisites
 
 - Both devices (local and remote) must be running a supported version of Windows.
@@ -39,20 +39,20 @@ Azure AD Authentication can be used on the following operating systems for both
 - Windows 11 with [2022-10 Cumulative Updates for Windows 11 (KB5018418)](https://support.microsoft.com/kb/KB5018418) or later installed.
 - Windows 10, version 20H2 or later with [2022-10 Cumulative Updates for Windows 10 (KB5018410)](https://support.microsoft.com/kb/KB5018410) or later installed.
 - Windows Server 2022 with [2022-10 Cumulative Update for Microsoft server operating system (KB5018421)](https://support.microsoft.com/kb/KB5018421) or later installed.
-   
+
 There's no requirement for the local device to be joined to a domain or Azure AD. As a result, this method allows you to connect to the remote Azure AD joined device from:
 
 - [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device.
 - Active Directory joined device.
 - Workgroup device.
- 
+
 Azure AD authentication can also be used to connect to Hybrid Azure AD joined devices.
 
 To connect to the remote computer:
 
 - Launch **Remote Desktop Connection** from Windows Search, or by running `mstsc.exe`.
 - Select **Use a web account to sign in to the remote computer** option in the **Advanced** tab. This option is equivalent to the `enablerdsaadauth` RDP property. For more information, see [Supported RDP properties with Remote Desktop Services](/windows-server/remote/remote-desktop-services/clients/rdp-files).
-- Specify the name of the remote computer and select **Connect**. 
+- Specify the name of the remote computer and select **Connect**.
 
     > [!NOTE]
     > IP address cannot be used when **Use a web account to sign in to the remote computer** option is used.
@@ -129,5 +129,3 @@ Remote Desktop Users group is used to grant users and groups permissions to remo
 ## Related articles
 
 [How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c)
-
-

windows/client-management/client-tools/manage-device-installation-with-group-policy.md

@@ -4,21 +4,19 @@ description: Find out how to manage Device Installation Restrictions with Group
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.date: 09/14/2021
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
 ms.technology: itpro-manage
+appliesto:
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
 ---
 
 # Manage Device Installation with Group Policy
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2022
-
 ## Summary
 
 By using Windows operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy.
@@ -26,6 +24,7 @@ By using Windows operating systems, administrators can determine what devices ca
 ## Introduction
 
 ### General
+
 This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and can't install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios:
 
 - Prevent users from installing devices that are on a "prohibited" list. If a device isn't on the list, then the user can install it.
@@ -63,7 +62,7 @@ You can ensure that users install only those devices that your technical support
 
 ## Scenario Overview
 
-The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy.. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site.
+The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site.
 
 Group Policy guides:
 
@@ -72,7 +71,7 @@ Group Policy guides:
 
 ### Scenario #1: Prevent installation of all printers
 
-In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the ‘prevent/allow’ functionality of Device Installation policies in Group Policy.
+In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the 'prevent/allow' functionality of Device Installation policies in Group Policy.
 
 ### Scenario #2: Prevent installation of a specific printer
 
@@ -84,11 +83,11 @@ In this scenario, you'll combine what you learned from both scenario #1 and scen
 
 ### Scenario #4: Prevent installation of a specific USB device
 
-This scenario, although similar to scenario #2, brings another layer of complexity – how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree.
+This scenario, although similar to scenario #2, brings another layer of complexity—how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree.
 
 ### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive
 
-In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the ‘prevent’ functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario.
+In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the 'prevent' functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario.
 
 ## Technology Review
 
@@ -96,7 +95,7 @@ The following sections provide a brief overview of the core technologies discuss
 
 ### Device Installation in Windows
 
-A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition - it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type.
+A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition—it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type.
 
 When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those strings included with the driver packages.
 
@@ -107,7 +106,7 @@ The four types of identifiers are:
 - Device Instance ID
 - Device ID
 - Device setup classes
-- ‘Removable Devices’ device type
+- 'Removable Devices' device type
 
 #### Device Instance ID
 
@@ -146,12 +145,12 @@ For more information, see [Device Setup Classes](/windows-hardware/drivers/insta
 
 This guide doesn't depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices.
 
-The following two links provide the complete list of Device Setup Classes. ‘System Use’ classes are mostly referred to devices that come with a computer/machine from the factory, while ‘Vendor’ classes are mostly referred to devices that could be connected to an existing computer/machine:
+The following two links provide the complete list of Device Setup Classes. 'System Use' classes are mostly referred to devices that come with a computer/machine from the factory, while 'Vendor' classes are mostly referred to devices that could be connected to an existing computer/machine:
 
 - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
 - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)
 
-#### ‘Removable Device’ Device type
+#### 'Removable Device' Device type
 
 Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected.
 
@@ -164,7 +163,7 @@ Device Installation section in Group Policy is a set of policies that control wh
 The following passages are brief descriptions of the Device Installation policies that are used in this guide.
 
 > [!NOTE]
-> Device Installation control is applied only to machines (‘computer configuration’) and not users (‘user configuration’) by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section.
+> Device Installation control is applied only to machines ('computer configuration') and not users ('user configuration') by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section.
 
 #### Allow administrators to override Device Installation Restriction policies
 
@@ -219,22 +218,22 @@ To complete each of the scenarios, ensure you have:
 
 - A client computer running Windows.
 
-- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build.
+- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a "removable disk drive", "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build.
 
 - A USB/network printer pre-installed on the machine.
 
 - Access to the administrator account on the testing machine. The procedures in this guide require administrator privileges for most steps.
 
-### Understanding implications of applying ‘Prevent’ policies retroactive
+### Understanding implications of applying 'Prevent' policies retroactive
 
-All ‘Prevent’ policies can apply the block functionality to already installed devices—devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices.
+All 'Prevent' policies can apply the block functionality to already installed devices-devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices.
 
-For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the “apply this policy to already installed devices” option. Marking this option will prevent access to already installed devices in addition to any future ones.
+For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the "apply this policy to already installed devices" option. Marking this option will prevent access to already installed devices in addition to any future ones.
 
 This option is a powerful tool, but as such it has to be used carefully.
 
 > [!IMPORTANT]
-> Applying the ‘Prevent retroactive’ option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all ‘Disk Drives’ could block the access to the disk on which the OS boots with; Preventing retroactive all ‘Net’ could block this machine from accessing network and to fix the issue the admin will have to have a direct connection.
+> Applying the 'Prevent retroactive' option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all 'Disk Drives' could block the access to the disk on which the OS boots with; Preventing retroactive all 'Net' could block this machine from accessing network and to fix the issue the admin will have to have a direct connection.
 
 ## Determine device identification strings
 
@@ -249,19 +248,19 @@ To find device identification strings using Device Manager
 
 1. Make sure your printer is plugged in and installed.
 
-2. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application.
+1. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application.
 
-3. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped.
+1. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped.
 
-4. Find the “Printers” section and find the target printer
+1. Find the "Printers" section and find the target printer
 
     ![Selecting the printer in Device Manager.](images/device-installation-dm-printer-by-device.png)<br/>_Selecting the printer in Device Manager_
 
-5. Double-click the printer and move to the ‘Details’ tab.
+1. Double-click the printer and move to the 'Details' tab.
 
-    ![‘Details’ tab.](images/device-installation-dm-printer-details-screen.png)<br/>_Open the ‘Details’ tab to look for the device identifiers_
+    !['Details' tab.](images/device-installation-dm-printer-details-screen.png)<br/>_Open the 'Details' tab to look for the device identifiers_
 
-6. From the ‘Value’ window, copy the most detailed Hardware ID – we'll use this value in the policies.
+1. From the 'Value' window, copy the most detailed Hardware ID—we'll use this value in the policies.
 
     ![HWID.](images/device-installation-dm-printer-hardware-ids.png)
 
@@ -311,24 +310,24 @@ Setting up the environment for the scenario with the following steps:
 
 1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
 
-2. Disable all previous Device Installation policies, except ‘Apply layered order of evaluation’—although the policy is disabled in default, this policy is recommended to be enabled in most practical applications.
+1. Disable all previous Device Installation policies, except 'Apply layered order of evaluation'-although the policy is disabled in default, this policy is recommended to be enabled in most practical applications.
 
-3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters
+1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters
 
-4. Have a USB/network printer available to test the policy with
+1. Have a USB/network printer available to test the policy with
 
-### Scenario steps – preventing installation of prohibited devices
+### Scenario steps - preventing installation of prohibited devices
 
 Getting the right device identifier to prevent it from being installed:
 
 1. If you have on your system a device from the class you want to block, you could follow the steps in the previous section to find the Device Class identifier through Device Manager or PnPUtil (Class GUID).
 
-2. If you don’t have such device installed on your system or know the name of the class, you can check the following two links:
+1. If you don't have such device installed on your system or know the name of the class, you can check the following two links:
 
     - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
     - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)
 
-3. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market:
+1. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market:
 
     > Printers\
     > Class = Printer\
@@ -340,40 +339,40 @@ Getting the right device identifier to prevent it from being installed:
 
 Creating the policy to prevent all printers from being installed:
 
-1. Open Group Policy Object Editor—either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+1. Open Group Policy Object Editor-either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
 
-2. Navigate to the Device Installation Restriction page:
+1. Navigate to the Device Installation Restriction page:
 
     > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
 
-3. Make sure all policies are disabled (recommended to keep ‘applied layered order of evaluation’ policy enabled).
+1. Make sure all policies are disabled (recommended to keep 'applied layered order of evaluation' policy enabled).
 
-4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button.
+1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
 
-5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
 
-6. Enter the printer class GUID you found above with the curly braces (this convention is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}
+1. Enter the printer class GUID you found above with the curly braces: `{4d36e979-e325-11ce-bfc1-08002be10318}`.
 
     ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
 
-7. Click ‘OK’.
+1. Click 'OK'.
 
-8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs.
+1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs.
 
-9. Optional – if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’
+1. Optional—if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed'
 
 > [!IMPORTANT]
-> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using ‘Disk Drive’ class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine.
+> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using 'Disk Drive' class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine.
 
 ### Testing the scenario
 
-1. If you haven't completed step #9 – follow these steps:
+1. If you haven't completed step #9, follow these steps:
 
-   1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
-   1. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app.
+   1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device".
+   1. For USB printer—unplug and plug back the cable; for network device—make a search for the printer in the Windows Settings app.
    1. You shouldn't be able to reinstall the printer.
 
-2. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use.
+1. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use.
 
 ## Scenario #2: Prevent installation of a specific printer
 
@@ -385,39 +384,39 @@ Setting up the environment for the scenario with the following steps:
 
 1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
 
-2. Ensure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional.
+1. Ensure all previous Device Installation policies are disabled except 'Apply layered order of evaluation' (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional.
 
-### Scenario steps – preventing installation of a specific device
+### Scenario steps - preventing installation of a specific device
 
 Getting the right device identifier to prevent it from being installed:
 
-1. Get your printer’s Hardware ID – in this example we'll use the identifier we found previously
+1. Get your printer's Hardware ID. In this example we'll use the identifier we found previously.
 
     ![Printer Hardware ID identifier.](images/device-installation-dm-printer-hardware-ids.png)<br/>_Printer Hardware ID_
 
-2. Write down the device ID (in this case Hardware ID) – WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers
+1. Write down the device ID (in this case Hardware ID): `WSDPRINT\CanonMX920_seriesC1A0;`. Take the more specific identifier to make sure you block a specific printer and not a family of printers
 
 Creating the policy to prevent a single printer from being installed:
 
-1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+1. Open Group Policy Object Editor.
 
-2. Navigate to the Device Installation Restriction page: 
+1. Navigate to the Device Installation Restriction page:
 
     > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
 
-3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
+1. Open **Prevent installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
 
-4. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to block.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to block.
 
-5. Enter the printer device ID you found above – WSDPRINT\CanonMX920_seriesC1A0
+1. Enter the printer device ID you found above: `WSDPRINT\CanonMX920_seriesC1A0`.
 
     ![Prevent Device ID list.](images/device-installation-gpo-prevent-device-id-list-printer.png)<br/>_Prevent Device ID list_
 
-6. Click ‘OK’.
+1. Click 'OK'.
 
-7. Click ‘Apply’ on the bottom right of the policy’s window. This option pushes the policy and blocks the target printer in future installations, but doesn’t apply to an existing install.
+1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks the target printer in future installations, but doesn't apply to an existing install.
 
-8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’.
+1. Optionally, if you would like to apply the policy to an existing install, open the **Prevent installation of devices that match any of these device IDs** policy again. In the 'Options' window, mark the checkbox that says 'Also apply to matching devices that are already installed'.
 
 ###	Testing the scenario
 
@@ -425,12 +424,11 @@ If you completed step #8 above and restarted the machine, look for your printer
 
 If you haven't completed step #8, follow these steps:
 
-1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
+1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device".
 
-2. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app.
-
-3. You shouldn't be able to reinstall the printer.
+1. For USB printer, unplug and plug back the cable; for network device, make a search for the printer in the Windows Settings app.
 
+1. You shouldn't be able to reinstall the printer.
 
 ## Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed
 
@@ -442,67 +440,66 @@ Setting up the environment for the scenario with the following steps:
 
 1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
 
-2. Disable all previous Device Installation policies, and enable ‘Apply layered order of evaluation’.
+1. Disable all previous Device Installation policies, and enable 'Apply layered order of evaluation'.
 
-3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters.
+1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters.
 
-4. Have a USB/network printer available to test the policy with.
+1. Have a USB/network printer available to test the policy with.
 
-### Scenario steps – preventing installation of an entire class while allowing a specific printer
+### Scenario steps - preventing installation of an entire class while allowing a specific printer
 
-Getting the device identifier for both the Printer Class and a specific printer – following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario:
+Getting the device identifier for both the Printer Class and a specific printer—following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario:
 
 - ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}
 - Hardware ID = WSDPRINT\CanonMX920_seriesC1A0
 
-First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one:
+First create a 'Prevent Class' policy and then create 'Allow Device' one:
 
-1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+1. Open Group Policy Object Editor—either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
 
-2. Navigate to the Device Installation Restriction page: 
+1. Navigate to the Device Installation Restriction page:
 
     > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
 
-3. Make sure all policies are disabled
+1. Make sure all policies are disabled
 
-4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button.
+1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
 
-5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
 
-6. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}
+1. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won't work): {4d36e979-e325-11ce-bfc1-08002be10318}
 
     ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
 
-7. Click ‘OK’.
+1. Click 'OK'.
 
-8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs.
+1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs.
 
-9. To complete the coverage of all future and existing printers – Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’
+1. To complete the coverage of all future and existing printers, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'
 
-10. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device.
+1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it—this policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device.
 
-    ![Image of Local Group Policy Editor that shows the policies under "Device Installation Restrictions" and the policy named in this step.](images/device-installation-apply-layered_policy-1.png)
+    :::image type="content" alt-text="Screenshot of Local Group Policy Editor that shows the policies under Device Installation Restrictions and the policy named in this step." source="images/device-installation-apply-layered_policy-1.png" lightbox="images/device-installation-apply-layered_policy-1.png":::
 
-    ![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.".](images/device-installation-apply-layered-policy-2.png)<br/>_Apply layered order of evaluation policy_
+    [![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.](images/device-installation-apply-layered-policy-2.png)](images/device-installation-apply-layered-policy-2.png#lightbox)<br/>_Apply layered order of evaluation policy_
 
-9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
+1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
 
-10. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to allow.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow.
 
-11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0.
+1. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0.
 
     ![Allow Printer Hardware ID.](images/device-installation-gpo-allow-device-id-list-printer.png)<br/>_Allow Printer Hardware ID_
 
-12. Click ‘OK’.
+1. Click 'OK'.
 
-13. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and allows the target printer to be installed (or stayed installed).
+1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and allows the target printer to be installed (or stayed installed).
 
 ## Testing the scenario
 
 1. Look for your printer under Device Manager or the Windows Settings app and see that it's still there and accessible. Or just print a test document.
 
-2. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer – you shouldn't be bale to print anything or able to access the printer at all.
-
+1. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer—you shouldn't be bale to print anything or able to access the printer at all.
 
 ## Scenario #4: Prevent installation of a specific USB device
 
@@ -514,67 +511,65 @@ Setting up the environment for the scenario with the following steps:
 
 1. Open Group Policy Editor and navigate to the Device Installation Restriction section
 
-2. Ensure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this prerequisite is optional to be On/Off this scenario) – although the policy is disabled in default, it's recommended to be enabled in most practical applications.
+1. Ensure all previous Device Installation policies are disabled except 'Apply layered order of evaluation'. This prerequisite is optional to be On/Off this scenario. Although the policy is disabled in default, it's recommended to be enabled in most practical applications.
 
-### Scenario steps – preventing installation of a specific device
+### Scenario steps - preventing installation of a specific device
 
 Getting the right device identifier to prevent it from being installed and its location in the PnP tree:
 
 1. Connect a USB thumb drive to the machine
 
-2. Open Device Manager
+1. Open Device Manager
+
+1. Find the USB thumb-drive and select it.
 
-3. Find the USB thumb-drive and select it.
- 
     ![Selecting the usb thumb-drive in Device Manager.](images/device-installation-dm-usb-by-device.png)<br/>_Selecting the usb thumb-drive in Device Manager_
 
-4. Change View (in the top menu) to ‘Devices by connections’. This view represents the way devices are installed in the PnP tree.
+1. Change View (in the top menu) to 'Devices by connections'. This view represents the way devices are installed in the PnP tree.
 
     ![Changing view in Device Manager to see the PnP connection tree.](images/device-installation-dm-usb-by-connection.png)<br/>_Changing view in Device Manager to see the PnP connection tree_
 
     > [!NOTE]
-    > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a “Generic USB Hub” from being installed, all the devices that lay below a “Generic USB Hub” will be blocked.
- 
+    > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a "Generic USB Hub" from being installed, all the devices that lay below a "Generic USB Hub" will be blocked.
+
     ![Blocking nested devices from the root.](images/device-installation-dm-usb-by-connection-blocked.png)<br/>_When blocking one device, all the devices that are nested below it will be blocked as well_
 
-5. Double-click the USB thumb-drive and move to the ‘Details’ tab.
+1. Double-click the USB thumb-drive and move to the 'Details' tab.
+
+1. From the 'Value' window, copy the most detailed Hardware ID-we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
 
-6. From the ‘Value’ window, copy the most detailed Hardware ID—we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
- 
     ![USB device hardware IDs.](images/device-installation-dm-usb-hwid.png)<br/>_USB device hardware IDs_
 
 Creating the policy to prevent a single USB thumb-drive from being installed:
 
-1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+1. Open Group Policy Object Editor and either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
 
-2. Navigate to the Device Installation Restriction page: 
+1. Navigate to the Device Installation Restriction page:
 
     > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
 
-3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
+1. Open **Prevent installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
 
-4. In the lower left side, in the ‘Options’ window, click the ‘Show’ box. This option will take you to a table where you can enter the device identifier to block.
+1. In the lower left side, in the 'Options' window, click the 'Show' box. This option will take you to a table where you can enter the device identifier to block.
+
+1. Enter the USB thumb-drive device ID you found above—`USBSTOR\DiskGeneric_Flash_Disk______8.07`.
 
-5. Enter the USB thumb-drive device ID you found above – USBSTOR\DiskGeneric_Flash_Disk______8.07
- 
     ![Prevent Device IDs list.](images/device-installation-gpo-prevent-device-id-list-usb.png)<br/>_Prevent Device IDs list_
 
-6. Click ‘OK’.
+1. Click 'OK'.
 
-7. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks the target USB thumb-drive in future installations, but doesn’t apply to an existing install.
-
-8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window, mark the checkbox that says ‘also apply to matching devices that are already installed’
+1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks the target USB thumb-drive in future installations, but doesn't apply to an existing install.
 
+1. Optional - if you would like to apply the policy to an existing install, open the **Prevent installation of devices that match any of these device IDs** policy again. In the 'Options' window, mark the checkbox that says 'also apply to matching devices that are already installed'.
 
 ### Testing the scenario
 
-1. If you haven't completed step #8 – follow these steps:
+1. If you haven't completed step #8, follow these steps:
 
-    - Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click “Uninstall device”.
+    - Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click "Uninstall device".
     - You shouldn't be able to reinstall the device.
 
-2. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use.
-
+1. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use.
 
 ## Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive
 
@@ -586,15 +581,15 @@ Setting up the environment for the scenario with the following steps:
 
 1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
 
-2. Disable all previous Device Installation policies, and **enable** ‘Apply layered order of evaluation’.
+1. Disable all previous Device Installation policies, and **enable** 'Apply layered order of evaluation'.
 
-3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters.
+1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters.
 
-4. Have a USB thumb-drive available to test the policy with.
+1. Have a USB thumb-drive available to test the policy with.
 
-### Scenario steps – preventing installation of all USB devices while allowing only an authorized USB thumb-drive
+### Scenario steps - preventing installation of all USB devices while allowing only an authorized USB thumb-drive
 
-Getting the device identifier for both the USB Classes and a specific USB thumb-drive – following the steps in scenario #1 to find Class identifier and scenario #4 to find Device identifier you could get the identifiers you need for this scenario:
+Getting the device identifier for both the USB Classes and a specific USB thumb-drive and following the steps in scenario #1 to find Class identifier and scenario #4 to find Device identifier you could get the identifiers you need for this scenario:
 
 - USB Bus Devices (hubs and host controllers)
   - Class = USB
@@ -610,16 +605,16 @@ Getting the device identifier for both the USB Classes and a specific USB thumb-
 
 As mentioned in scenario #4, it's not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well:
 
-- “Intel(R) USB 3.0 eXtensible Host Controller – 1.0 (Microsoft)” -> PCI\CC_0C03
-- “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30
-- “Generic USB Hub” -> USB\USB20_HUB
- 
+- "Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft)" -> PCI\CC_0C03
+- "USB Root Hub (USB 3.0)" -> USB\ROOT_HUB30
+- "Generic USB Hub" -> USB\USB20_HUB
+
 ![USB devices nested in the PnP tree.](images/device-installation-dm-usb-by-connection-layering.png)<br/>_USB devices nested under each other in the PnP tree_
 
 These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't enable any external/peripheral device from being installed on the machine.
 
 > [!IMPORTANT]
-> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. See below for the list:
+> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an 'Allow list' in such cases. See below for the list:
 >
 > PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/
 > USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/
@@ -629,49 +624,49 @@ These devices are internal devices on the machine that define the USB port conne
 >
 > Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done.
 
-First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one:
+First create a 'Prevent Class' policy and then create 'Allow Device' one:
 
-1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+1. Open Group Policy Object Editor: either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
 
-2. Navigate to the Device Installation Restriction page: 
+1. Navigate to the Device Installation Restriction page:
 
     > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
 
-3. Make sure all policies are disabled
+1. Make sure all policies are disabled
 
-4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button.
+1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
 
-5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
 
-6. Enter both USB classes GUID you found above with the curly braces:
+1. Enter both USB classes GUID you found above with the curly braces:
 
     > {36fc9e60-c465-11cf-8056-444553540000}/
-    > {88BAE032-5A81-49f0-BC3D-A4FF138216D6} 
+    > {88BAE032-5A81-49f0-BC3D-A4FF138216D6}
 
-7. Click ‘OK’.
+1. Click 'OK'.
 
-8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future USB device installations, but doesn’t apply to existing installs.
+1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks all future USB device installations, but doesn't apply to existing installs.
 
     > [!IMPORTANT]
     > The previous step prevents all future USB devices from being installed. Before you move to the next step make sure you have as complete list as possible of all the USB Host Controllers, USB Root Hubs and Generic USB Hubs Device IDs available to prevent blocking you from interacting with your system through keyboards and mice.
 
-9. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device.
+1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it. This policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device.
 
     ![Apply layered order of evaluation policy.](images/device-installation-apply-layered_policy-1.png)<br/>_Apply layered order of evaluation policy_
 
-10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
+1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
 
-11. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to allow.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow.
 
-12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation – USBSTOR\DiskGeneric_Flash_Disk______8.07
+1. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation—`USBSTOR\DiskGeneric_Flash_Disk______8.07`.
 
     ![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs.".](images/device-installation-gpo-allow-device-id-list-usb.png)<br/>_Allowed USB Device IDs list_
 
-13. Click ‘OK’.
+1. Click 'OK'.
 
-14. Click ‘Apply’ on the bottom right of the policy’s window.
+1. Click 'Apply' on the bottom right of the policy's window.
 
-15. To apply the ‘Prevent’ coverage of all currently installed USB devices – Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’.
+1. To apply the 'Prevent' coverage of all currently installed USB devices, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'.
 
 ### Testing the scenario
 

windows/client-management/client-tools/manage-settings-app-with-group-policy.md

@@ -0,0 +1,44 @@
+---
+title: Manage the Settings app with Group Policy
+description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
+ms.prod: windows-client
+author: vinaypamnani-msft
+ms.date: 04/13/2023
+ms.reviewer:
+manager: aaroncz
+ms.author: vinpa
+ms.topic: article
+ms.technology: itpro-manage
+appliesto:
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
+---
+
+# Manage the Settings app with Group Policy
+
+You can manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users.
+
+> [!NOTE]
+> To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. Each server that you want to manage access to the Settings App must be patched.
+
+If your organization uses the [Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for Group Policy management, to manage the policies, copy the ControlPanel.admx and ControlPanel.adml file to PolicyDefinitions folder.
+
+This policy is available for both User and Computer configurations.
+
+- **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
+- **User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
+
+![Settings page visibility policy.](images/settings-page-visibility-gp.png)
+
+## Configuring the Group Policy
+
+The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
+
+> [!IMPORTANT]
+> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string.
+
+For example:
+
+- To show only the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **ShowOnly:Network-Proxy;Network-Ethernet**.
+- To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**.

windows/client-management/client-tools/mandatory-user-profile.md

@@ -1,46 +1,44 @@
 ---
-title: Create mandatory user profiles (Windows 10 and Windows 11)
+title: Create mandatory user profiles
 description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users.
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
-ms.date: 09/14/2021
+ms.date: 04/11/2023
 ms.reviewer:
 manager: aaroncz
 ms.topic: article
 ms.collection:
-  - highpri
-  - tier2
+- highpri
+- tier2
 ms.technology: itpro-manage
+appliesto:
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # Create mandatory user profiles
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
+A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to) icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
 
 Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.
 
 When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile.
 
-User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile.
+User profiles become mandatory profiles when the administrator renames the `NTuser.dat` file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile.
 
 ## Profile extension for each Windows version
 
 The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version.
 
-| Client operating system version | Server operating system version | Profile extension |
-| --- | --- | --- |
-| Windows XP | Windows Server 2003 </br>Windows Server 2003 R2 | none |
-| Windows Vista</br>Windows 7 | Windows Server 2008 </br>Windows Server 2008 R2 | v2 |
-| Windows 8 | Windows Server 2012 | v3 |
-| Windows 8.1 | Windows Server 2012 R2 | v4 |
-| Windows 10, versions 1507 and 1511 | N/A | v5 |
-| Windows 10, versions 1607, 1703, 1709, 1803, 1809, 1903 and 1909 |  Windows Server 2016 and Windows Server 2019 | v6 |
+| Client operating system version     | Server operating system version                 | Profile extension |
+|-------------------------------------|-------------------------------------------------|-------------------|
+| Windows XP                          | Windows Server 2003 </br>Windows Server 2003 R2 | none              |
+| Windows Vista</br>Windows 7         | Windows Server 2008 </br>Windows Server 2008 R2 | v2                |
+| Windows 8                           | Windows Server 2012                             | v3                |
+| Windows 8.1                         | Windows Server 2012 R2                          | v4                |
+| Windows 10, versions 1507 and 1511  | N/A                                             | v5                |
+| Windows 10, versions 1607 and later | Windows Server 2016 and Windows Server 2019     | v6                |
 
 For more information, see [Deploy Roaming User Profiles, Appendix B](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](/troubleshoot/windows-server/user-profiles-and-logon/roaming-user-profiles-versioning).
 
@@ -50,33 +48,33 @@ First, you create a default user profile with the customizations that you want,
 
 ### How to create a default user profile
 
-1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account.
+1. Sign in to a computer running Windows as a member of the local Administrator group. Do not use a domain account.
 
    > [!NOTE]
-   > Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.
+   > Use a lab or extra computer running a clean installation of Windows to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.
 
 1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.
 
    > [!NOTE]
    > Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).
 
-1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
+1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
 
-1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](/windows/application-management/apps-in-windows-10).
+1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/apps-in-windows-10).
 
    > [!NOTE]
    > It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
 
 1. At a command prompt, type the following command and press **ENTER**.
 
-   ```console
+   ```cmd
    sysprep /oobe /reboot /generalize /unattend:unattend.xml
    ```
 
-   (Sysprep.exe is located at: C:\\Windows\\System32\\sysprep. By default, Sysprep looks for unattend.xml in this same folder.)
+   (Sysprep.exe is located at: `C:\Windows\System32\sysprep`. By default, Sysprep looks for `unattend.xml` in the same folder.)
 
    > [!TIP]
-   > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following:
+   > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open `%WINDIR%\System32\Sysprep\Panther\setupact.log` and look for an entry like the following:
    >
    > ![Microsoft Bing Translator package error.](images/sysprep-error.png)
    >
@@ -88,7 +86,6 @@ First, you create a default user profile with the customizations that you want,
 
 1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
 
-
    ![Example of User Profiles UI.](images/copy-to.png)
 
 1. In **Copy To**, under **Permitted to use**, click **Change**.
@@ -97,7 +94,7 @@ First, you create a default user profile with the customizations that you want,
 
 1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
 
-1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607.
+1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with `.v6` to identify it as a user profile folder for Windows 10, version 1607 or later.
 
    - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
 
@@ -105,8 +102,6 @@ First, you create a default user profile with the customizations that you want,
 
    - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
 
-     ![Example of Copy To UI with UNC path.](images/copy-to-path.png)
-
 1. Click **OK** to copy the default user profile.
 
 ### How to make the user profile mandatory
@@ -118,6 +113,13 @@ First, you create a default user profile with the customizations that you want,
 
 1. Rename `Ntuser.dat` to `Ntuser.man`.
 
+### Verify the correct owner for the mandatory profile folders
+
+1. Open the properties of the "profile.v6" folder.
+1. Select the **Security** tab and then select **Advanced**.
+1. Verify the **Owner** of the folder. It must be the builtin **Administrators** group. To change the owner, you must be a member of the Administrators group on the file server, or have "Set owner" privilege on the server.
+1. When you set the owner, select **Replace owner on subcontainers and objects** before you click OK.
+
 ## Apply a mandatory user profile to users
 
 In a domain, you modify properties for the user account to point to the mandatory profile in a shared folder residing on the server.
@@ -130,7 +132,7 @@ In a domain, you modify properties for the user account to point to the mandator
 
 1. Right-click the user name and open **Properties**.
 
-1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\\profile.v6, you would enter \\\\*server*\\profile.
+1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is `\\server\share\profile.v6`, you would enter `\\server\share\profile`.
 
 1. Click **OK**.
 
@@ -138,16 +140,16 @@ It may take some time for this change to replicate to all domain controllers.
 
 ## Apply policies to improve sign-in time
 
-When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. (The table shows which operating system versions each policy setting can apply to.)
+When a user is configured with a mandatory profile, Windows starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table.
 
-| Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 |
-| --- | --- | --- | --- | --- |
-| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) |
-| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png)  | ![not supported](images/crossmark.png)  |
-| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported.](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) |
+| Group Policy setting                                                                                                                          | Windows 10 | Windows Server 2016 |
+|-----------------------------------------------------------------------------------------------------------------------------------------------|:----------:|:-------------------:|
+| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled                              | ✅         | ✅                 |
+| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled                                | ✅         | ✅                 |
+| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ✅         | ❌                 |
 
 > [!NOTE]
-> The Group Policy settings above can be applied in Windows 10 Professional edition.
+> The Group Policy settings above can be applied in Windows Professional edition.
 
 ## Related topics
 

windows/client-management/client-tools/quick-assist.md

@@ -1,6 +1,7 @@
 ---
 title: Use Quick Assist to help users
 description: Learn how IT Pros can use Quick Assist to help users.
+ms.date: 04/11/2023
 ms.prod: windows-client
 ms.topic: article
 ms.technology: itpro-manage
@@ -10,12 +11,11 @@ ms.author: vinpa
 manager: aaroncz
 ms.reviewer: pmadrigal
 appliesto:
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 and later</a>
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ms.collection:
-  - highpri
-  - tier1
-ms.date: 03/06/2023
+- highpri
+- tier1
 ---
 
 # Use Quick Assist to help users
@@ -26,9 +26,6 @@ Quick Assist is a Microsoft Store application that enables a person to share the
 
 All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate.
 
-> [!IMPORTANT]
-> Quick Assist is not available in the Azure Government cloud.
-
 ### Authentication
 
 The helper can authenticate when they sign in by using a Microsoft account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported.