Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into comcontrol-7790977

.openpublishing.redirection.json

@@ -20809,6 +20809,11 @@
       "source_path": "store-for-business/sign-up-microsoft-store-for-business.md",
       "redirect_url": "/microsoft-store",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/index.md",
+      "redirect_url": "/windows/security/encryption-data-protection",
+      "redirect_document_id": false
     }
   ]
 }

education/windows/federated-sign-in.md

@@ -1,7 +1,7 @@
 ---
 title: Configure federated sign-in for Windows devices
 description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages.
-ms.date: 04/11/2023
+ms.date: 04/24/2023
 ms.topic: how-to
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@@ -53,9 +53,11 @@ To use federated sign-in, the devices must have Internet access. This feature wo
 > - provisioning packages (PPKG)
 > - Windows Autopilot self-deploying mode
 
-### System requirements
+[!INCLUDE [federated-sign-in](../../includes/licensing/federated-sign-in.md)]
 
-Federated sign-in is supported on the following Windows SKUs and versions:
+## System requirements
+
+Federated sign-in is supported on the following Windows editions and versions:
 
 - Windows 11 SE, version 22H2 and later
 - Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1]

includes/intune/intune-custom-settings-1.md

@@ -0,0 +1,13 @@
+---
+ms.date: 02/22/2022
+ms.topic: include
+---
+
+To configure devices with Microsoft Intune, use a custom policy:
+
+1. Go to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
+2. Select **Devices > Configuration profiles > Create profile**
+3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom**
+4. Select **Create**
+5. Specify a **Name** and, optionally, a **Description > Next**
+6. Add the following settings:

includes/intune/intune-custom-settings-2.md

@@ -0,0 +1,9 @@
+---
+ms.date: 11/08/2022
+ms.topic: include
+---
+
+7. Select **Next**
+8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
+9. Under **Applicability Rules**, select **Next**
+10. Review the policy configuration and select **Create**

includes/intune/intune-custom-settings-info.md

@@ -0,0 +1,6 @@
+---
+ms.date: 11/08/2022
+ms.topic: include
+---
+
+For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).

includes/licensing/_edition-requirements.md

@@ -0,0 +1,79 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+| Feature name | Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education |
+|:---|:---:|:---:|:---:|:---:|
+|**[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|
+|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|
+|**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|❌|Yes|
+|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|
+|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|
+|**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|
+|**[BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|
+|**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|
+|**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|
+|**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|
+|**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|
+|**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|❌|Yes|
+|**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|
+|**[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|
+|**[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)**|Yes|Yes|Yes|Yes|
+|**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes|
+|**[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|
+|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|
+|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes|
+|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|
+|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|
+|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
+|**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes|
+|**[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
+|**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|❌|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/deployedge/microsoft-edge-security-windows-defender-application-guard)**|❌|Yes|❌|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|Yes|❌|Yes|
+|**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|❌|Yes|
+|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|
+|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|
+|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|❌|Yes|
+|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|
+|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|
+|**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|
+|**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|
+|**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|
+|**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|
+|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
+|**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|
+|**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|
+|**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
+|**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|
+|**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|
+|**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|
+|**[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|
+|**[Universal Print](/universal-print/)**|Yes|Yes|Yes|Yes|
+|**[User Account Control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview)**|Yes|Yes|Yes|Yes|
+|**[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|
+|**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|
+|**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|
+|**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|❌|Yes|
+|**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|
+|**[Windows containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|
+|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
+|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes|
+|**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
+|**[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|
+|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
+|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|
+|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
+|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
+|**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
+|**[Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|
+|**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|

includes/licensing/_licensing-requirements.md

@@ -0,0 +1,79 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+|Feature name|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---|:---:|:---:|:---:|:---:|:---:|
+|**[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes|
+|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|Yes|
+|**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|Yes|Yes|Yes|
+|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes|
+|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes|
+|**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|Yes|
+|**[BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|Yes|
+|**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|Yes|
+|**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|Yes|
+|**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|Yes|
+|**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|Yes|Yes|Yes|
+|**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|Yes|
+|**[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|Yes|
+|**[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)**|Yes|Yes|Yes|Yes|Yes|
+|**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes|Yes|
+|**[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|Yes|
+|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes|
+|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|❌|Yes|Yes|
+|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|Yes|
+|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|Yes|
+|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|Yes|
+|**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes|Yes|
+|**[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
+|**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/deployedge/microsoft-edge-security-windows-defender-application-guard)**|❌|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|❌|❌|❌|❌|
+|**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes|
+|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes|
+|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes|
+|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|Yes|Yes|Yes|
+|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|
+|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes|
+|**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|Yes|
+|**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes|
+|**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|Yes|
+|**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|Yes|
+|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
+|**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|Yes|
+|**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
+|**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|Yes|
+|**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|Yes|
+|**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Universal Print](/universal-print/)**|❌|Yes|Yes|Yes|Yes|
+|**[User Account Control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|Yes|
+|**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|Yes|
+|**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|Yes|❌|❌|
+|**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes|
+|**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|Yes|

includes/licensing/access-control-aclsscals.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Access Control (ACLs/SCALS):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Access Control (ACLs/SCALS) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/account-lockout-policy.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Account Lockout Policy:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Account Lockout Policy license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/always-on-vpn-device-tunnel.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Always On VPN (device tunnel):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|Yes|No|Yes|
+
+Always On VPN (device tunnel) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/assigned-access-kiosk-mode.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Assigned Access (kiosk mode):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Assigned Access (kiosk mode) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/attack-surface-reduction-asr.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Attack surface reduction (ASR):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Attack surface reduction (ASR) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/bitlocker.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support BitLocker:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+BitLocker license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/bluetooth-pairing-and-connection-protection.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Bluetooth pairing and connection protection:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Bluetooth pairing and connection protection license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/common-criteria-certifications.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Common Criteria certifications:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Common Criteria certifications license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/controlled-folder-access.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Controlled folder access:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Controlled folder access license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/device-health-attestation-service.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Device health attestation service:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Device health attestation service license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/direct-access.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Direct Access:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|Yes|No|Yes|
+
+Direct Access license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/email-encryption-smime.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Email Encryption (S/MIME):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Email Encryption (S/MIME) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/encrypted-hard-drive.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Encrypted hard drive:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Encrypted hard drive license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/enhanced-phishing-protection-with-smartscreen.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Enhanced phishing protection with SmartScreen:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Enhanced phishing protection with SmartScreen license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/exploit-protection.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Exploit protection:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Exploit protection license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/fast-identity-online-fido2-security-key.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Fast Identity Online (FIDO2) security key:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Fast Identity Online (FIDO2) security key license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/federal-information-processing-standard-fips-140-validation.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Federal Information Processing Standard (FIPS) 140 validation:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Federal Information Processing Standard (FIPS) 140 validation license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/federated-sign-in.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Federated sign-in:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|No|Yes|Yes|
+
+Federated sign-in license entitlements are granted by the following licenses:
+
+|Windows Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|No|No|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/hardware-enforced-stack-protection.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Hardware-enforced stack protection:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Hardware-enforced stack protection license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/hypervisor-protected-code-integrity-hvci.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Hypervisor-protected Code Integrity (HVCI):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Hypervisor-protected Code Integrity (HVCI) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/kernel-direct-memory-access-dma-protection.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Kernel Direct Memory Access (DMA) protection:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Kernel Direct Memory Access (DMA) protection license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/local-security-authority-lsa-protection.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Local Security Authority (LSA) Protection:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Local Security Authority (LSA) Protection license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Manage by Mobile Device Management (MDM) and group policy:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Manage by Mobile Device Management (MDM) and group policy license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/measured-boot.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Measured boot:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Measured boot license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/microsoft-defender-antivirus.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Defender Antivirus:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Microsoft Defender Antivirus license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) configure via MDM:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|Yes|No|Yes|
+
+Microsoft Defender Application Guard (MDAG) configure via MDM license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|Yes|No|Yes|
+
+Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) for Edge standalone mode:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Microsoft Defender Application Guard (MDAG) for Edge standalone mode license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) for Microsoft Office:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|Yes|No|Yes|
+
+Microsoft Defender Application Guard (MDAG) for Microsoft Office license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|No|No|No|No|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) public APIs:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|Yes|No|Yes|
+
+Microsoft Defender Application Guard (MDAG) public APIs license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/microsoft-defender-for-endpoint.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Defender for Endpoint:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Microsoft Defender for Endpoint license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|No|Yes|No|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/microsoft-defender-smartscreen.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Defender SmartScreen:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Microsoft Defender SmartScreen license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/microsoft-pluton-security-processor.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Pluton security processor:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Microsoft Pluton security processor license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/microsoft-vulnerable-driver-blocklist.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Vulnerable Driver Blocklist:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Microsoft Vulnerable Driver Blocklist license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/opportunistic-wireless-encryption-owe.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Opportunistic Wireless Encryption (OWE):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Opportunistic Wireless Encryption (OWE) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/personal-data-encryption-pde.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Personal data encryption (PDE):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|Yes|No|Yes|
+
+Personal data encryption (PDE) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/privacy-resource-usage.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Privacy Resource Usage:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Privacy Resource Usage license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/privacy-transparency-and-controls.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Privacy Transparency and Controls:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Privacy Transparency and Controls license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/remote-wipe.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Remote wipe:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Remote wipe license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/secure-boot-and-trusted-boot.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Secure Boot and Trusted Boot:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Secure Boot and Trusted Boot license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/secured-core-configuration-lock.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Secured-core configuration lock:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Secured-core configuration lock license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/secured-core-pc.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Secured-core PC:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Secured-core PC license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/security-baselines.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Security baselines:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Security baselines license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/server-message-block-direct-smb-direct.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Server Message Block Direct (SMB Direct):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Server Message Block Direct (SMB Direct) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/server-message-block-smb-file-service.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Server Message Block (SMB) file service:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Server Message Block (SMB) file service license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/smart-app-control.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Smart App Control:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Smart App Control license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/smart-cards-for-windows-service.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Smart Cards for Windows Service:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Smart Cards for Windows Service license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/tamper-protection-settings-for-mde.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Tamper protection settings for MDE:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Tamper protection settings for MDE license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/transport-layer-security-tls.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Transport layer security (TLS):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Transport layer security (TLS) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/trusted-platform-module-tpm-20.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Trusted Platform Module (TPM) 2.0:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Trusted Platform Module (TPM) 2.0 license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/universal-print.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Universal Print:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Universal Print license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/user-account-control-uac.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support User Account Control (UAC):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+User Account Control (UAC) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/virtual-private-network-vpn.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Virtual Private Network (VPN):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Virtual Private Network (VPN) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/virtualization-based-security-vbs.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Virtualization-based security (VBS):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Virtualization-based security (VBS) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/wifi-security.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support WiFi Security:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+WiFi Security license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/windows-autopatch.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Autopatch:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|Yes|No|Yes|
+
+Windows Autopatch license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|No|No|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/windows-autopilot.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Autopilot:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows Autopilot license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/windows-containers.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows containers:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows containers license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/windows-defender-application-control-wdac.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Defender Application Control (WDAC):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows Defender Application Control (WDAC) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/windows-defender-credential-guard.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Defender Credential Guard:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|Yes|No|Yes|
+
+Windows Defender Credential Guard license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/windows-defender-remote-credential-guard.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Defender Remote Credential Guard:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows Defender Remote Credential Guard license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/windows-defender-system-guard.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Defender System Guard:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows Defender System Guard license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/windows-firewall.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Firewall:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows Firewall license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Hello for Business Enhanced Security Sign-in (ESS):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows Hello for Business Enhanced Security Sign-in (ESS) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/windows-hello-for-business.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Hello for Business:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows Hello for Business license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/windows-laps.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows LAPS:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows LAPS license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/windows-presence-sensing.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows presence sensing:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows presence sensing license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/windows-sandbox.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Sandbox:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows Sandbox license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

includes/licensing/windows-security-policy-settings-and-auditing.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Security policy settings and auditing:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows Security policy settings and auditing license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

windows/client-management/config-lock.md

@@ -26,11 +26,9 @@ To summarize, config lock:
 
 ## Configuration Flow
 
-After a secured-core PC reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
+After a [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure) reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
 
-## System Requirements
-
-Config lock will be available for all Windows Professional and Enterprise Editions running on [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).
+[!INCLUDE [secured-core-configuration-lock](../../includes/licensing/secured-core-configuration-lock.md)]
 
 ## Enabling config lock using Microsoft Intune
 

windows/client-management/mdm-overview.md

@@ -56,6 +56,8 @@ For more information about the MDM policies defined in the MDM security baseline
 
 For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
 
+[!INCLUDE [manage-by-mobile-device-management-mdm-and-group-policy](../../includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md)]
+
 ## Frequently Asked Questions
 
 ### Can there be more than one MDM server to enroll and manage devices in Windows?

windows/client-management/mdm/bitlocker-csp.md

@@ -4,7 +4,7 @@ description: Learn more about the BitLocker CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -21,6 +21,9 @@ ms.topic: reference
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 
+> [!IMPORTANT]
+> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
+
 <!-- BitLocker-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro.
@@ -40,6 +43,7 @@ The following list shows the BitLocker configuration service provider nodes:
 
 - ./Device/Vendor/MSFT/BitLocker
   - [AllowStandardUserEncryption](#allowstandarduserencryption)
+  - [AllowSuspensionOfBitLockerProtection](#allowsuspensionofbitlockerprotection)
   - [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption)
   - [ConfigureRecoveryPasswordRotation](#configurerecoverypasswordrotation)
   - [EncryptionMethodByDriveType](#encryptionmethodbydrivetype)
@@ -149,6 +153,63 @@ To disable this policy, use the following SyncML:
 
 <!-- Device-AllowStandardUserEncryption-End -->
 
+<!-- Device-AllowSuspensionOfBitLockerProtection-Begin -->
+## AllowSuspensionOfBitLockerProtection
+
+<!-- Device-AllowSuspensionOfBitLockerProtection-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+<!-- Device-AllowSuspensionOfBitLockerProtection-Applicability-End -->
+
+<!-- Device-AllowSuspensionOfBitLockerProtection-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/AllowSuspensionOfBitLockerProtection
+```
+<!-- Device-AllowSuspensionOfBitLockerProtection-OmaUri-End -->
+
+<!-- Device-AllowSuspensionOfBitLockerProtection-Description-Begin -->
+<!-- Description-Source-DDF -->
+This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled.
+
+> [!WARNING]
+> When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally.
+
+The expected values for this policy are:
+
+0 = Prevent BitLocker Drive Encryption protection from being suspended.
+1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection.
+<!-- Device-AllowSuspensionOfBitLockerProtection-Description-End -->
+
+<!-- Device-AllowSuspensionOfBitLockerProtection-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-AllowSuspensionOfBitLockerProtection-Editable-End -->
+
+<!-- Device-AllowSuspensionOfBitLockerProtection-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- Device-AllowSuspensionOfBitLockerProtection-DFProperties-End -->
+
+<!-- Device-AllowSuspensionOfBitLockerProtection-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Prevent BitLocker Drive Encryption protection from being suspended. |
+| 1 (Default) | This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. |
+<!-- Device-AllowSuspensionOfBitLockerProtection-AllowedValues-End -->
+
+<!-- Device-AllowSuspensionOfBitLockerProtection-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-AllowSuspensionOfBitLockerProtection-Examples-End -->
+
+<!-- Device-AllowSuspensionOfBitLockerProtection-End -->
+
 <!-- Device-AllowWarningForOtherDiskEncryption-Begin -->
 ## AllowWarningForOtherDiskEncryption
 

windows/client-management/mdm/bitlocker-ddf-file.md

@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -772,6 +772,52 @@ Supported Values: String form of request ID. Example format of request ID is GUI
         </MSFT:Applicability>
       </DFProperties>
     </Node>
+    <Node>
+      <NodeName>AllowSuspensionOfBitLockerProtection</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <DefaultValue>1</DefaultValue>
+        <Description>This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled.
+                         Warning: When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally.
+                         The format is integer.
+                         The expected values for this policy are:
+
+                         0 = Prevent BitLocker Drive Encryption protection from being suspended.
+                         1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection.
+                         </Description>
+        <DFFormat>
+          <int />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>9.9</MSFT:CspVersion>
+        </MSFT:Applicability>
+        <MSFT:AllowedValues ValueType="ENUM">
+          <MSFT:Enum>
+            <MSFT:Value>0</MSFT:Value>
+            <MSFT:ValueDescription>Prevent BitLocker Drive Encryption protection from being suspended.</MSFT:ValueDescription>
+          </MSFT:Enum>
+          <MSFT:Enum>
+            <MSFT:Value>1</MSFT:Value>
+            <MSFT:ValueDescription>This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection.</MSFT:ValueDescription>
+          </MSFT:Enum>
+        </MSFT:AllowedValues>
+      </DFProperties>
+    </Node>
     <Node>
       <NodeName>Status</NodeName>
       <DFProperties>

windows/client-management/mdm/defender-csp.md

@@ -4,7 +4,7 @@ description: Learn more about the Defender CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -63,6 +63,7 @@ The following list shows the Defender configuration service provider nodes:
     - [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers)
     - [IntelTDTEnabled](#configurationinteltdtenabled)
     - [MeteredConnectionUpdates](#configurationmeteredconnectionupdates)
+    - [OobeEnableRtpAndSigUpdate](#configurationoobeenablertpandsigupdate)
     - [PassiveRemediation](#configurationpassiveremediation)
     - [PlatformUpdatesChannel](#configurationplatformupdateschannel)
     - [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes)
@@ -1808,6 +1809,55 @@ Allow managed devices to update through metered connections. Default is 0 - not
 
 <!-- Device-Configuration-MeteredConnectionUpdates-End -->
 
+<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Begin -->
+### Configuration/OobeEnableRtpAndSigUpdate
+
+<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Applicability-End -->
+
+<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/OobeEnableRtpAndSigUpdate
+```
+<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-OmaUri-End -->
+
+<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Description-Begin -->
+<!-- Description-Source-DDF -->
+This setting allows you to configure whether real-time protection and Security Intelligence Updates are enabled during OOBE (Out of Box experience).
+<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Description-End -->
+
+<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Editable-End -->
+
+<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-DFProperties-End -->
+
+<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE. |
+| 0 (Default) | If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled. |
+<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-AllowedValues-End -->
+
+<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Examples-End -->
+
+<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-End -->
+
 <!-- Device-Configuration-PassiveRemediation-Begin -->
 ### Configuration/PassiveRemediation
 
@@ -2212,6 +2262,8 @@ Tamper protection helps protect important security features from unwanted change
 
 <!-- Device-Configuration-TamperProtection-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
 <!-- Device-Configuration-TamperProtection-Editable-End -->
 
 <!-- Device-Configuration-TamperProtection-DFProperties-Begin -->
@@ -2481,7 +2533,7 @@ Information about the current status of the threat. The following list shows the
 | 7 | Removed |
 | 8 | Cleaned |
 | 9 | Allowed |
-| 10 | No Status (Cleared) |
+| 10 | No Status ( Cleared) |
 <!-- Device-Detections-{ThreatId}-CurrentStatus-Description-End -->
 
 <!-- Device-Detections-{ThreatId}-CurrentStatus-Editable-Begin -->
@@ -3676,7 +3728,7 @@ OfflineScan action starts a Microsoft Defender Offline scan on the computer wher
 
 <!-- Device-RollbackEngine-Description-Begin -->
 <!-- Description-Source-DDF -->
-RollbackEngine action rolls back Microsoft Defender engine to its last known good saved version on the computer where you run the command.
+RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command.
 <!-- Device-RollbackEngine-Description-End -->
 
 <!-- Device-RollbackEngine-Editable-Begin -->
@@ -3828,6 +3880,8 @@ Node that can be used to perform signature updates for Windows Defender.
 
 <!-- Defender-CspMoreInfo-Begin -->
 <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- Links -->
+[TAMPER-1]: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
 <!-- Defender-CspMoreInfo-End -->
 
 <!-- Defender-End -->

windows/client-management/mdm/defender-ddf.md

@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -1920,6 +1920,45 @@ The following XML file contains the device description framework (DDF) for the D
           </MSFT:AllowedValues>
         </DFProperties>
       </Node>
+      <Node>
+        <NodeName>OobeEnableRtpAndSigUpdate</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <DefaultValue>0</DefaultValue>
+          <Description>This setting allows you to configure whether real-time protection and Security Intelligence Updates are enabled during OOBE (Out of Box experience).</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE.</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled.</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
       <Node>
         <NodeName>ThrottleForScheduledScanOnly</NodeName>
         <DFProperties>

windows/client-management/mdm/devicepreparation-csp.md

@@ -4,7 +4,7 @@ description: Learn more about the DevicePreparation CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -31,6 +31,7 @@ The following list shows the DevicePreparation configuration service provider no
     - [ClassID](#bootstrapperagentclassid)
     - [ExecutionContext](#bootstrapperagentexecutioncontext)
     - [InstallationStatusUri](#bootstrapperagentinstallationstatusuri)
+  - [MdmAgentInstalled](#mdmagentinstalled)
   - [MDMProvider](#mdmprovider)
     - [Progress](#mdmproviderprogress)
   - [PageEnabled](#pageenabled)
@@ -194,6 +195,46 @@ This node holds a URI that can be queried for the status of the Bootstrapper Age
 
 <!-- Device-BootstrapperAgent-InstallationStatusUri-End -->
 
+<!-- Device-MdmAgentInstalled-Begin -->
+## MdmAgentInstalled
+
+<!-- Device-MdmAgentInstalled-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+<!-- Device-MdmAgentInstalled-Applicability-End -->
+
+<!-- Device-MdmAgentInstalled-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DevicePreparation/MdmAgentInstalled
+```
+<!-- Device-MdmAgentInstalled-OmaUri-End -->
+
+<!-- Device-MdmAgentInstalled-Description-Begin -->
+<!-- Description-Source-DDF -->
+This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event.
+<!-- Device-MdmAgentInstalled-Description-End -->
+
+<!-- Device-MdmAgentInstalled-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-MdmAgentInstalled-Editable-End -->
+
+<!-- Device-MdmAgentInstalled-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value  | false |
+<!-- Device-MdmAgentInstalled-DFProperties-End -->
+
+<!-- Device-MdmAgentInstalled-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-MdmAgentInstalled-Examples-End -->
+
+<!-- Device-MdmAgentInstalled-End -->
+
 <!-- Device-MDMProvider-Begin -->
 ## MDMProvider
 

windows/client-management/mdm/devicepreparation-ddf-file.md

@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -286,6 +286,29 @@ The following XML file contains the device description framework (DDF) for the D
         </DFProperties>
       </Node>
     </Node>
+    <Node>
+      <NodeName>MdmAgentInstalled</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Get />
+          <Replace />
+        </AccessType>
+        <DefaultValue>false</DefaultValue>
+        <Description>This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event.</Description>
+        <DFFormat>
+          <bool />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+      </DFProperties>
+    </Node>
   </Node>
 </MgmtTree>
 ```

windows/client-management/mdm/dmclient-csp.md

@@ -4,7 +4,7 @@ description: Learn more about the DMClient CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 02/28/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -16,6 +16,9 @@ ms.topic: reference
 <!-- DMClient-Begin -->
 # DMClient CSP
 
+> [!IMPORTANT]
+> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
+
 <!-- DMClient-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment.
@@ -37,6 +40,10 @@ The following list shows the DMClient configuration service provider nodes:
         - [Lock](#deviceproviderprovideridconfiglocklock)
         - [SecureCore](#deviceproviderprovideridconfiglocksecurecore)
         - [UnlockDuration](#deviceproviderprovideridconfiglockunlockduration)
+      - [ConfigRefresh](#deviceproviderprovideridconfigrefresh)
+        - [Cadence](#deviceproviderprovideridconfigrefreshcadence)
+        - [Enabled](#deviceproviderprovideridconfigrefreshenabled)
+        - [PausePeriod](#deviceproviderprovideridconfigrefreshpauseperiod)
       - [CustomEnrollmentCompletePage](#deviceproviderprovideridcustomenrollmentcompletepage)
         - [BodyText](#deviceproviderprovideridcustomenrollmentcompletepagebodytext)
         - [HyperlinkHref](#deviceproviderprovideridcustomenrollmentcompletepagehyperlinkhref)
@@ -624,6 +631,176 @@ This node, when it is set, tells the client to set how many minutes the device s
 
 <!-- Device-Provider-{ProviderID}-ConfigLock-UnlockDuration-End -->
 
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Begin -->
+#### Device/Provider/{ProviderID}/ConfigRefresh
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Applicability-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh
+```
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-OmaUri-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Description-Begin -->
+<!-- Description-Source-DDF -->
+Parent node for ConfigRefresh nodes.
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Description-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Editable-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-DFProperties-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Examples-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Begin -->
+##### Device/Provider/{ProviderID}/ConfigRefresh/Cadence
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Applicability-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/Cadence
+```
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-OmaUri-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Description-Begin -->
+<!-- Description-Source-DDF -->
+This node determines the number of minutes between refreshes.
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Description-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Editable-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[30-1440]` |
+| Default Value  | 90 |
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-DFProperties-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Examples-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Begin -->
+##### Device/Provider/{ProviderID}/ConfigRefresh/Enabled
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Applicability-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/Enabled
+```
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-OmaUri-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Description-Begin -->
+<!-- Description-Source-DDF -->
+This node determines whether or not a periodic settings refresh for MDM policies will occur.
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Description-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Editable-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | false |
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-DFProperties-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| true | ConfigRefresh is enabled. |
+| false (Default) | ConfigRefresh is disabled. |
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-AllowedValues-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Examples-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Begin -->
+##### Device/Provider/{ProviderID}/ConfigRefresh/PausePeriod
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Applicability-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/PausePeriod
+```
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-OmaUri-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Description-Begin -->
+<!-- Description-Source-DDF -->
+This node determines the number of minutes ConfigRefresh should be paused for.
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Description-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Editable-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1440]` |
+| Default Value  | 0 |
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-DFProperties-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Examples-End -->
+
+<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-End -->
+
 <!-- Device-Provider-{ProviderID}-CustomEnrollmentCompletePage-Begin -->
 #### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage
 

windows/client-management/mdm/dmclient-ddf-file.md

@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 02/24/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -2947,6 +2947,125 @@ The following XML file contains the device description framework (DDF) for the D
             </DFProperties>
           </Node>
         </Node>
+        <Node>
+          <NodeName>ConfigRefresh</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+            </AccessType>
+            <Description>Parent node for ConfigRefresh nodes</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+            <MSFT:Applicability>
+              <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
+              <MSFT:CspVersion>1.6</MSFT:CspVersion>
+            </MSFT:Applicability>
+          </DFProperties>
+          <Node>
+            <NodeName>Enabled</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <DefaultValue>false</DefaultValue>
+              <Description>This node determines whether or not a periodic settings refresh for MDM policies will occur.</Description>
+              <DFFormat>
+                <bool />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:AllowedValues ValueType="ENUM">
+                <MSFT:Enum>
+                  <MSFT:Value>true</MSFT:Value>
+                  <MSFT:ValueDescription>ConfigRefresh is enabled.</MSFT:ValueDescription>
+                </MSFT:Enum>
+                <MSFT:Enum>
+                  <MSFT:Value>false</MSFT:Value>
+                  <MSFT:ValueDescription>ConfigRefresh is disabled.</MSFT:ValueDescription>
+                </MSFT:Enum>
+              </MSFT:AllowedValues>
+              <MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>Cadence</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <DefaultValue>90</DefaultValue>
+              <Description>This node determines the number of minutes between refreshes.</Description>
+              <DFFormat>
+                <int />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:AllowedValues ValueType="Range">
+                <MSFT:Value>[30-1440]</MSFT:Value>
+              </MSFT:AllowedValues>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>PausePeriod</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <DefaultValue>0</DefaultValue>
+              <Description>This node determines the number of minutes ConfigRefresh should be paused for.</Description>
+              <DFFormat>
+                <int />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:AllowedValues ValueType="Range">
+                <MSFT:Value>[0-1440]</MSFT:Value>
+              </MSFT:AllowedValues>
+            </DFProperties>
+          </Node>
+        </Node>
       </Node>
     </Node>
     <Node>

windows/client-management/mdm/enterprisemodernappmanagement-csp.md

@@ -4,7 +4,7 @@ description: Learn more about the EnterpriseModernAppManagement CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 02/28/2023
+ms.date: 04/26/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -17,6 +17,7 @@ ms.topic: reference
 # EnterpriseModernAppManagement CSP
 
 <!-- EnterpriseModernAppManagement-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](../enterprise-app-management.md).
 
 > [!NOTE]
@@ -273,6 +274,7 @@ Used to perform app installation.
 <!-- Device-AppInstallation-Description-End -->
 
 <!-- Device-AppInstallation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- Device-AppInstallation-Editable-End -->
 
@@ -312,6 +314,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
 <!-- Device-AppInstallation-{PackageFamilyName}-Description-End -->
 
 <!-- Device-AppInstallation-{PackageFamilyName}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is an optional node.
 
 > [!NOTE]
@@ -329,6 +332,7 @@ This is an optional node.
 <!-- Device-AppInstallation-{PackageFamilyName}-DFProperties-End -->
 
 <!-- Device-AppInstallation-{PackageFamilyName}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Example**:
 
 Here's an example for uninstalling an app:
@@ -374,6 +378,7 @@ Command to perform an install of an app package from a hosted location (this can
 <!-- Device-AppInstallation-{PackageFamilyName}-HostedInstall-Description-End -->
 
 <!-- Device-AppInstallation-{PackageFamilyName}-HostedInstall-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node. The following list shows the supported deployment options:
 
 - ForceApplicationShutdown
@@ -424,6 +429,7 @@ Last error relating to the app installation.
 <!-- Device-AppInstallation-{PackageFamilyName}-LastError-Description-End -->
 
 <!-- Device-AppInstallation-{PackageFamilyName}-LastError-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > This element isn't present after the app is installed.
 <!-- Device-AppInstallation-{PackageFamilyName}-LastError-Editable-End -->
@@ -464,6 +470,7 @@ Description of last error relating to the app installation.
 <!-- Device-AppInstallation-{PackageFamilyName}-LastErrorDesc-Description-End -->
 
 <!-- Device-AppInstallation-{PackageFamilyName}-LastErrorDesc-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > This element isn't present after the app is installed.
 <!-- Device-AppInstallation-{PackageFamilyName}-LastErrorDesc-Editable-End -->
@@ -504,6 +511,7 @@ An integer the indicates the progress of the app installation. For https locatio
 <!-- Device-AppInstallation-{PackageFamilyName}-ProgressStatus-Description-End -->
 
 <!-- Device-AppInstallation-{PackageFamilyName}-ProgressStatus-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > This element isn't present after the app is installed.
 <!-- Device-AppInstallation-{PackageFamilyName}-ProgressStatus-Editable-End -->
@@ -544,6 +552,7 @@ Status of app installation. The following values are returned: NOT_INSTALLED (0)
 <!-- Device-AppInstallation-{PackageFamilyName}-Status-Description-End -->
 
 <!-- Device-AppInstallation-{PackageFamilyName}-Status-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > This element isn't present after the app is installed.
 <!-- Device-AppInstallation-{PackageFamilyName}-Status-Editable-End -->
@@ -662,6 +671,7 @@ Used to manage licenses for store apps.
 <!-- Device-AppLicenses-StoreLicenses-Description-End -->
 
 <!-- Device-AppLicenses-StoreLicenses-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- Device-AppLicenses-StoreLicenses-Editable-End -->
 
@@ -701,6 +711,7 @@ License ID for a store installed app. The license ID is generally the PFN of the
 <!-- Device-AppLicenses-StoreLicenses-{LicenseID}-Description-End -->
 
 <!-- Device-AppLicenses-StoreLicenses-{LicenseID}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is an optional node.
 <!-- Device-AppLicenses-StoreLicenses-{LicenseID}-Editable-End -->
 
@@ -741,6 +752,7 @@ Command to add license.
 <!-- Device-AppLicenses-StoreLicenses-{LicenseID}-AddLicense-Description-End -->
 
 <!-- Device-AppLicenses-StoreLicenses-{LicenseID}-AddLicense-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- Device-AppLicenses-StoreLicenses-{LicenseID}-AddLicense-Editable-End -->
 
@@ -780,6 +792,7 @@ Command to get license from the store.
 <!-- Device-AppLicenses-StoreLicenses-{LicenseID}-GetLicenseFromStore-Description-End -->
 
 <!-- Device-AppLicenses-StoreLicenses-{LicenseID}-GetLicenseFromStore-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- Device-AppLicenses-StoreLicenses-{LicenseID}-GetLicenseFromStore-Editable-End -->
 
@@ -936,6 +949,7 @@ Used for inventory and app management (post-install).
 <!-- Device-AppManagement-Description-End -->
 
 <!-- Device-AppManagement-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- Device-AppManagement-Editable-End -->
 
@@ -975,6 +989,7 @@ Specifies the query for app inventory.
 <!-- Device-AppManagement-AppInventoryQuery-Description-End -->
 
 <!-- Device-AppManagement-AppInventoryQuery-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node. Query parameters:
 
 - Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are:
@@ -1016,6 +1031,7 @@ This is a required node. Query parameters:
 <!-- Device-AppManagement-AppInventoryQuery-DFProperties-End -->
 
 <!-- Device-AppManagement-AppInventoryQuery-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Example**:
 
 The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps.
@@ -1057,6 +1073,7 @@ Returns the results for app inventory that was created after the AppInventoryQue
 <!-- Device-AppManagement-AppInventoryResults-Description-End -->
 
 <!-- Device-AppManagement-AppInventoryResults-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- Device-AppManagement-AppInventoryResults-Editable-End -->
 
@@ -1070,6 +1087,7 @@ This is a required node.
 <!-- Device-AppManagement-AppInventoryResults-DFProperties-End -->
 
 <!-- Device-AppManagement-AppInventoryResults-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Example**:
 
 Here's an example of AppInventoryResults operation.
@@ -1108,6 +1126,7 @@ Here's an example of AppInventoryResults operation.
 <!-- Device-AppManagement-AppStore-Description-End -->
 
 <!-- Device-AppManagement-AppStore-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node. Used for managing apps from the Microsoft Store.
 <!-- Device-AppManagement-AppStore-Editable-End -->
 
@@ -1147,6 +1166,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-Description-End -->
 
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-Editable-End -->
@@ -1162,6 +1182,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-DFProperties-End -->
 
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Example**:
 
 Here's an example for uninstalling an app:
@@ -1247,6 +1268,7 @@ Architecture of installed package. Value type is string.
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-Architecture-Description-End -->
 
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-Architecture-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-Architecture-Editable-End -->
@@ -1287,6 +1309,7 @@ Date the app was installed. Value type is string.
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-InstallDate-Description-End -->
 
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-InstallDate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-InstallDate-Editable-End -->
 
@@ -1326,6 +1349,7 @@ Install location of the app on the device. Value type is string.
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-InstallLocation-Description-End -->
 
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-InstallLocation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-InstallLocation-Editable-End -->
@@ -1405,6 +1429,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-IsFramework-Description-End -->
 
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-IsFramework-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-IsFramework-Editable-End -->
@@ -1484,6 +1509,7 @@ This node is used to identify whether the package is a stub package. A stub pack
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-IsStub-Description-End -->
 
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-IsStub-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The value is 1 if the package is a stub package and 0 (zero) for all other cases.
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-IsStub-Editable-End -->
 
@@ -1562,6 +1588,7 @@ Provides information about the status of the package. Value type is int. Valid v
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-PackageStatus-Description-End -->
 
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-PackageStatus-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-PackageStatus-Editable-End -->
@@ -1641,6 +1668,7 @@ Specifies whether the package state has changed and requires a reinstallation of
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-RequiresReinstall-Description-End -->
 
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-RequiresReinstall-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 
 > [!NOTE]
@@ -1683,6 +1711,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-ResourceID-Description-End -->
 
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-ResourceID-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-ResourceID-Editable-End -->
@@ -1723,6 +1752,7 @@ Registered users of the app and the package install state. If the query is at th
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-Users-Description-End -->
 
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-Users-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node. Possible values:
 
 - 0 = Not Installed
@@ -1806,6 +1836,7 @@ Specifies whether you want to block a specific app from being updated via auto-u
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-DoNotUpdate-Description-End -->
 
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-DoNotUpdate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-DoNotUpdate-Editable-End -->
 
@@ -1854,6 +1885,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-MaintainProcessorArchitectureOnUpdate-Description-End -->
 
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-MaintainProcessorArchitectureOnUpdate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins).
 
 | Applicability Setting | CSP state      | Result               |
@@ -1909,6 +1941,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-NonRemovable-Description-End -->
 
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-NonRemovable-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults.
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-NonRemovable-Editable-End -->
 
@@ -1931,6 +1964,7 @@ NonRemovable requires admin permission. This setting can only be defined per dev
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-NonRemovable-AllowedValues-End -->
 
 <!-- Device-AppManagement-AppStore-{PackageFamilyName}-NonRemovable-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Examples**:
 
 - Add an app to the nonremovable app policy list
@@ -2019,6 +2053,7 @@ Interior node for the managing updates through the Microsoft Store. These settin
 <!-- Device-AppManagement-AppStore-ReleaseManagement-Description-End -->
 
 <!-- Device-AppManagement-AppStore-ReleaseManagement-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > ReleaseManagement settings only apply to updates through the Microsoft Store.
 <!-- Device-AppManagement-AppStore-ReleaseManagement-Editable-End -->
@@ -2294,6 +2329,7 @@ Reports the last error code returned by the update scan.
 <!-- Device-AppManagement-LastScanError-Description-End -->
 
 <!-- Device-AppManagement-LastScanError-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- Device-AppManagement-LastScanError-Editable-End -->
 
@@ -2332,6 +2368,7 @@ This is a required node.
 <!-- Device-AppManagement-nonStore-Description-End -->
 
 <!-- Device-AppManagement-nonStore-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store.
 <!-- Device-AppManagement-nonStore-Editable-End -->
 
@@ -2371,6 +2408,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-Description-End -->
 
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-Editable-End -->
@@ -2386,6 +2424,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-DFProperties-End -->
 
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Example**:
 
 Here's an example for uninstalling an app:
@@ -2471,6 +2510,7 @@ Architecture of installed package. Value type is string.
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-Architecture-Description-End -->
 
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-Architecture-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-Architecture-Editable-End -->
@@ -2511,6 +2551,7 @@ Date the app was installed. Value type is string.
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-InstallDate-Description-End -->
 
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-InstallDate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-InstallDate-Editable-End -->
 
@@ -2550,6 +2591,7 @@ Install location of the app on the device. Value type is string.
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-InstallLocation-Description-End -->
 
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-InstallLocation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-InstallLocation-Editable-End -->
@@ -2629,6 +2671,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-IsFramework-Description-End -->
 
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-IsFramework-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-IsFramework-Editable-End -->
@@ -2708,6 +2751,7 @@ This node is used to identify whether the package is a stub package. A stub pack
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-IsStub-Description-End -->
 
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-IsStub-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The value is 1 if the package is a stub package and 0 (zero) for all other cases.
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-IsStub-Editable-End -->
 
@@ -2786,6 +2830,7 @@ Provides information about the status of the package. Value type is int. Valid v
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-PackageStatus-Description-End -->
 
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-PackageStatus-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-PackageStatus-Editable-End -->
@@ -2865,6 +2910,7 @@ Specifies whether the package state has changed and requires a reinstallation of
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-RequiresReinstall-Description-End -->
 
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-RequiresReinstall-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 
 > [!NOTE]
@@ -2907,6 +2953,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-ResourceID-Description-End -->
 
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-ResourceID-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-ResourceID-Editable-End -->
@@ -2947,6 +2994,7 @@ Registered users of the app and the package install state. If the query is at th
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-Users-Description-End -->
 
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-Users-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node. Possible values:
 
 - 0 = Not Installed
@@ -3030,6 +3078,7 @@ Specifies whether you want to block a specific app from being updated via auto-u
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-DoNotUpdate-Description-End -->
 
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-DoNotUpdate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-DoNotUpdate-Editable-End -->
 
@@ -3078,6 +3127,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-MaintainProcessorArchitectureOnUpdate-Description-End -->
 
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-MaintainProcessorArchitectureOnUpdate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins).
 
 | Applicability Setting | CSP state      | Result               |
@@ -3133,6 +3183,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-NonRemovable-Description-End -->
 
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-NonRemovable-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults.
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-NonRemovable-Editable-End -->
 
@@ -3155,6 +3206,7 @@ NonRemovable requires admin permission. This setting can only be defined per dev
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-NonRemovable-AllowedValues-End -->
 
 <!-- Device-AppManagement-nonStore-{PackageFamilyName}-NonRemovable-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Examples**:
 
 - Add an app to the nonremovable app policy list
@@ -3555,6 +3607,7 @@ Used to restore the Windows app to its initial configuration.
 <!-- Device-AppManagement-System-Description-End -->
 
 <!-- Device-AppManagement-System-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Reports apps installed as part of the operating system.
 <!-- Device-AppManagement-System-Editable-End -->
 
@@ -3594,6 +3647,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
 <!-- Device-AppManagement-System-{PackageFamilyName}-Description-End -->
 
 <!-- Device-AppManagement-System-{PackageFamilyName}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
 <!-- Device-AppManagement-System-{PackageFamilyName}-Editable-End -->
@@ -3675,6 +3729,7 @@ Architecture of installed package. Value type is string.
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-Architecture-Description-End -->
 
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-Architecture-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-Architecture-Editable-End -->
@@ -3715,6 +3770,7 @@ Date the app was installed. Value type is string.
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-InstallDate-Description-End -->
 
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-InstallDate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-InstallDate-Editable-End -->
 
@@ -3754,6 +3810,7 @@ Install location of the app on the device. Value type is string.
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-InstallLocation-Description-End -->
 
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-InstallLocation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-InstallLocation-Editable-End -->
@@ -3833,6 +3890,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-IsFramework-Description-End -->
 
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-IsFramework-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-IsFramework-Editable-End -->
@@ -3912,6 +3970,7 @@ This node is used to identify whether the package is a stub package. A stub pack
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-IsStub-Description-End -->
 
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-IsStub-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The value is 1 if the package is a stub package and 0 (zero) for all other cases.
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-IsStub-Editable-End -->
 
@@ -3990,6 +4049,7 @@ Provides information about the status of the package. Value type is int. Valid v
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-PackageStatus-Description-End -->
 
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-PackageStatus-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-PackageStatus-Editable-End -->
@@ -4069,6 +4129,7 @@ Specifies whether the package state has changed and requires a reinstallation of
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-RequiresReinstall-Description-End -->
 
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-RequiresReinstall-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 
 > [!NOTE]
@@ -4111,6 +4172,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-ResourceID-Description-End -->
 
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-ResourceID-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-ResourceID-Editable-End -->
@@ -4151,6 +4213,7 @@ Registered users of the app and the package install state. If the query is at th
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-Users-Description-End -->
 
 <!-- Device-AppManagement-System-{PackageFamilyName}-{PackageFullName}-Users-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 
 - 0 = Not Installed
@@ -4766,6 +4829,7 @@ Specifies whether you want to block a specific app from being updated via auto-u
 <!-- Device-AppManagement-System-{PackageFamilyName}-DoNotUpdate-Description-End -->
 
 <!-- Device-AppManagement-System-{PackageFamilyName}-DoNotUpdate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- Device-AppManagement-System-{PackageFamilyName}-DoNotUpdate-Editable-End -->
 
@@ -4814,6 +4878,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the
 <!-- Device-AppManagement-System-{PackageFamilyName}-MaintainProcessorArchitectureOnUpdate-Description-End -->
 
 <!-- Device-AppManagement-System-{PackageFamilyName}-MaintainProcessorArchitectureOnUpdate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins).
 
 | Applicability Setting | CSP state      | Result               |
@@ -4869,6 +4934,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to
 <!-- Device-AppManagement-System-{PackageFamilyName}-NonRemovable-Description-End -->
 
 <!-- Device-AppManagement-System-{PackageFamilyName}-NonRemovable-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults.
 <!-- Device-AppManagement-System-{PackageFamilyName}-NonRemovable-Editable-End -->
 
@@ -4891,6 +4957,7 @@ NonRemovable requires admin permission. This setting can only be defined per dev
 <!-- Device-AppManagement-System-{PackageFamilyName}-NonRemovable-AllowedValues-End -->
 
 <!-- Device-AppManagement-System-{PackageFamilyName}-NonRemovable-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Examples**:
 
 - Add an app to the nonremovable app policy list
@@ -5253,6 +5320,7 @@ Used to start the Windows Update scan.
 <!-- Device-AppManagement-UpdateScan-Description-End -->
 
 <!-- Device-AppManagement-UpdateScan-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- Device-AppManagement-UpdateScan-Editable-End -->
 
@@ -5331,6 +5399,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
 <!-- User-AppInstallation-{PackageFamilyName}-Description-End -->
 
 <!-- User-AppInstallation-{PackageFamilyName}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
 <!-- User-AppInstallation-{PackageFamilyName}-Editable-End -->
@@ -5346,6 +5415,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
 <!-- User-AppInstallation-{PackageFamilyName}-DFProperties-End -->
 
 <!-- User-AppInstallation-{PackageFamilyName}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Example**:
 
 Here's an example for uninstalling an app:
@@ -5391,6 +5461,7 @@ Command to perform an install of an app package from a hosted location (this can
 <!-- User-AppInstallation-{PackageFamilyName}-HostedInstall-Description-End -->
 
 <!-- User-AppInstallation-{PackageFamilyName}-HostedInstall-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node. The following list shows the supported deployment options:
 
 - ForceApplicationShutdown
@@ -5441,6 +5512,7 @@ Last error relating to the app installation.
 <!-- User-AppInstallation-{PackageFamilyName}-LastError-Description-End -->
 
 <!-- User-AppInstallation-{PackageFamilyName}-LastError-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > This element isn't present after the app is installed.
 <!-- User-AppInstallation-{PackageFamilyName}-LastError-Editable-End -->
@@ -5481,6 +5553,7 @@ Description of last error relating to the app installation.
 <!-- User-AppInstallation-{PackageFamilyName}-LastErrorDesc-Description-End -->
 
 <!-- User-AppInstallation-{PackageFamilyName}-LastErrorDesc-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > This element isn't present after the app is installed.
 <!-- User-AppInstallation-{PackageFamilyName}-LastErrorDesc-Editable-End -->
@@ -5521,6 +5594,7 @@ An integer the indicates the progress of the app installation. For https locatio
 <!-- User-AppInstallation-{PackageFamilyName}-ProgressStatus-Description-End -->
 
 <!-- User-AppInstallation-{PackageFamilyName}-ProgressStatus-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > This element isn't present after the app is installed.
 <!-- User-AppInstallation-{PackageFamilyName}-ProgressStatus-Editable-End -->
@@ -5561,6 +5635,7 @@ Status of app installation. The following values are returned: NOT_INSTALLED (0)
 <!-- User-AppInstallation-{PackageFamilyName}-Status-Description-End -->
 
 <!-- User-AppInstallation-{PackageFamilyName}-Status-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > This element isn't present after the app is installed.
 <!-- User-AppInstallation-{PackageFamilyName}-Status-Editable-End -->
@@ -5718,6 +5793,7 @@ License ID for a store installed app. The license ID is generally the PFN of the
 <!-- User-AppLicenses-StoreLicenses-{LicenseID}-Description-End -->
 
 <!-- User-AppLicenses-StoreLicenses-{LicenseID}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is an optional node.
 <!-- User-AppLicenses-StoreLicenses-{LicenseID}-Editable-End -->
 
@@ -5758,6 +5834,7 @@ Command to add license.
 <!-- User-AppLicenses-StoreLicenses-{LicenseID}-AddLicense-Description-End -->
 
 <!-- User-AppLicenses-StoreLicenses-{LicenseID}-AddLicense-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- User-AppLicenses-StoreLicenses-{LicenseID}-AddLicense-Editable-End -->
 
@@ -5797,6 +5874,7 @@ Command to get license from the store.
 <!-- User-AppLicenses-StoreLicenses-{LicenseID}-GetLicenseFromStore-Description-End -->
 
 <!-- User-AppLicenses-StoreLicenses-{LicenseID}-GetLicenseFromStore-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- User-AppLicenses-StoreLicenses-{LicenseID}-GetLicenseFromStore-Editable-End -->
 
@@ -5992,6 +6070,7 @@ Specifies the query for app inventory.
 <!-- User-AppManagement-AppInventoryQuery-Description-End -->
 
 <!-- User-AppManagement-AppInventoryQuery-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node. Query parameters:
 
 - Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are:
@@ -6031,6 +6110,7 @@ This is a required node. Query parameters:
 <!-- User-AppManagement-AppInventoryQuery-DFProperties-End -->
 
 <!-- User-AppManagement-AppInventoryQuery-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Example**:
 
 The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps.
@@ -6072,6 +6152,7 @@ Returns the results for app inventory that was created after the AppInventoryQue
 <!-- User-AppManagement-AppInventoryResults-Description-End -->
 
 <!-- User-AppManagement-AppInventoryResults-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- User-AppManagement-AppInventoryResults-Editable-End -->
 
@@ -6085,6 +6166,7 @@ This is a required node.
 <!-- User-AppManagement-AppInventoryResults-DFProperties-End -->
 
 <!-- User-AppManagement-AppInventoryResults-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Example**:
 
 Here's an example of AppInventoryResults operation.
@@ -6123,6 +6205,7 @@ Here's an example of AppInventoryResults operation.
 <!-- User-AppManagement-AppStore-Description-End -->
 
 <!-- User-AppManagement-AppStore-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node. Used for managing apps from the Microsoft Store.
 <!-- User-AppManagement-AppStore-Editable-End -->
 
@@ -6162,6 +6245,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-Description-End -->
 
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-Editable-End -->
@@ -6177,6 +6261,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-DFProperties-End -->
 
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Example**:
 
 Here's an example for uninstalling an app:
@@ -6262,6 +6347,7 @@ Architecture of installed package. Value type is string.
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-Architecture-Description-End -->
 
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-Architecture-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-Architecture-Editable-End -->
@@ -6302,6 +6388,7 @@ Date the app was installed. Value type is string.
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-InstallDate-Description-End -->
 
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-InstallDate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-InstallDate-Editable-End -->
 
@@ -6341,6 +6428,7 @@ Install location of the app on the device. Value type is string.
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-InstallLocation-Description-End -->
 
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-InstallLocation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-InstallLocation-Editable-End -->
@@ -6420,6 +6508,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-IsFramework-Description-End -->
 
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-IsFramework-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-IsFramework-Editable-End -->
@@ -6499,6 +6588,7 @@ This node is used to identify whether the package is a stub package. A stub pack
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-IsStub-Description-End -->
 
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-IsStub-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The value is 1 if the package is a stub package and 0 (zero) for all other cases.
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-IsStub-Editable-End -->
 
@@ -6577,6 +6667,7 @@ Provides information about the status of the package. Value type is int. Valid v
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-PackageStatus-Description-End -->
 
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-PackageStatus-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-PackageStatus-Editable-End -->
@@ -6656,6 +6747,7 @@ Specifies whether the package state has changed and requires a reinstallation of
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-RequiresReinstall-Description-End -->
 
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-RequiresReinstall-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 
 > [!NOTE]
@@ -6698,6 +6790,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-ResourceID-Description-End -->
 
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-ResourceID-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-ResourceID-Editable-End -->
@@ -6738,6 +6831,7 @@ Registered users of the app and the package install state. If the query is at th
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-Users-Description-End -->
 
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-{PackageFullName}-Users-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node. Possible values:
 
 - 0 = Not Installed
@@ -6821,6 +6915,7 @@ Interior node for all managed app setting values.
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-Description-End -->
 
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > This node is only supported in the user context.
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-Editable-End -->
@@ -6861,6 +6956,7 @@ The SettingValue and data represent a key value pair to be configured for the ap
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-End -->
 
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This setting only works for apps that support the feature and it's only supported in the user context.
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Editable-End -->
 
@@ -6875,6 +6971,7 @@ This setting only works for apps that support the feature and it's only supporte
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-DFProperties-End -->
 
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Examples**:
 
 - The following example sets the value for the 'Server'
@@ -6933,6 +7030,7 @@ Specifies whether you want to block a specific app from being updated via auto-u
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-DoNotUpdate-Description-End -->
 
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-DoNotUpdate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-DoNotUpdate-Editable-End -->
 
@@ -6981,6 +7079,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-MaintainProcessorArchitectureOnUpdate-Description-End -->
 
 <!-- User-AppManagement-AppStore-{PackageFamilyName}-MaintainProcessorArchitectureOnUpdate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins).
 
 |Applicability Setting |CSP state  |Result  |
@@ -7036,6 +7135,7 @@ Interior node for the managing updates through the Microsoft Store. These settin
 <!-- User-AppManagement-AppStore-ReleaseManagement-Description-End -->
 
 <!-- User-AppManagement-AppStore-ReleaseManagement-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > ReleaseManagement settings only apply to updates through the Microsoft Store.
 <!-- User-AppManagement-AppStore-ReleaseManagement-Editable-End -->
@@ -7311,6 +7411,7 @@ Reports the last error code returned by the update scan.
 <!-- User-AppManagement-LastScanError-Description-End -->
 
 <!-- User-AppManagement-LastScanError-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- User-AppManagement-LastScanError-Editable-End -->
 
@@ -7349,6 +7450,7 @@ This is a required node.
 <!-- User-AppManagement-nonStore-Description-End -->
 
 <!-- User-AppManagement-nonStore-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store.
 <!-- User-AppManagement-nonStore-Editable-End -->
 
@@ -7388,6 +7490,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-Description-End -->
 
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-Editable-End -->
@@ -7403,6 +7506,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-DFProperties-End -->
 
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 ```xml
 <SyncML xmlns="SYNCML:SYNCML1.2">
   <SyncBody>
@@ -7484,6 +7588,7 @@ Architecture of installed package. Value type is string.
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-Architecture-Description-End -->
 
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-Architecture-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-Architecture-Editable-End -->
@@ -7524,6 +7629,7 @@ Date the app was installed. Value type is string.
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-InstallDate-Description-End -->
 
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-InstallDate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-InstallDate-Editable-End -->
 
@@ -7563,6 +7669,7 @@ Install location of the app on the device. Value type is string.
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-InstallLocation-Description-End -->
 
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-InstallLocation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-InstallLocation-Editable-End -->
@@ -7642,6 +7749,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-IsFramework-Description-End -->
 
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-IsFramework-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-IsFramework-Editable-End -->
@@ -7721,6 +7829,7 @@ This node is used to identify whether the package is a stub package. A stub pack
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-IsStub-Description-End -->
 
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-IsStub-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The value is 1 if the package is a stub package and 0 (zero) for all other cases.
 
 Value type is int.
@@ -7801,6 +7910,7 @@ Provides information about the status of the package. Value type is int. Valid v
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-PackageStatus-Description-End -->
 
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-PackageStatus-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-PackageStatus-Editable-End -->
@@ -7880,6 +7990,7 @@ Specifies whether the package state has changed and requires a reinstallation of
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-RequiresReinstall-Description-End -->
 
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-RequiresReinstall-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 
 > [!NOTE]
@@ -7922,6 +8033,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-ResourceID-Description-End -->
 
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-ResourceID-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-ResourceID-Editable-End -->
@@ -7962,6 +8074,7 @@ Registered users of the app and the package install state. If the query is at th
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-Users-Description-End -->
 
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-{PackageFullName}-Users-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Requried.
 
 - Not Installed = 0
@@ -8045,6 +8158,7 @@ Interior node for all managed app setting values.
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-Description-End -->
 
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This node is only supported in the user context.
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-Editable-End -->
 
@@ -8084,6 +8198,7 @@ The SettingValue and data represent a key value pair to be configured for the ap
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-End -->
 
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This setting only works for apps that support the feature and it's only supported in the user context.
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Editable-End -->
 
@@ -8098,6 +8213,7 @@ This setting only works for apps that support the feature and it's only supporte
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-DFProperties-End -->
 
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 The following example sets the value for the 'Server'
 
 ```xml
@@ -8154,6 +8270,7 @@ Specifies whether you want to block a specific app from being updated via auto-u
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-DoNotUpdate-Description-End -->
 
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-DoNotUpdate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-DoNotUpdate-Editable-End -->
 
@@ -8202,6 +8319,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-MaintainProcessorArchitectureOnUpdate-Description-End -->
 
 <!-- User-AppManagement-nonStore-{PackageFamilyName}-MaintainProcessorArchitectureOnUpdate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins).
 
 | Applicability Setting | CSP state      | Result               |
@@ -8531,6 +8649,7 @@ Used to remove packages.
 <!-- User-AppManagement-RemovePackage-Description-End -->
 
 <!-- User-AppManagement-RemovePackage-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Parameters:
 
 - Package
@@ -8551,6 +8670,7 @@ Parameters:
 <!-- User-AppManagement-RemovePackage-DFProperties-End -->
 
 <!-- User-AppManagement-RemovePackage-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Example**:
 
 The following example removes a package for all users:
@@ -8632,6 +8752,7 @@ Used to restore the Windows app to its initial configuration.
 <!-- User-AppManagement-System-Description-End -->
 
 <!-- User-AppManagement-System-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Reports apps installed as part of the operating system.
 <!-- User-AppManagement-System-Editable-End -->
 
@@ -8671,6 +8792,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
 <!-- User-AppManagement-System-{PackageFamilyName}-Description-End -->
 
 <!-- User-AppManagement-System-{PackageFamilyName}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
 <!-- User-AppManagement-System-{PackageFamilyName}-Editable-End -->
@@ -8686,6 +8808,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
 <!-- User-AppManagement-System-{PackageFamilyName}-DFProperties-End -->
 
 <!-- User-AppManagement-System-{PackageFamilyName}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Example**:
 
 ```xml
@@ -8769,6 +8892,7 @@ Architecture of installed package. Value type is string.
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-Architecture-Description-End -->
 
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-Architecture-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-Architecture-Editable-End -->
@@ -8809,6 +8933,7 @@ Date the app was installed. Value type is string.
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-InstallDate-Description-End -->
 
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-InstallDate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-InstallDate-Editable-End -->
 
@@ -8848,6 +8973,7 @@ Install location of the app on the device. Value type is string.
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-InstallLocation-Description-End -->
 
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-InstallLocation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-InstallLocation-Editable-End -->
@@ -8927,6 +9053,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-IsFramework-Description-End -->
 
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-IsFramework-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-IsFramework-Editable-End -->
@@ -9006,6 +9133,7 @@ This node is used to identify whether the package is a stub package. A stub pack
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-IsStub-Description-End -->
 
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-IsStub-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The value is 1 if the package is a stub package and 0 (zero) for all other cases.
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-IsStub-Editable-End -->
 
@@ -9084,6 +9212,7 @@ Provides information about the status of the package. Value type is int. Valid v
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-PackageStatus-Description-End -->
 
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-PackageStatus-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-PackageStatus-Editable-End -->
@@ -9163,6 +9292,7 @@ Specifies whether the package state has changed and requires a reinstallation of
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-RequiresReinstall-Description-End -->
 
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-RequiresReinstall-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 
 > [!NOTE]
@@ -9205,6 +9335,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-ResourceID-Description-End -->
 
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-ResourceID-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Not applicable to XAP files.
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-ResourceID-Editable-End -->
@@ -9245,6 +9376,7 @@ Registered users of the app and the package install state. If the query is at th
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-Users-Description-End -->
 
 <!-- User-AppManagement-System-{PackageFamilyName}-{PackageFullName}-Users-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 
 - 0 = Not Installed
@@ -9328,6 +9460,7 @@ Interior node for all managed app setting values.
 <!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-Description-End -->
 
 <!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This node is only supported in the user context.
 <!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-Editable-End -->
 
@@ -9367,6 +9500,7 @@ The SettingValue and data represent a key value pair to be configured for the ap
 <!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-End -->
 
 <!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This setting only works for apps that support the feature and it's only supported in the user context.
 <!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Editable-End -->
 
@@ -9381,6 +9515,7 @@ This setting only works for apps that support the feature and it's only supporte
 <!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-DFProperties-End -->
 
 <!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Examples**:
 
 - The following example sets the value for the 'Server'
@@ -9439,6 +9574,7 @@ Specifies whether you want to block a specific app from being updated via auto-u
 <!-- User-AppManagement-System-{PackageFamilyName}-DoNotUpdate-Description-End -->
 
 <!-- User-AppManagement-System-{PackageFamilyName}-DoNotUpdate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- User-AppManagement-System-{PackageFamilyName}-DoNotUpdate-Editable-End -->
 
@@ -9487,6 +9623,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the
 <!-- User-AppManagement-System-{PackageFamilyName}-MaintainProcessorArchitectureOnUpdate-Description-End -->
 
 <!-- User-AppManagement-System-{PackageFamilyName}-MaintainProcessorArchitectureOnUpdate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins).
 
 | Applicability Setting | CSP state      | Result               |
@@ -9816,6 +9953,7 @@ Used to start the Windows Update scan.
 <!-- User-AppManagement-UpdateScan-Description-End -->
 
 <!-- User-AppManagement-UpdateScan-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This is a required node.
 <!-- User-AppManagement-UpdateScan-Editable-End -->
 

windows/client-management/mdm/firewall-csp.md

@@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -16,9 +16,6 @@ ms.topic: reference
 <!-- Firewall-Begin -->
 # Firewall CSP
 
-> [!IMPORTANT]
-> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
-
 <!-- Firewall-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network.
@@ -99,11 +96,11 @@ The following list shows the Firewall configuration service provider nodes:
     - [HyperVFirewallRules](#mdmstorehypervfirewallrules)
       - [{FirewallRuleName}](#mdmstorehypervfirewallrulesfirewallrulename)
         - [Action](#mdmstorehypervfirewallrulesfirewallrulenameaction)
-          - [Type](#mdmstorehypervfirewallrulesfirewallrulenameactiontype)
         - [Direction](#mdmstorehypervfirewallrulesfirewallrulenamedirection)
         - [Enabled](#mdmstorehypervfirewallrulesfirewallrulenameenabled)
         - [LocalAddressRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocaladdressranges)
         - [LocalPortRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocalportranges)
+        - [Name](#mdmstorehypervfirewallrulesfirewallrulenamename)
         - [Priority](#mdmstorehypervfirewallrulesfirewallrulenamepriority)
         - [Profiles](#mdmstorehypervfirewallrulesfirewallrulenameprofiles)
         - [Protocol](#mdmstorehypervfirewallrulesfirewallrulenameprotocol)
@@ -111,12 +108,6 @@ The following list shows the Firewall configuration service provider nodes:
         - [RemotePortRanges](#mdmstorehypervfirewallrulesfirewallrulenameremoteportranges)
         - [Status](#mdmstorehypervfirewallrulesfirewallrulenamestatus)
         - [VMCreatorId](#mdmstorehypervfirewallrulesfirewallrulenamevmcreatorid)
-    - [HyperVLoopbackRules](#mdmstorehypervloopbackrules)
-      - [{RuleName}](#mdmstorehypervloopbackrulesrulename)
-        - [DestinationVMCreatorId](#mdmstorehypervloopbackrulesrulenamedestinationvmcreatorid)
-        - [Enabled](#mdmstorehypervloopbackrulesrulenameenabled)
-        - [PortRanges](#mdmstorehypervloopbackrulesrulenameportranges)
-        - [SourceVMCreatorId](#mdmstorehypervloopbackrulesrulenamesourcevmcreatorid)
     - [HyperVVMSettings](#mdmstorehypervvmsettings)
       - [{VMCreatorId}](#mdmstorehypervvmsettingsvmcreatorid)
         - [AllowHostPolicyMerge](#mdmstorehypervvmsettingsvmcreatoridallowhostpolicymerge)
@@ -1791,7 +1782,7 @@ Specifies the description of the rule.
 
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Direction-Description-Begin -->
 <!-- Description-Source-DDF -->
-Comma separated list. The rule is enabled based on the traffic direction as following.
+The rule is enabled based on the traffic direction as following.
 
 IN - the rule applies to inbound traffic.
 OUT - the rule applies to outbound traffic.
@@ -1935,7 +1926,7 @@ If not specified - a new rule is disabled by default.
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-IcmpTypesAndCodes-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 21H1 [10.0.19043] and later |
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later |
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-IcmpTypesAndCodes-Applicability-End -->
 
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-IcmpTypesAndCodes-OmaUri-Begin -->
@@ -2087,6 +2078,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-LocalPortRanges-Description-Begin -->
 <!-- Description-Source-DDF -->
 Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.
+When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP).
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-LocalPortRanges-Description-End -->
 
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-LocalPortRanges-Editable-Begin -->
@@ -2166,7 +2158,8 @@ This is a string in Security Descriptor Definition Language (SDDL) format..
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Name-OmaUri-End -->
 
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Name-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-DDF -->
+Specifies the friendly name of the firewall rule.
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Name-Description-End -->
 
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Name-Editable-Begin -->
@@ -2194,7 +2187,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format..
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 22H2 [10.0.19045.2913] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1880] and later <br> :heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1635] and later |
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Applicability-End -->
 
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-OmaUri-Begin -->
@@ -2205,7 +2198,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format..
 
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Description-Begin -->
 <!-- Description-Source-DDF -->
-Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_".
+Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". A PolicyAppId and ServiceName cannot be specified in the same rule.
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Description-End -->
 
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Editable-Begin -->
@@ -2431,6 +2424,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-RemotePortRanges-Description-Begin -->
 <!-- Description-Source-DDF -->
 Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.
+When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP).
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-RemotePortRanges-Description-End -->
 
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-RemotePortRanges-Editable-Begin -->
@@ -3122,7 +3116,9 @@ Unique alpha numeric identifier for the rule. The rule name must not include a f
 
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Description-Begin -->
 <!-- Description-Source-DDF -->
-Specifies the action for the rule.
+Specifies the action the rule enforces:
+0 - Block
+1 - Allow.
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Description-End -->
 
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Editable-Begin -->
@@ -3132,68 +3128,27 @@ Specifies the action for the rule.
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-DFProperties-Begin -->
 **Description framework properties**:
 
-| Property name | Property value |
-|:--|:--|
-| Format | node |
-| Access Type | Get |
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-DFProperties-End -->
-
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Examples-End -->
-
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-End -->
-
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-Begin -->
-###### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action/Type
-
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-Applicability-End -->
-
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-OmaUri-Begin -->
-```Device
-./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action/Type
-```
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-OmaUri-End -->
-
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-Description-Begin -->
-<!-- Description-Source-DDF -->
-Specifies the action the rule enforces:
-0 - Block
-1 - Allow.
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-Description-End -->
-
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-Editable-End -->
-
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-DFProperties-Begin -->
-**Description framework properties**:
-
 | Property name | Property value |
 |:--|:--|
 | Format | int |
 | Access Type | Get, Replace |
 | Default Value  | 1 |
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-DFProperties-End -->
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-DFProperties-End -->
 
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-AllowedValues-Begin -->
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-AllowedValues-Begin -->
 **Allowed values**:
 
 | Value | Description |
 |:--|:--|
 | 0 | Block. |
 | 1 (Default) | Allow. |
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-AllowedValues-End -->
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-AllowedValues-End -->
 
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-Examples-Begin -->
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-Examples-End -->
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Examples-End -->
 
-<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-End -->
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-End -->
 
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Direction-Begin -->
 ##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Direction
@@ -3212,7 +3167,7 @@ Specifies the action the rule enforces:
 
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Direction-Description-Begin -->
 <!-- Description-Source-DDF -->
-Comma separated list. The rule is enabled based on the traffic direction as following.
+The rule is enabled based on the traffic direction as following.
 
 IN - the rule applies to inbound traffic.
 OUT - the rule applies to outbound traffic.
@@ -3385,6 +3340,45 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the
 
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalPortRanges-End -->
 
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Begin -->
+##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name
+
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Applicability-End -->
+
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name
+```
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-OmaUri-End -->
+
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Description-Begin -->
+<!-- Description-Source-DDF -->
+Specifies the friendly name of the Hyper-V Firewall rule.
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Description-End -->
+
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Editable-End -->
+
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-DFProperties-End -->
+
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Examples-End -->
+
+<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-End -->
+
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Begin -->
 ##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Priority
 
@@ -3402,7 +3396,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the
 
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Description-Begin -->
 <!-- Description-Source-DDF -->
-0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17). If not specified the default is All.
+This value represents the order of rule enforcement. A lower priority rule is evaluated first. If not specified, block rules are evaluated before allow rules. If priority is configured, it is highly recommended to configure the value for ALL rules to ensure expected evaluation of rules.
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Description-End -->
 
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Editable-Begin -->
@@ -3416,7 +3410,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the
 |:--|:--|
 | Format | int |
 | Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-255]` |
+| Allowed Values | Range: `[0-65535]` |
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-DFProperties-End -->
 
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Examples-Begin -->
@@ -3679,255 +3673,6 @@ This field specifies the VM Creator ID that this rule is applicable to. A NULL G
 
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-VMCreatorId-End -->
 
-<!-- Device-MdmStore-HyperVLoopbackRules-Begin -->
-### MdmStore/HyperVLoopbackRules
-
-<!-- Device-MdmStore-HyperVLoopbackRules-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
-<!-- Device-MdmStore-HyperVLoopbackRules-Applicability-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-OmaUri-Begin -->
-```Device
-./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules
-```
-<!-- Device-MdmStore-HyperVLoopbackRules-OmaUri-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-Description-Begin -->
-<!-- Description-Source-DDF -->
-A list of rules controlling loopback traffic through the Windows Firewall. This enforcement is only for traffic from one container to another or to the host device. These rules are all allow rules.
-<!-- Device-MdmStore-HyperVLoopbackRules-Description-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- Device-MdmStore-HyperVLoopbackRules-Editable-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | node |
-| Access Type | Get |
-<!-- Device-MdmStore-HyperVLoopbackRules-DFProperties-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- Device-MdmStore-HyperVLoopbackRules-Examples-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Begin -->
-#### MdmStore/HyperVLoopbackRules/{RuleName}
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Applicability-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-OmaUri-Begin -->
-```Device
-./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}
-```
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-OmaUri-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Description-Begin -->
-<!-- Description-Source-DDF -->
-Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Description-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Editable-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | node |
-| Access Type | Add, Delete, Get, Replace |
-| Atomic Required | True |
-| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
-| Allowed Values | Regular Expression: `^[^|/]*$` |
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DFProperties-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Examples-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-Begin -->
-##### MdmStore/HyperVLoopbackRules/{RuleName}/DestinationVMCreatorId
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-Applicability-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-OmaUri-Begin -->
-```Device
-./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/DestinationVMCreatorId
-```
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-OmaUri-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-Description-Begin -->
-<!-- Description-Source-DDF -->
-This field specifies the VM Creator ID of the destination of traffic that this rule applies to. If not specified, this applies to All.
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-Description-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-Editable-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | chr (string) |
-| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` |
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-DFProperties-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-Examples-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-Begin -->
-##### MdmStore/HyperVLoopbackRules/{RuleName}/Enabled
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-Applicability-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-OmaUri-Begin -->
-```Device
-./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/Enabled
-```
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-OmaUri-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-Description-Begin -->
-<!-- Description-Source-DDF -->
-Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default.
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-Description-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-Editable-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | bool |
-| Access Type | Get, Replace |
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-DFProperties-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-AllowedValues-Begin -->
-**Allowed values**:
-
-| Value | Description |
-|:--|:--|
-| 0 | Disabled. |
-| 1 | Enabled. |
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-AllowedValues-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-Examples-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-Begin -->
-##### MdmStore/HyperVLoopbackRules/{RuleName}/PortRanges
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-Applicability-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-OmaUri-Begin -->
-```Device
-./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/PortRanges
-```
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-OmaUri-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-Description-Begin -->
-<!-- Description-Source-DDF -->
-Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-Description-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-Editable-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | chr (string) |
-| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Regular Expression: `^[0-9,-]+$` |
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-DFProperties-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-Examples-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-Begin -->
-##### MdmStore/HyperVLoopbackRules/{RuleName}/SourceVMCreatorId
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-Applicability-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-OmaUri-Begin -->
-```Device
-./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/SourceVMCreatorId
-```
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-OmaUri-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-Description-Begin -->
-<!-- Description-Source-DDF -->
-This field specifies the VM Creator ID of the source of the traffic that this rule applies to. If not specified, this applies to All.
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-Description-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-Editable-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | chr (string) |
-| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` |
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-DFProperties-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-Examples-End -->
-
-<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-End -->
-
 <!-- Device-MdmStore-HyperVVMSettings-Begin -->
 ### MdmStore/HyperVVMSettings
 
@@ -4026,7 +3771,7 @@ VM Creator ID that these settings apply to. Valid format is a GUID.
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Description-Begin -->
 <!-- Description-Source-DDF -->
-This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V firewall.
+This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V Firewall.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Description-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Editable-Begin -->
@@ -4075,7 +3820,7 @@ This value is used as an on/off switch. If this value is true, applicable host f
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-Description-Begin -->
 <!-- Description-Source-DDF -->
-This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.
+This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-Description-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-Editable-Begin -->
@@ -4125,7 +3870,7 @@ This value is the action that the firewall does by default (and evaluates at the
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-Description-Begin -->
 <!-- Description-Source-DDF -->
-This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.
+This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-Description-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-Editable-Begin -->
@@ -4213,7 +3958,7 @@ This value is the action that the firewall does by default (and evaluates at the
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Description-Begin -->
 <!-- Description-Source-DDF -->
-This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
+This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Description-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Editable-Begin -->
@@ -4263,7 +4008,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Description-Begin -->
 <!-- Description-Source-DDF -->
-This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].
+This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Description-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Editable-Begin -->
@@ -4313,7 +4058,7 @@ This value is the action that the firewall does by default (and evaluates at the
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Description-Begin -->
 <!-- Description-Source-DDF -->
-This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].
+This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Description-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Editable-Begin -->
@@ -4363,7 +4108,7 @@ This value is the action that the firewall does by default (and evaluates at the
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Description-Begin -->
 <!-- Description-Source-DDF -->
-This value is an on/off switch for the firewall and advanced security enforcement.
+This value is an on/off switch for the Hyper-V Firewall enforcement.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Description-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Editable-Begin -->
@@ -4412,7 +4157,7 @@ This value is an on/off switch for the firewall and advanced security enforcemen
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Description-Begin -->
 <!-- Description-Source-DDF -->
-This value is an on/off switch for the firewall and advanced security enforcement. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.
+This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Description-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Editable-Begin -->
@@ -4434,8 +4179,8 @@ This value is an on/off switch for the firewall and advanced security enforcemen
 
 | Value | Description |
 |:--|:--|
-| false | Disable Firewall. |
-| true (Default) | Enable Firewall. |
+| false | Disable Hyper-V Firewall. |
+| true (Default) | Enable Hyper-V Firewall. |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-AllowedValues-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Examples-Begin -->
@@ -4548,7 +4293,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Description-Begin -->
 <!-- Description-Source-DDF -->
-This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
+This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Description-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Editable-Begin -->
@@ -4598,7 +4343,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Description-Begin -->
 <!-- Description-Source-DDF -->
-This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].
+This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Description-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Editable-Begin -->
@@ -4648,7 +4393,7 @@ This value is the action that the firewall does by default (and evaluates at the
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Description-Begin -->
 <!-- Description-Source-DDF -->
-This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].
+This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Description-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Editable-Begin -->
@@ -4698,7 +4443,7 @@ This value is the action that the firewall does by default (and evaluates at the
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Description-Begin -->
 <!-- Description-Source-DDF -->
-This value is an on/off switch for the firewall and advanced security enforcement.
+This value is an on/off switch for the Hyper-V Firewall enforcement.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Description-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Editable-Begin -->
@@ -4785,7 +4530,7 @@ This value is an on/off switch for the firewall and advanced security enforcemen
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Description-Begin -->
 <!-- Description-Source-DDF -->
-This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
+This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Description-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Editable-Begin -->
@@ -4835,7 +4580,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Description-Begin -->
 <!-- Description-Source-DDF -->
-This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].
+This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Description-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Editable-Begin -->
@@ -4885,7 +4630,7 @@ This value is the action that the firewall does by default (and evaluates at the
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Description-Begin -->
 <!-- Description-Source-DDF -->
-This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].
+This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Description-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Editable-Begin -->
@@ -4935,7 +4680,7 @@ This value is the action that the firewall does by default (and evaluates at the
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Description-Begin -->
 <!-- Description-Source-DDF -->
-This value is an on/off switch for the firewall and advanced security enforcement.
+This value is an on/off switch for the Hyper-V Firewall enforcement.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Description-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Editable-Begin -->
@@ -4957,8 +4702,8 @@ This value is an on/off switch for the firewall and advanced security enforcemen
 
 | Value | Description |
 |:--|:--|
-| false | Disable Firewall. |
-| true (Default) | Enable Firewall. |
+| false | Disable Hyper-V Firewall. |
+| true (Default) | Enable Hyper-V Firewall. |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-AllowedValues-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Examples-Begin -->

windows/client-management/mdm/firewall-ddf-file.md

@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -2855,7 +2855,7 @@ The following XML file contains the device description framework (DDF) for the F
                 <Replace />
               </AccessType>
               <DefaultValue>true</DefaultValue>
-              <Description>This value is an on/off switch for the firewall and advanced security enforcement. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.</Description>
+              <Description>This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.</Description>
               <DFFormat>
                 <bool />
               </DFFormat>
@@ -2871,11 +2871,11 @@ The following XML file contains the device description framework (DDF) for the F
               <MSFT:AllowedValues ValueType="ENUM">
                 <MSFT:Enum>
                   <MSFT:Value>false</MSFT:Value>
-                  <MSFT:ValueDescription>Disable Firewall</MSFT:ValueDescription>
+                  <MSFT:ValueDescription>Disable Hyper-V Firewall</MSFT:ValueDescription>
                 </MSFT:Enum>
                 <MSFT:Enum>
                   <MSFT:Value>true</MSFT:Value>
-                  <MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
+                  <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
                 </MSFT:Enum>
               </MSFT:AllowedValues>
             </DFProperties>
@@ -2888,7 +2888,7 @@ The following XML file contains the device description framework (DDF) for the F
                 <Replace />
               </AccessType>
               <DefaultValue>0</DefaultValue>
-              <Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.</Description>
+              <Description>This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.</Description>
               <DFFormat>
                 <int />
               </DFFormat>
@@ -2918,7 +2918,7 @@ The following XML file contains the device description framework (DDF) for the F
                     <MSFT:DependencyAllowedValue ValueType="ENUM">
                       <MSFT:Enum>
                         <MSFT:Value>true</MSFT:Value>
-                        <MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
+                        <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
                       </MSFT:Enum>
                     </MSFT:DependencyAllowedValue>
                   </MSFT:Dependency>
@@ -2934,7 +2934,7 @@ The following XML file contains the device description framework (DDF) for the F
                 <Replace />
               </AccessType>
               <DefaultValue>1</DefaultValue>
-              <Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.</Description>
+              <Description>This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.</Description>
               <DFFormat>
                 <int />
               </DFFormat>
@@ -2964,7 +2964,7 @@ The following XML file contains the device description framework (DDF) for the F
                     <MSFT:DependencyAllowedValue ValueType="ENUM">
                       <MSFT:Enum>
                         <MSFT:Value>true</MSFT:Value>
-                        <MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
+                        <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
                       </MSFT:Enum>
                     </MSFT:DependencyAllowedValue>
                   </MSFT:Dependency>
@@ -3012,7 +3012,7 @@ The following XML file contains the device description framework (DDF) for the F
                 <Replace />
               </AccessType>
               <DefaultValue>true</DefaultValue>
-              <Description>This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V firewall.</Description>
+              <Description>This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V Firewall.</Description>
               <DFFormat>
                 <bool />
               </DFFormat>
@@ -3063,7 +3063,7 @@ The following XML file contains the device description framework (DDF) for the F
                   <Replace />
                 </AccessType>
                 <DefaultValue>true</DefaultValue>
-                <Description>This value is an on/off switch for the firewall and advanced security enforcement.</Description>
+                <Description>This value is an on/off switch for the Hyper-V Firewall enforcement.</Description>
                 <DFFormat>
                   <bool />
                 </DFFormat>
@@ -3096,7 +3096,7 @@ The following XML file contains the device description framework (DDF) for the F
                   <Replace />
                 </AccessType>
                 <DefaultValue>0</DefaultValue>
-                <Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description>
+                <Description>This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description>
                 <DFFormat>
                   <int />
                 </DFFormat>
@@ -3126,7 +3126,7 @@ The following XML file contains the device description framework (DDF) for the F
                       <MSFT:DependencyAllowedValue ValueType="ENUM">
                         <MSFT:Enum>
                           <MSFT:Value>true</MSFT:Value>
-                          <MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
+                          <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
                         </MSFT:Enum>
                       </MSFT:DependencyAllowedValue>
                     </MSFT:Dependency>
@@ -3142,7 +3142,7 @@ The following XML file contains the device description framework (DDF) for the F
                   <Replace />
                 </AccessType>
                 <DefaultValue>1</DefaultValue>
-                <Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description>
+                <Description>This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description>
                 <DFFormat>
                   <int />
                 </DFFormat>
@@ -3172,7 +3172,7 @@ The following XML file contains the device description framework (DDF) for the F
                       <MSFT:DependencyAllowedValue ValueType="ENUM">
                         <MSFT:Enum>
                           <MSFT:Value>true</MSFT:Value>
-                          <MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
+                          <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
                         </MSFT:Enum>
                       </MSFT:DependencyAllowedValue>
                     </MSFT:Dependency>
@@ -3187,7 +3187,7 @@ The following XML file contains the device description framework (DDF) for the F
                   <Replace />
                 </AccessType>
                 <DefaultValue>true</DefaultValue>
-                <Description>This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced.  The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
+                <Description>This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.</Description>
                 <DFFormat>
                   <bool />
                 </DFFormat>
@@ -3217,7 +3217,7 @@ The following XML file contains the device description framework (DDF) for the F
                       <MSFT:DependencyAllowedValue ValueType="ENUM">
                         <MSFT:Enum>
                           <MSFT:Value>true</MSFT:Value>
-                          <MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
+                          <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
                         </MSFT:Enum>
                       </MSFT:DependencyAllowedValue>
                     </MSFT:Dependency>
@@ -3252,7 +3252,7 @@ The following XML file contains the device description framework (DDF) for the F
                   <Replace />
                 </AccessType>
                 <DefaultValue>true</DefaultValue>
-                <Description>This value is an on/off switch for the firewall and advanced security enforcement.</Description>
+                <Description>This value is an on/off switch for the Hyper-V Firewall enforcement.</Description>
                 <DFFormat>
                   <bool />
                 </DFFormat>
@@ -3285,7 +3285,7 @@ The following XML file contains the device description framework (DDF) for the F
                   <Replace />
                 </AccessType>
                 <DefaultValue>0</DefaultValue>
-                <Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description>
+                <Description>This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description>
                 <DFFormat>
                   <int />
                 </DFFormat>
@@ -3315,7 +3315,7 @@ The following XML file contains the device description framework (DDF) for the F
                       <MSFT:DependencyAllowedValue ValueType="ENUM">
                         <MSFT:Enum>
                           <MSFT:Value>true</MSFT:Value>
-                          <MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
+                          <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
                         </MSFT:Enum>
                       </MSFT:DependencyAllowedValue>
                     </MSFT:Dependency>
@@ -3331,7 +3331,7 @@ The following XML file contains the device description framework (DDF) for the F
                   <Replace />
                 </AccessType>
                 <DefaultValue>1</DefaultValue>
-                <Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description>
+                <Description>This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description>
                 <DFFormat>
                   <int />
                 </DFFormat>
@@ -3361,7 +3361,7 @@ The following XML file contains the device description framework (DDF) for the F
                       <MSFT:DependencyAllowedValue ValueType="ENUM">
                         <MSFT:Enum>
                           <MSFT:Value>true</MSFT:Value>
-                          <MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
+                          <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
                         </MSFT:Enum>
                       </MSFT:DependencyAllowedValue>
                     </MSFT:Dependency>
@@ -3376,7 +3376,7 @@ The following XML file contains the device description framework (DDF) for the F
                   <Replace />
                 </AccessType>
                 <DefaultValue>true</DefaultValue>
-                <Description>This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced.  The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
+                <Description>This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.</Description>
                 <DFFormat>
                   <bool />
                 </DFFormat>
@@ -3406,7 +3406,7 @@ The following XML file contains the device description framework (DDF) for the F
                       <MSFT:DependencyAllowedValue ValueType="ENUM">
                         <MSFT:Enum>
                           <MSFT:Value>true</MSFT:Value>
-                          <MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
+                          <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
                         </MSFT:Enum>
                       </MSFT:DependencyAllowedValue>
                     </MSFT:Dependency>
@@ -3441,7 +3441,7 @@ The following XML file contains the device description framework (DDF) for the F
                   <Replace />
                 </AccessType>
                 <DefaultValue>true</DefaultValue>
-                <Description>This value is an on/off switch for the firewall and advanced security enforcement.</Description>
+                <Description>This value is an on/off switch for the Hyper-V Firewall enforcement.</Description>
                 <DFFormat>
                   <bool />
                 </DFFormat>
@@ -3457,11 +3457,11 @@ The following XML file contains the device description framework (DDF) for the F
                 <MSFT:AllowedValues ValueType="ENUM">
                   <MSFT:Enum>
                     <MSFT:Value>false</MSFT:Value>
-                    <MSFT:ValueDescription>Disable Firewall</MSFT:ValueDescription>
+                    <MSFT:ValueDescription>Disable Hyper-V Firewall</MSFT:ValueDescription>
                   </MSFT:Enum>
                   <MSFT:Enum>
                     <MSFT:Value>true</MSFT:Value>
-                    <MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
+                    <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
                   </MSFT:Enum>
                 </MSFT:AllowedValues>
               </DFProperties>
@@ -3474,7 +3474,7 @@ The following XML file contains the device description framework (DDF) for the F
                   <Replace />
                 </AccessType>
                 <DefaultValue>0</DefaultValue>
-                <Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description>
+                <Description>This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description>
                 <DFFormat>
                   <int />
                 </DFFormat>
@@ -3504,7 +3504,7 @@ The following XML file contains the device description framework (DDF) for the F
                       <MSFT:DependencyAllowedValue ValueType="ENUM">
                         <MSFT:Enum>
                           <MSFT:Value>true</MSFT:Value>
-                          <MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
+                          <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
                         </MSFT:Enum>
                       </MSFT:DependencyAllowedValue>
                     </MSFT:Dependency>
@@ -3520,7 +3520,7 @@ The following XML file contains the device description framework (DDF) for the F
                   <Replace />
                 </AccessType>
                 <DefaultValue>1</DefaultValue>
-                <Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description>
+                <Description>This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description>
                 <DFFormat>
                   <int />
                 </DFFormat>
@@ -3550,7 +3550,7 @@ The following XML file contains the device description framework (DDF) for the F
                       <MSFT:DependencyAllowedValue ValueType="ENUM">
                         <MSFT:Enum>
                           <MSFT:Value>true</MSFT:Value>
-                          <MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
+                          <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
                         </MSFT:Enum>
                       </MSFT:DependencyAllowedValue>
                     </MSFT:Dependency>
@@ -3565,7 +3565,7 @@ The following XML file contains the device description framework (DDF) for the F
                   <Replace />
                 </AccessType>
                 <DefaultValue>true</DefaultValue>
-                <Description>This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced.  The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
+                <Description>This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.</Description>
                 <DFFormat>
                   <bool />
                 </DFFormat>
@@ -3595,7 +3595,7 @@ The following XML file contains the device description framework (DDF) for the F
                       <MSFT:DependencyAllowedValue ValueType="ENUM">
                         <MSFT:Enum>
                           <MSFT:Value>true</MSFT:Value>
-                          <MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
+                          <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
                         </MSFT:Enum>
                       </MSFT:DependencyAllowedValue>
                     </MSFT:Dependency>
@@ -3818,7 +3818,10 @@ ServiceName</Description>
                 <Get />
                 <Replace />
               </AccessType>
-              <Description>Comma Separated list of ranges for eg. 100-120,200,300-320.  If not specified the default is All.</Description>
+              <Description>
+                    Comma Separated list of ranges for eg. 100-120,200,300-320.  If not specified the default is All.
+                    When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP).
+                  </Description>
               <DFFormat>
                 <chr />
               </DFFormat>
@@ -3846,7 +3849,10 @@ ServiceName</Description>
                 <Get />
                 <Replace />
               </AccessType>
-              <Description> Comma Separated list of ranges for eg. 100-120,200,300-320.  If not specified the default is All.</Description>
+              <Description>
+                    Comma Separated list of ranges for eg. 100-120,200,300-320.  If not specified the default is All.
+                    When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP).
+                  </Description>
               <DFFormat>
                 <chr />
               </DFFormat>
@@ -3878,6 +3884,8 @@ ServiceName</Description>
                     String value. Multiple ICMP type+code pairs can be included in the string by separating each value with a ",". If more than one ICMP type+code pair is specified, the strings must be separated by a comma.
                     To specify all ICMP types and codes, use the "*" character. For specific ICMP types and codes, use the ":" to separate the type and code.
                     The following are valid examples: 3:4 or 1:*. The "*" character can be used to represent any code. The "*" character can't be used to specify any type, examples such as "*:4" or "*:*" are invalid.
+
+                    When setting this field in a firewall rule, the protocol field must also be set, to either 1 (ICMP) or 58 (IPv6-ICMP).
                   </Description>
               <DFFormat>
                 <chr />
@@ -3892,7 +3900,7 @@ ServiceName</Description>
                 <MIME />
               </DFType>
               <MSFT:Applicability>
-                <MSFT:OsBuildVersion>10.0.19043</MSFT:OsBuildVersion>
+                <MSFT:OsBuildVersion>10.0.20348</MSFT:OsBuildVersion>
                 <MSFT:CspVersion>1.0</MSFT:CspVersion>
               </MSFT:Applicability>
               <MSFT:AllowedValues ValueType="None">
@@ -3909,7 +3917,7 @@ ServiceName</Description>
                 <Get />
                 <Replace />
               </AccessType>
-              <Description>Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. 
+              <Description>Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value.
 Valid tokens include:
 "*" indicates any local address. If present, this must be the only token included.
 
@@ -4172,7 +4180,7 @@ If not specified - a new rule is disabled by default.</Description>
                 <Replace />
               </AccessType>
               <DefaultValue>OUT</DefaultValue>
-              <Description>Comma separated list.  The rule is enabled based on the traffic direction as following.
+              <Description>The rule is enabled based on the traffic direction as following.
 
 IN - the rule applies to inbound traffic.
 OUT - the rule applies to outbound traffic.
@@ -4328,7 +4336,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format..</Des
                 <Get />
                 <Replace />
               </AccessType>
-              <Description> Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". </Description>
+              <Description> Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". A PolicyAppId and ServiceName cannot be specified in the same rule. </Description>
               <DFFormat>
                 <chr />
               </DFFormat>
@@ -4342,7 +4350,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format..</Des
                 <MIME />
               </DFType>
               <MSFT:Applicability>
-                <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
+                <MSFT:OsBuildVersion>10.0.19045.2913, 10.0.22621.1635, 10.0.22000.1880</MSFT:OsBuildVersion>
                 <MSFT:CspVersion>1.1</MSFT:CspVersion>
               </MSFT:Applicability>
               <MSFT:AllowedValues ValueType="RegEx">
@@ -4380,6 +4388,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format..</Des
                 <Get />
                 <Replace />
               </AccessType>
+              <Description>Specifies the friendly name of the firewall rule.</Description>
               <DFFormat>
                 <chr />
               </DFFormat>
@@ -4457,7 +4466,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format..</Des
                 <Get />
                 <Replace />
               </AccessType>
-              <Description>0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17).  If not specified the default is All.</Description>
+              <Description>This value represents the order of rule enforcement. A lower priority rule is evaluated first. If not specified, block rules are evaluated before allow rules. If priority is configured, it is highly recommended to configure the value for ALL rules to ensure expected evaluation of rules.</Description>
               <DFFormat>
                 <int />
               </DFFormat>
@@ -4471,7 +4480,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format..</Des
                 <MIME />
               </DFType>
               <MSFT:AllowedValues ValueType="Range">
-                <MSFT:Value>[0-255]</MSFT:Value>
+                <MSFT:Value>[0-65535]</MSFT:Value>
               </MSFT:AllowedValues>
             </DFProperties>
           </Node>
@@ -4483,7 +4492,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format..</Des
                 <Replace />
               </AccessType>
               <DefaultValue>OUT</DefaultValue>
-              <Description>Comma separated list.  The rule is enabled based on the traffic direction as following.
+              <Description>The rule is enabled based on the traffic direction as following.
 
 IN - the rule applies to inbound traffic.
 OUT - the rule applies to outbound traffic.
@@ -4577,7 +4586,7 @@ If not specified the detault is OUT.</Description>
                 <Get />
                 <Replace />
               </AccessType>
-              <Description>Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. 
+              <Description>Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value.
 Valid tokens include:
 "*" indicates any local address. If present, this must be the only token included.
 
@@ -4695,10 +4704,14 @@ An IPv6 address range in the format of "start address - end address" with no spa
             <DFProperties>
               <AccessType>
                 <Get />
+                <Replace />
               </AccessType>
-              <Description>Specifies the action for the rule.</Description>
+              <DefaultValue>1</DefaultValue>
+              <Description>Specifies the action the rule enforces:
+0 - Block
+1 - Allow</Description>
               <DFFormat>
-                <node />
+                <int />
               </DFFormat>
               <Occurrence>
                 <One />
@@ -4707,44 +4720,19 @@ An IPv6 address range in the format of "start address - end address" with no spa
                 <Dynamic />
               </Scope>
               <DFType>
-                <DDFName />
+                <MIME />
               </DFType>
+              <MSFT:AllowedValues ValueType="ENUM">
+                <MSFT:Enum>
+                  <MSFT:Value>0</MSFT:Value>
+                  <MSFT:ValueDescription>Block</MSFT:ValueDescription>
+                </MSFT:Enum>
+                <MSFT:Enum>
+                  <MSFT:Value>1</MSFT:Value>
+                  <MSFT:ValueDescription>Allow</MSFT:ValueDescription>
+                </MSFT:Enum>
+              </MSFT:AllowedValues>
             </DFProperties>
-            <Node>
-              <NodeName>Type</NodeName>
-              <DFProperties>
-                <AccessType>
-                  <Get />
-                  <Replace />
-                </AccessType>
-                <DefaultValue>1</DefaultValue>
-                <Description>Specifies the action the rule enforces:
-0 - Block
-1 - Allow</Description>
-                <DFFormat>
-                  <int />
-                </DFFormat>
-                <Occurrence>
-                  <One />
-                </Occurrence>
-                <Scope>
-                  <Dynamic />
-                </Scope>
-                <DFType>
-                  <MIME />
-                </DFType>
-                <MSFT:AllowedValues ValueType="ENUM">
-                  <MSFT:Enum>
-                    <MSFT:Value>0</MSFT:Value>
-                    <MSFT:ValueDescription>Block</MSFT:ValueDescription>
-                  </MSFT:Enum>
-                  <MSFT:Enum>
-                    <MSFT:Value>1</MSFT:Value>
-                    <MSFT:ValueDescription>Allow</MSFT:ValueDescription>
-                  </MSFT:Enum>
-                </MSFT:AllowedValues>
-              </DFProperties>
-            </Node>
           </Node>
           <Node>
             <NodeName>Enabled</NodeName>
@@ -4785,7 +4773,7 @@ If not specified - a new rule is disabled by default.</Description>
               <AccessType>
                 <Get />
               </AccessType>
-              <Description>Provides information about the specific verrsion of the rule in deployment for monitoring purposes.</Description>
+              <Description>Provides information about the specific version of the rule in deployment for monitoring purposes.</Description>
               <DFFormat>
                 <chr />
               </DFFormat>
@@ -4840,62 +4828,8 @@ If not specified - a new rule is disabled by default.</Description>
               </MSFT:AllowedValues>
             </DFProperties>
           </Node>
-        </Node>
-      </Node>
-      <Node>
-        <NodeName>HyperVLoopbackRules</NodeName>
-        <DFProperties>
-          <AccessType>
-            <Get />
-          </AccessType>
-          <Description>A list of rules controlling loopback traffic through the Windows Firewall. This enforcement is only for traffic from one container to another or to the host device. These rules are all allow rules.</Description>
-          <DFFormat>
-            <node />
-          </DFFormat>
-          <Occurrence>
-            <ZeroOrOne />
-          </Occurrence>
-          <Scope>
-            <Permanent />
-          </Scope>
-          <DFType>
-            <DDFName />
-          </DFType>
-        </DFProperties>
-        <Node>
-          <NodeName>
-          </NodeName>
-          <DFProperties>
-            <AccessType>
-              <Add />
-              <Delete />
-              <Get />
-              <Replace />
-            </AccessType>
-            <Description>Unique alpha numeric identifier for the rule.  The rule name must not include a forward slash (/).</Description>
-            <DFFormat>
-              <node />
-            </DFFormat>
-            <Occurrence>
-              <ZeroOrMore />
-            </Occurrence>
-            <Scope>
-              <Dynamic />
-            </Scope>
-            <DFTitle>RuleName</DFTitle>
-            <DFType>
-              <DDFName />
-            </DFType>
-            <MSFT:DynamicNodeNaming>
-              <MSFT:ServerGeneratedUniqueIdentifier />
-            </MSFT:DynamicNodeNaming>
-            <MSFT:AllowedValues ValueType="RegEx">
-              <MSFT:Value>^[^|/]*$</MSFT:Value>
-            </MSFT:AllowedValues>
-            <MSFT:AtomicRequired />
-          </DFProperties>
           <Node>
-            <NodeName>SourceVMCreatorId</NodeName>
+            <NodeName>Name</NodeName>
             <DFProperties>
               <AccessType>
                 <Add />
@@ -4903,12 +4837,12 @@ If not specified - a new rule is disabled by default.</Description>
                 <Get />
                 <Replace />
               </AccessType>
-              <Description>This field specifies the VM Creator ID of the source of the traffic that this rule applies to. If not specified, this applies to All.</Description>
+              <Description>Specifies the friendly name of the Hyper-V Firewall rule.</Description>
               <DFFormat>
                 <chr />
               </DFFormat>
               <Occurrence>
-                <ZeroOrOne />
+                <One />
               </Occurrence>
               <Scope>
                 <Dynamic />
@@ -4916,96 +4850,6 @@ If not specified - a new rule is disabled by default.</Description>
               <DFType>
                 <MIME />
               </DFType>
-              <MSFT:AllowedValues ValueType="RegEx">
-                <MSFT:Value>\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}</MSFT:Value>
-              </MSFT:AllowedValues>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>DestinationVMCreatorId</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Add />
-                <Delete />
-                <Get />
-                <Replace />
-              </AccessType>
-              <Description>This field specifies the VM Creator ID of the destination of traffic that this rule applies to. If not specified, this applies to All.</Description>
-              <DFFormat>
-                <chr />
-              </DFFormat>
-              <Occurrence>
-                <ZeroOrOne />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME />
-              </DFType>
-              <MSFT:AllowedValues ValueType="RegEx">
-                <MSFT:Value>\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}</MSFT:Value>
-              </MSFT:AllowedValues>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>PortRanges</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Add />
-                <Delete />
-                <Get />
-                <Replace />
-              </AccessType>
-              <Description>Comma Separated list of ranges for eg. 100-120,200,300-320.  If not specified the default is All.</Description>
-              <DFFormat>
-                <chr />
-              </DFFormat>
-              <Occurrence>
-                <ZeroOrOne />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME />
-              </DFType>
-              <MSFT:AllowedValues ValueType="RegEx">
-                <MSFT:Value>^[0-9,-]+$</MSFT:Value>
-                <MSFT:List Delimiter="," />
-              </MSFT:AllowedValues>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>Enabled</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-                <Replace />
-              </AccessType>
-              <Description>Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default.</Description>
-              <DFFormat>
-                <bool />
-              </DFFormat>
-              <Occurrence>
-                <ZeroOrOne />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME />
-              </DFType>
-              <MSFT:AllowedValues ValueType="ENUM">
-                <MSFT:Enum>
-                  <MSFT:Value>0</MSFT:Value>
-                  <MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
-                </MSFT:Enum>
-                <MSFT:Enum>
-                  <MSFT:Value>1</MSFT:Value>
-                  <MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
-                </MSFT:Enum>
-              </MSFT:AllowedValues>
             </DFProperties>
           </Node>
         </Node>

windows/client-management/mdm/passportforwork-csp.md

@@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 04/26/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -445,7 +445,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to
 | Value | Description |
 |:--|:--|
 | 0 (Default) | Allows the use of digits in PIN. |
-| 1 | Requires the use of at least one digit in PIN. |
+| 1 | Requires the use of at least one digits in PIN. |
 | 2 | Does not allow the use of digits in PIN. |
 <!-- Device-{TenantId}-Policies-PINComplexity-Digits-AllowedValues-End -->
 
@@ -583,7 +583,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to
 | Value | Description |
 |:--|:--|
 | 0 (Default) | Allows the use of lowercase letters in PIN. |
-| 1 | Requires the use of at least one lowercase letter in PIN. |
+| 1 | Requires the use of at least one lowercase letters in PIN. |
 | 2 | Does not allow the use of lowercase letters in PIN. |
 <!-- Device-{TenantId}-Policies-PINComplexity-LowercaseLetters-AllowedValues-End -->
 
@@ -706,7 +706,7 @@ Minimum PIN length configures the minimum number of characters required for the
 
 <!-- Device-{TenantId}-Policies-PINComplexity-SpecialCharacters-Description-Begin -->
 <!-- Description-Source-DDF -->
-Use this policy setting to configure the use of special character in the Windows Hello for Business PIN gesture. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; `< = >` ? @ [ \ ] ^ _ ` { | } ~ .
+Use this policy setting to configure the use of special characters in the Windows Hello for Business PIN gesture. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; `< = >` ? @ [ \ ] ^ _ ` { | } ~ .
 
 A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN.
 
@@ -791,7 +791,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to
 | Value | Description |
 |:--|:--|
 | 0 (Default) | Allows the use of uppercase letters in PIN. |
-| 1 | Requires the use of at least one uppercase letter in PIN. |
+| 1 | Requires the use of at least one uppercase letters in PIN. |
 | 2 | Does not allow the use of uppercase letters in PIN. |
 <!-- Device-{TenantId}-Policies-PINComplexity-UppercaseLetters-AllowedValues-End -->
 
@@ -2027,7 +2027,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to
 | Value | Description |
 |:--|:--|
 | 0 (Default) | Allows the use of digits in PIN. |
-| 1 | Requires the use of at least one digit in PIN. |
+| 1 | Requires the use of at least one digits in PIN. |
 | 2 | Does not allow the use of digits in PIN. |
 <!-- User-{TenantId}-Policies-PINComplexity-Digits-AllowedValues-End -->
 
@@ -2165,7 +2165,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to
 | Value | Description |
 |:--|:--|
 | 0 (Default) | Allows the use of lowercase letters in PIN. |
-| 1 | Requires the use of at least one lowercase letter in PIN. |
+| 1 | Requires the use of at least one lowercase letters in PIN. |
 | 2 | Does not allow the use of lowercase letters in PIN. |
 <!-- User-{TenantId}-Policies-PINComplexity-LowercaseLetters-AllowedValues-End -->
 
@@ -2317,7 +2317,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to
 | Value | Description |
 |:--|:--|
 | 0 (Default) | Allows the use of special characters in PIN. |
-| 1 | Requires the use of at least one special character in PIN. |
+| 1 | Requires the use of at least one special characters in PIN. |
 | 2 | Does not allow the use of special characters in PIN. |
 <!-- User-{TenantId}-Policies-PINComplexity-SpecialCharacters-AllowedValues-End -->
 
@@ -2373,7 +2373,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to
 | Value | Description |
 |:--|:--|
 | 0 (Default) | Allows the use of uppercase letters in PIN. |
-| 1 | Requires the use of at least one uppercase letter in PIN. |
+| 1 | Requires the use of at least one uppercase letters in PIN. |
 | 2 | Does not allow the use of uppercase letters in PIN. |
 <!-- User-{TenantId}-Policies-PINComplexity-UppercaseLetters-AllowedValues-End -->
 

windows/client-management/mdm/personaldataencryption-ddf-file.md

@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -83,128 +83,6 @@ The following XML file contains the device description framework (DDF) for the P
         </MSFT:AllowedValues>
       </DFProperties>
     </Node>
-    <Node>
-      <NodeName>ProtectFolders</NodeName>
-      <DFProperties>
-        <AccessType>
-          <Get />
-        </AccessType>
-        <DFFormat>
-          <node />
-        </DFFormat>
-        <Occurrence>
-          <One />
-        </Occurrence>
-        <Scope>
-          <Permanent />
-        </Scope>
-        <DFType>
-          <DDFName />
-        </DFType>
-      </DFProperties>
-      <Node>
-        <NodeName>ProtectDocuments</NodeName>
-        <DFProperties>
-          <AccessType>
-            <Add />
-            <Delete />
-            <Get />
-            <Replace />
-          </AccessType>
-          <Description>Allows the Admin to enable PDE on Documents folder. Set to '1' to set this policy.</Description>
-          <DFFormat>
-            <int />
-          </DFFormat>
-          <Occurrence>
-            <One />
-          </Occurrence>
-          <Scope>
-            <Dynamic />
-          </Scope>
-          <DFType>
-            <MIME />
-          </DFType>
-          <MSFT:AllowedValues ValueType="ENUM">
-            <MSFT:Enum>
-              <MSFT:Value>0</MSFT:Value>
-              <MSFT:ValueDescription>Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.</MSFT:ValueDescription>
-            </MSFT:Enum>
-            <MSFT:Enum>
-              <MSFT:Value>1</MSFT:Value>
-              <MSFT:ValueDescription>Enable PDE on the folder.</MSFT:ValueDescription>
-            </MSFT:Enum>
-          </MSFT:AllowedValues>
-        </DFProperties>
-      </Node>
-      <Node>
-        <NodeName>ProtectDesktop</NodeName>
-        <DFProperties>
-          <AccessType>
-            <Add />
-            <Delete />
-            <Get />
-            <Replace />
-          </AccessType>
-          <Description>Allows the Admin to enable PDE on Desktop folder. Set to '1' to set this policy.</Description>
-          <DFFormat>
-            <int />
-          </DFFormat>
-          <Occurrence>
-            <One />
-          </Occurrence>
-          <Scope>
-            <Dynamic />
-          </Scope>
-          <DFType>
-            <MIME />
-          </DFType>
-          <MSFT:AllowedValues ValueType="ENUM">
-            <MSFT:Enum>
-              <MSFT:Value>0</MSFT:Value>
-              <MSFT:ValueDescription>Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.</MSFT:ValueDescription>
-            </MSFT:Enum>
-            <MSFT:Enum>
-              <MSFT:Value>1</MSFT:Value>
-              <MSFT:ValueDescription>Enable PDE on the folder.</MSFT:ValueDescription>
-            </MSFT:Enum>
-          </MSFT:AllowedValues>
-        </DFProperties>
-      </Node>
-      <Node>
-        <NodeName>ProtectPictures</NodeName>
-        <DFProperties>
-          <AccessType>
-            <Add />
-            <Delete />
-            <Get />
-            <Replace />
-          </AccessType>
-          <Description>Allows the Admin to enable PDE on Pictures folder. Set to '1' to set this policy.</Description>
-          <DFFormat>
-            <int />
-          </DFFormat>
-          <Occurrence>
-            <One />
-          </Occurrence>
-          <Scope>
-            <Dynamic />
-          </Scope>
-          <DFType>
-            <MIME />
-          </DFType>
-          <MSFT:AllowedValues ValueType="ENUM">
-            <MSFT:Enum>
-              <MSFT:Value>0</MSFT:Value>
-              <MSFT:ValueDescription>Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.</MSFT:ValueDescription>
-            </MSFT:Enum>
-            <MSFT:Enum>
-              <MSFT:Value>1</MSFT:Value>
-              <MSFT:ValueDescription>Enable PDE on the folder.</MSFT:ValueDescription>
-            </MSFT:Enum>
-          </MSFT:AllowedValues>
-        </DFProperties>
-      </Node>
-    </Node>
     <Node>
       <NodeName>Status</NodeName>
       <DFProperties>
@@ -245,66 +123,6 @@ The following XML file contains the device description framework (DDF) for the P
           </DFType>
         </DFProperties>
       </Node>
-      <Node>
-        <NodeName>FolderProtectionStatus</NodeName>
-        <DFProperties>
-          <AccessType>
-            <Get />
-          </AccessType>
-          <Description>This node reports folder protection status for a user. </Description>
-          <DFFormat>
-            <int />
-          </DFFormat>
-          <Occurrence>
-            <One />
-          </Occurrence>
-          <Scope>
-            <Permanent />
-          </Scope>
-          <DFType>
-            <MIME />
-          </DFType>
-          <MSFT:AllowedValues ValueType="ENUM">
-            <MSFT:Enum>
-              <MSFT:Value>0</MSFT:Value>
-              <MSFT:ValueDescription>Protection not started.</MSFT:ValueDescription>
-            </MSFT:Enum>
-            <MSFT:Enum>
-              <MSFT:Value>1</MSFT:Value>
-              <MSFT:ValueDescription>Protection is completed with no failures.</MSFT:ValueDescription>
-            </MSFT:Enum>
-            <MSFT:Enum>
-              <MSFT:Value>2</MSFT:Value>
-              <MSFT:ValueDescription>Protection in progress.</MSFT:ValueDescription>
-            </MSFT:Enum>
-            <MSFT:Enum>
-              <MSFT:Value>3</MSFT:Value>
-              <MSFT:ValueDescription>Protection failed.</MSFT:ValueDescription>
-            </MSFT:Enum>
-          </MSFT:AllowedValues>
-        </DFProperties>
-      </Node>
-      <Node>
-        <NodeName>FoldersProtected</NodeName>
-        <DFProperties>
-          <AccessType>
-            <Get />
-          </AccessType>
-          <Description>This node reports all folders (full path to each folder) that have been protected.</Description>
-          <DFFormat>
-            <chr />
-          </DFFormat>
-          <Occurrence>
-            <One />
-          </Occurrence>
-          <Scope>
-            <Permanent />
-          </Scope>
-          <DFType>
-            <MIME />
-          </DFType>
-        </DFProperties>
-      </Node>
     </Node>
   </Node>
 </MgmtTree>

windows/client-management/mdm/policies-in-policy-csp-admx-backed.md

@@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage

windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md

@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -340,9 +340,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [ClearTextPassword](policy-csp-devicelock.md)
 - [PasswordComplexity](policy-csp-devicelock.md)
 - [PasswordHistorySize](policy-csp-devicelock.md)
-- [AccountLockoutThreshold](policy-csp-devicelock.md)
-- [AccountLockoutDuration](policy-csp-devicelock.md)
-- [ResetAccountLockoutCounterAfter](policy-csp-devicelock.md)
 - [AllowAdministratorLockout](policy-csp-devicelock.md)
 
 ## Display
@@ -689,7 +686,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [StartLayout](policy-csp-start.md)
 - [ConfigureStartPins](policy-csp-start.md)
 - [HideRecommendedSection](policy-csp-start.md)
-- [HideRecoPersonalizedSites](policy-csp-start.md)
+- [HideRecommendedPersonalizedSites](policy-csp-start.md)
 - [HideTaskViewButton](policy-csp-start.md)
 - [DisableControlCenter](policy-csp-start.md)
 - [ForceStartSize](policy-csp-start.md)
@@ -700,7 +697,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [StartLayout](policy-csp-start.md)
 - [ConfigureStartPins](policy-csp-start.md)
 - [HideRecommendedSection](policy-csp-start.md)
-- [HideRecoPersonalizedSites](policy-csp-start.md)
+- [HideRecommendedPersonalizedSites](policy-csp-start.md)
 - [SimplifyQuickSettings](policy-csp-start.md)
 - [DisableEditingQuickSettings](policy-csp-start.md)
 - [HideTaskViewButton](policy-csp-start.md)
@@ -884,7 +881,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [DenyLogOnAsBatchJob](policy-csp-userrights.md)
 - [LogOnAsService](policy-csp-userrights.md)
 - [IncreaseProcessWorkingSet](policy-csp-userrights.md)
-- [DenyServiceLogonRight](policy-csp-userrights.md)
+- [DenyLogOnAsService](policy-csp-userrights.md)
 
 ## VirtualizationBasedTechnology
 
@@ -897,7 +894,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [NotifyMalicious](policy-csp-webthreatdefense.md)
 - [NotifyPasswordReuse](policy-csp-webthreatdefense.md)
 - [NotifyUnsafeApp](policy-csp-webthreatdefense.md)
-- [CaptureThreatWindow](policy-csp-webthreatdefense.md)
+- [AutomaticDataCollection](policy-csp-webthreatdefense.md)
 
 ## Wifi
 

windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md

@@ -24,14 +24,15 @@ ms.date: 02/03/2023
 - [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#preferredaadtenantdomainname)
 - [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode)
 - [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#localdevicename)
-- [Browser/AllowAutofill](policy-csp-browser.md#allowautofill)
-- [Browser/AllowCookies](policy-csp-browser.md#allowcookies)
-- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack)
-- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager)
-- [Browser/AllowPopups](policy-csp-browser.md#allowpopups)
-- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar)
-- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen)
+- [Browser/AllowAutofill](policy-csp-browser.md#allowautofill) <sup>13</sup>
+- [Browser/AllowCookies](policy-csp-browser.md#allowcookies) <sup>13</sup>
+- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack) <sup>13</sup>
+- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager) <sup>13</sup>
+- [Browser/AllowPopups](policy-csp-browser.md#allowpopups) <sup>13</sup>
+- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar) <sup>13</sup>
+- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen) <sup>13</sup>
 - [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth)
+- [Connectivity/AllowConnectedDevices](policy-csp-connectivity.md#allowconnecteddevices) <sup>12</sup>
 - [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#allowusbconnection)
 - [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#docachehost) <sup>10</sup>
 - [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#docachehostsource) <sup>10</sup>
@@ -66,7 +67,6 @@ ms.date: 02/03/2023
 - [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#configurentpclient) <sup>12</sup>
 - [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#disallownetworkconnectivitypassivepolling) <sup>12</sup>
 - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#fallbackdiagnostics) <sup>9</sup>
-- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#headtrackingmode) <sup>9</sup>
 - [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#manualdowndirectiondisabled) <sup>*[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)</sup>
 - [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#microphonedisabled) <sup>9</sup>
 - [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#ntpclientenabled) <sup>12</sup>
@@ -74,14 +74,13 @@ ms.date: 02/03/2023
 - [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#skiptrainingduringsetup) <sup>12</sup>
 - [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#visitorautologon) <sup>10</sup>
 - [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#volumebuttondisabled) <sup>9</sup>
-- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#displayofftimeoutonbattery) <sup>9</sup>
-- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#displayofftimeoutpluggedin) <sup>9</sup>
-- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#energysaverbatterythresholdonbattery) <sup>9</sup>
-- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#energysaverbatterythresholdpluggedin) <sup>9</sup>
-- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#standbytimeoutonbattery) <sup>9</sup>
-- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#standbytimeoutpluggedin) <sup>9</sup>
+- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#displayofftimeoutonbattery) <sup>9, 14</sup>
+- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#displayofftimeoutpluggedin) <sup>9, 14</sup>
+- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#energysaverbatterythresholdonbattery) <sup>9, 14</sup>
+- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#energysaverbatterythresholdpluggedin) <sup>9, 14</sup>
+- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#standbytimeoutonbattery) <sup>9, 14</sup>
+- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#standbytimeoutpluggedin) <sup>9, 14</sup>
 - [Privacy/AllowInputPersonalization](policy-csp-privacy.md#allowinputpersonalization)
-- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#disableprivacyexperience) <sup>Insider</sup>
 - [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#letappsaccessaccountinfo)
 - [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forceallowtheseapps)
 - [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forcedenytheseapps)
@@ -99,6 +98,9 @@ ms.date: 02/03/2023
 - [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_forcedenytheseapps) <sup>8</sup>
 - [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_userincontroloftheseapps) <sup>8</sup>
 - [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#letappsaccesslocation)
+- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](/windows/client-management/mdm/policy-csp-privacy) <sup>12</sup>
+- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy) <sup>12</sup>
+- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](/windows/client-management/mdm/policy-csp-privacy) <sup>12</sup>
 - [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#letappsaccessmicrophone)
 - [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forceallowtheseapps) <sup>8</sup>
 - [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forcedenytheseapps) <sup>8</sup>
@@ -115,10 +117,11 @@ ms.date: 02/03/2023
 - [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#configstoragesensecloudcontentdehydrationthreshold) <sup>12</sup>
 - [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#configstoragesensedownloadscleanupthreshold) <sup>12</sup>
 - [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#configstoragesenseglobalcadence) <sup>12</sup>
-- [System/AllowCommercialDataPipeline](policy-csp-system.md#allowcommercialdatapipeline)
 - [System/AllowLocation](policy-csp-system.md#allowlocation)
 - [System/AllowStorageCard](policy-csp-system.md#allowstoragecard)
 - [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
+- [System/ConfigureTelemetryOptInSettingsUx](/windows/client-management/mdm/policy-csp-system) <sup>12</sup>
+- [System/DisableDeviceDelete](/windows/client-management/mdm/policy-csp-system) <sup>12</sup>
 - [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#configuretimezone) <sup>9</sup>
 - [Update/ActiveHoursEnd](./policy-csp-update.md#activehoursend) <sup>9</sup>
 - [Update/ActiveHoursMaxRange](./policy-csp-update.md#activehoursmaxrange) <sup>9</sup>
@@ -160,8 +163,15 @@ Footnotes:
 - 10 - Available in [Windows Holographic, version 21H1](/hololens/hololens-release-notes#windows-holographic-version-21h1)
 - 11 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2)
 - 12 - Available in [Windows Holographic, version 22H2](/hololens/hololens-release-notes#windows-holographic-version-22h2)
+- 13 - Refer to [Configuring Policy Settings for the New Microsoft Edge](/hololens/hololens-new-edge#configuring-policy-settings-for-the-new-microsoft-edge)
+- 14 - Refer to [New Power Policies for Hololens 2](/hololens/hololens-release-notes-2004#new-power-policies-for-hololens-2)
 - Insider - Available in our current [HoloLens Insider builds](/hololens/hololens-insider).
 
 ## Related topics
 
 [Policy CSP](policy-configuration-service-provider.md)
+
+[Full HoloLens CSP Details](/windows/client-management/mdm/configuration-service-provider-support)
+
+
+

windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md

@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Windows 10 Team
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/28/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -257,6 +257,7 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
 
 ## Start
 
+- [HideRecommendedPersonalizedSites](policy-csp-start.md#hiderecommendedpersonalizedsites)
 - [StartLayout](policy-csp-start.md#startlayout)
 
 ## System

windows/client-management/mdm/policy-configuration-service-provider.md

@@ -4,7 +4,7 @@ description: Learn more about the Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 02/28/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage

windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md

@@ -115,6 +115,8 @@ Enabling or disabling this policy may lead to unexpected or unsupported behavior
 
 <!-- DisableAntiSpywareDefender-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
 <!-- DisableAntiSpywareDefender-Editable-End -->
 
 <!-- DisableAntiSpywareDefender-DFProperties-Begin -->
@@ -244,6 +246,8 @@ Real-time Protection -> Do not enable the "Turn off real-time protection" policy
 
 <!-- DisableBlockAtFirstSeen-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
 <!-- DisableBlockAtFirstSeen-Editable-End -->
 
 <!-- DisableBlockAtFirstSeen-DFProperties-Begin -->
@@ -366,6 +370,8 @@ Real-time protection consists of always-on scanning with file and process behavi
 
 <!-- DisableRealtimeMonitoring-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
 <!-- DisableRealtimeMonitoring-Editable-End -->
 
 <!-- DisableRealtimeMonitoring-DFProperties-Begin -->
@@ -426,6 +432,8 @@ This policy setting allows you to configure whether Microsoft Defender Antivirus
 
 <!-- DisableRoutinelyTakingAction-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
 <!-- DisableRoutinelyTakingAction-Editable-End -->
 
 <!-- DisableRoutinelyTakingAction-DFProperties-Begin -->
@@ -482,6 +490,8 @@ This policy setting allows you specify a list of file types that should be exclu
 
 <!-- Exclusions_Extensions-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> To prevent unauthorized changes to exclusions, apply tamper protection. Tamper protection for exclusions only works when [certain conditions][TAMPER-2] are met.
 <!-- Exclusions_Extensions-Editable-End -->
 
 <!-- Exclusions_Extensions-DFProperties-Begin -->
@@ -538,6 +548,8 @@ This policy setting allows you to disable scheduled and real-time scanning for f
 
 <!-- Exclusions_Paths-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> To prevent unauthorized changes to exclusions, apply tamper protection. Tamper protection for exclusions only works when [certain conditions][TAMPER-2] are met.
 <!-- Exclusions_Paths-Editable-End -->
 
 <!-- Exclusions_Paths-DFProperties-Begin -->
@@ -594,6 +606,8 @@ This policy setting allows you to disable real-time scanning for any file opened
 
 <!-- Exclusions_Processes-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> To prevent unauthorized changes to exclusions, apply tamper protection. Tamper protection for exclusions only works when [certain conditions][TAMPER-2] are met.
 <!-- Exclusions_Processes-Editable-End -->
 
 <!-- Exclusions_Processes-DFProperties-Begin -->
@@ -1577,6 +1591,8 @@ This policy setting allows you to configure behavior monitoring.
 
 <!-- RealtimeProtection_DisableBehaviorMonitoring-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
 <!-- RealtimeProtection_DisableBehaviorMonitoring-Editable-End -->
 
 <!-- RealtimeProtection_DisableBehaviorMonitoring-DFProperties-Begin -->
@@ -1637,6 +1653,8 @@ This policy setting allows you to configure scanning for all downloaded files an
 
 <!-- RealtimeProtection_DisableIOAVProtection-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
 <!-- RealtimeProtection_DisableIOAVProtection-Editable-End -->
 
 <!-- RealtimeProtection_DisableIOAVProtection-DFProperties-Begin -->
@@ -1697,6 +1715,8 @@ This policy setting allows you to configure monitoring for file and program acti
 
 <!-- RealtimeProtection_DisableOnAccessProtection-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
 <!-- RealtimeProtection_DisableOnAccessProtection-Editable-End -->
 
 <!-- RealtimeProtection_DisableOnAccessProtection-DFProperties-Begin -->
@@ -1817,6 +1837,8 @@ This policy setting allows you to configure process scanning when real-time prot
 
 <!-- RealtimeProtection_DisableScanOnRealtimeEnable-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
 <!-- RealtimeProtection_DisableScanOnRealtimeEnable-Editable-End -->
 
 <!-- RealtimeProtection_DisableScanOnRealtimeEnable-DFProperties-Begin -->
@@ -2540,6 +2562,8 @@ Use this policy setting to specify if you want Microsoft Defender Antivirus enha
 
 <!-- Reporting_DisableEnhancedNotifications-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
 <!-- Reporting_DisableEnhancedNotifications-Editable-End -->
 
 <!-- Reporting_DisableEnhancedNotifications-DFProperties-Begin -->
@@ -3069,6 +3093,8 @@ This policy setting allows you to configure scans for malicious software and unw
 
 <!-- Scan_DisableArchiveScanning-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
 <!-- Scan_DisableArchiveScanning-Editable-End -->
 
 <!-- Scan_DisableArchiveScanning-DFProperties-Begin -->
@@ -5551,6 +5577,8 @@ Use this policy setting to specify if you want Microsoft Defender Antivirus noti
 
 <!-- UX_Configuration_Notification_Suppress-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
 <!-- UX_Configuration_Notification_Suppress-Editable-End -->
 
 <!-- UX_Configuration_Notification_Suppress-DFProperties-Begin -->
@@ -5609,6 +5637,8 @@ If you enable this setting AM UI won't show reboot notifications.
 
 <!-- UX_Configuration_SuppressRebootNotification-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
 <!-- UX_Configuration_SuppressRebootNotification-Editable-End -->
 
 <!-- UX_Configuration_SuppressRebootNotification-DFProperties-Begin -->
@@ -5702,6 +5732,9 @@ If you enable this setting AM UI won't be available to users.
 
 <!-- ADMX_MicrosoftDefenderAntivirus-CspMoreInfo-Begin -->
 <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- Links -->
+[TAMPER-1]: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
+[TAMPER-2]: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-about-exclusions
 <!-- ADMX_MicrosoftDefenderAntivirus-CspMoreInfo-End -->
 
 <!-- ADMX_MicrosoftDefenderAntivirus-End -->

windows/client-management/mdm/policy-csp-admx-sharedfolders.md

@@ -4,7 +4,7 @@ description: Learn more about the ADMX_SharedFolders Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -31,7 +31,7 @@ ms.topic: reference
 <!-- PublishDfsRoots-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
 <!-- PublishDfsRoots-Applicability-End -->
 
 <!-- PublishDfsRoots-OmaUri-Begin -->

windows/client-management/mdm/policy-csp-audit.md

@@ -4,7 +4,7 @@ description: Learn more about the Audit Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 04/14/2023
+ms.date: 04/26/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -843,7 +843,7 @@ Volume: Low.
 
 <!-- AccountLogonLogoff_AuditSpecialLogon-Description-Begin -->
 <!-- Description-Source-DDF -->
-This policy setting allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121697).
+This policy setting allows you to audit events generated by special logons such as the following : The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121697).
 <!-- AccountLogonLogoff_AuditSpecialLogon-Description-End -->
 
 <!-- AccountLogonLogoff_AuditSpecialLogon-Editable-Begin -->