From 4b305aed198892b27a12d2bba52a5e678980d150 Mon Sep 17 00:00:00 2001
From: Andrea Allievi
Date: Tue, 17 Sep 2024 08:58:12 -0700
Subject: [PATCH 01/13] Add a brief explanation of the VBS Mandatory mode
Update the public documentation to include VBS Mandatory mode
---
...rtualization-based-protection-of-code-integrity.md | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
index a5cd24d3c9..a475864ad7 100644
--- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
@@ -61,7 +61,7 @@ To apply the new policy on a domain-joined computer, either restart or run `gpup
### Use registry keys to enable memory integrity
-Set the following registry keys to enable memory integrity. These keys provide exactly the same set of configuration options provided by Group Policy.
+Set the following registry keys to enable memory integrity. These keys provide similar set of configuration options provided by Group Policy
> [!IMPORTANT]
>
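Review bot: The reworded sentence under "Use registry keys to enable memory integrity" is ungrammatical and loses its closing period: "These keys provide similar set of configuration options provided by Group Policy". Suggest "These keys provide a similar set of configuration options to those provided by Group Policy." Because the claim is weakened from "exactly the same" to "similar", it should also say what differs. If the difference is the Mandatory value added later in this patch, state that here so readers know which setting is registry-only.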
@@ -95,7 +95,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
```
-**To enable VBS with Secure Boot and DMA (value 3)**
+**To enable VBS with Secure Boot and DMA protection (value 3)**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
@@ -131,6 +131,13 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
```
+**To enable VBS (and memory integrity) in mandatory mode**
+
+```console
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f
+```
+The "mandatory" setting prevents the OS loader to continue to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load. Special careful should be used before enabling this mode, since, as explained, in case of any failure of the virtualization modules, the system will refuse to boot and will display a Blue Screen of Dead (BSOD).
+
**To gray out the memory integrity UI and display the message "This setting is managed by your administrator"**
```console
reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f
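Review bot: The paragraph added after the Mandatory command has three wording errors and puts a boot-failure warning in ordinary body text. "prevents the OS loader to continue to boot" should be "from continuing to boot", "Special careful" should be "Special care", and "Blue Screen of Dead" should be "Blue Screen of Death". Move the warning into an [!IMPORTANT] callout like the one this file already uses, and add a blank line between the closing fence and the paragraph. The heading promises "VBS (and memory integrity) in mandatory mode", but the command sets only the Mandatory value, so state which of the values from the preceding blocks must already be set. The text also gives no way to recover a machine that refuses to boot, which is the first thing an administrator will need.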
From f4c1c7bd94b69a890bcc52fafd792fe5c073a43f Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Tue, 17 Sep 2024 09:25:30 -0700
Subject: [PATCH 02/13] Pulling for Resolve policy conflicts revamp
---
windows/deployment/windows-autopatch/TOC.yml | 9 ++-------
.../overview/windows-autopatch-overview.md | 2 +-
.../whats-new/windows-autopatch-whats-new-2024.md | 1 -
3 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index 77dee52f84..30052f5291 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -118,13 +118,8 @@
href: monitor/windows-autopatch-reliability-report.md
- name: Windows feature and quality update device alerts
href: monitor/windows-autopatch-device-alerts.md
- - name: Policy health
- href:
- items:
- - name: Policy health and remediation
- href: monitor/windows-autopatch-policy-health-and-remediation.md
- - name: Resolve policy conflicts
- href: monitor/windows-autopatch-resolve-policy-conflicts.md
+ - name: Policy health and remediation
+ href: monitor/windows-autopatch-policy-health-and-remediation.md
- name: Maintain the Windows Autopatch environment
href: monitor/windows-autopatch-maintain-environment.md
- name: References
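Review bot: The TOC entry for monitor/windows-autopatch-resolve-policy-conflicts.md is dropped in this hunk, but the diffstat lists only three files and the article is not one of them, so the page stays published with no navigation path to it. Either delete the article with a redirect in the same change, or say in the commit message that it is kept on purpose while the revamp is in progress.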
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index 895f352119..56b1ee39cf 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -63,7 +63,7 @@ In addition to the features included in [Business Premium and A3+ licenses](#bus
| [Microsoft 365 Apps for enterprise updates](../manage/windows-autopatch-microsoft-365-apps-enterprise.md) | Windows Autopatch aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC). |
| [Microsoft Edge updates](../manage/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. |
| [Microsoft Teams updates](../manage/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. |
-| Policy health |- [Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md)
- When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch raises alerts and detailed recommended actions to ensure healthy operation of the service.
- [Resolve policy conflicts](../monitor/windows-autopatch-resolve-policy-conflicts.md)
- o When the Windows Autopatch service detects policies in the tenant that conflict with a setting in another Intune device policy, this conflict is displayed. With the Resolve policy conflicts feature, you can review the policies and their settings and manually resolve these conflicts.
|
+| [Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md) | When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch raises alerts and detailed recommended actions to ensure healthy operation of the service. |
| Enhanced [Windows quality and feature update reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md) and [device alerts](../monitor/windows-autopatch-device-alerts.md) | Using Windows quality and feature update reports, you can monitor and remediate Windows Autopatch managed devices that are Not up to Date and resolve any device alerts to bring Windows Autopatch managed devices back into compliance. |
| [Submit support requests](../manage/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team | When you activate additional Autopatch features, you can submit, manage, and edit support requests. |
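Review bot: The replacement row carries over a sentence that does not parse: "detects policies in the tenant are either missing or modified that affects the service". Suggest "detects that policies in the tenant are missing or have been modified in a way that affects the service", and "raises alerts with detailed recommended actions" in place of "raises alerts and detailed recommended actions".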
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
index b75a492001..8f27de3c27 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
@@ -36,7 +36,6 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Article | Description |
| ----- | ----- |
| [Reliability report](../operate/windows-autopatch-reliability-report.md) | Added the [Reliability report](../operate/windows-autopatch-reliability-report.md) feature |
-| [Resolve policy conflicts](../operate/windows-autopatch-resolve-policy-conflicts.md) | Added the [Resolve policy conflicts](../operate/windows-autopatch-resolve-policy-conflicts.md) feature |
## February 2024
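Review bot: Deleting the "Resolve policy conflicts" row removes a past announcement from the what's-new history without recording that the feature was pulled, so readers who saw the earlier entry get no explanation. Consider replacing it with a row that notes the removal. The remaining Reliability report row also links under ../operate/, while TOC.yml in this same commit places that article under monitor/, so the link is worth checking while this table is open.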
From 3ff03435844d867cb61088bd1dbd97b0458c6580 Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Tue, 17 Sep 2024 11:23:33 -0600
Subject: [PATCH 03/13] Update
windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
---
...ble-virtualization-based-protection-of-code-integrity.md | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
index a475864ad7..b9a587d0b8 100644
--- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
@@ -136,7 +136,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f
```
-The "mandatory" setting prevents the OS loader to continue to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load. Special careful should be used before enabling this mode, since, as explained, in case of any failure of the virtualization modules, the system will refuse to boot and will display a Blue Screen of Dead (BSOD).
+
+The **Mandatory** setting prevents the OS loader to continue to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load.
+
+> [!IMPORTANT]
+> Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot and will display a Blue Screen of Dead (BSOD).
**To gray out the memory integrity UI and display the message "This setting is managed by your administrator"**
```console
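Review bot: The new [!IMPORTANT] callout still says "Blue Screen of Dead (BSOD)", which should be "Blue Screen of Death", and the sentence above it still reads "prevents the OS loader to continue to boot" where "from continuing to boot" is correct. Since the callout warns that the system will refuse to boot, add one sentence on how to recover (for example, where the Mandatory value can be cleared), which the text does not give.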
From 3703e1581a3cfdc6253569a562531483da64a34a Mon Sep 17 00:00:00 2001
From: Ruriko Hatashima <77307447+ruhatash@users.noreply.github.com>
Date: Wed, 18 Sep 2024 09:06:30 +0900
Subject: [PATCH 04/13] Update windows-enterprise-e3-overview.md
Delete Device Guard information as this feature can be used on Pro edition.
---
.../windows-enterprise-e3-overview.md | 23 -------------------
1 file changed, 23 deletions(-)
diff --git a/windows/deployment/windows-enterprise-e3-overview.md b/windows/deployment/windows-enterprise-e3-overview.md
index f4532464b5..5d58a929ec 100644
--- a/windows/deployment/windows-enterprise-e3-overview.md
+++ b/windows/deployment/windows-enterprise-e3-overview.md
@@ -66,7 +66,6 @@ Windows Enterprise edition has many features that are unavailable in Windows Pro
|Feature|Description|
|--- |--- |
|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.
Credential Guard has the following features:- **Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.
- **Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.
- **Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.
- **Improved manageability** - Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.
For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).
*Credential Guard requires - UEFI 2.3.1 or greater with Trusted Boot
- Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled
- x64 version of Windows
- IOMMU, such as Intel VT-d, AMD-Vi
- BIOS Lockdown
- TPM 2.0 recommended for device health attestation (uses software if TPM 2.0 not present)*
|
-|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they're much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.
Device Guard protects in the following ways: - Helps protect against malware
- Helps protect the Windows system core from vulnerability and zero-day exploits
- Allows only trusted apps to run
For more information, see [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.
For more information, see [Getting started with App-V for Windows client](/microsoft-desktop-optimization-pack/app-v/appv-for-windows).|
|User Experience Virtualization (UE-V)|With this feature, user-customized Windows and application settings can be captured and stored on a centrally managed network file share.
When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign into.
UE-V provides the following features: - Specify which application and Windows settings synchronize across user devices
- Deliver the settings anytime and anywhere users work throughout the enterprise
- Create custom templates for line-of-business applications
- Recover settings after hardware replacement or upgrade, or after reimaging a virtual machine to its initial state
For more information, see [User Experience Virtualization (UE-V) overview](/microsoft-desktop-optimization-pack/ue-v/uev-for-windows).|
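Review bot: Removing the Device Guard row leaves a dangling mention in the Credential Guard row directly above it: "Credential Guard works with other technologies (for example, Device Guard)". This page no longer introduces the feature, so either link that mention to the Device Guard article the deleted row pointed to or reword it.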
@@ -106,28 +105,6 @@ For more information about implementing Credential Guard, see the following reso
- [Security considerations for Original Equipment Manufacturers](/windows-hardware/design/device-experiences/oem-security-considerations)
- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)
-### Device Guard
-
-Now that the devices have Windows Enterprise, Device Guard can be implemented on the Windows Enterprise devices by performing the following steps:
-
-1. **Optionally, create a signing certificate for code integrity policies**. As code integrity policies are deployed, catalog files or code integrity policies might need to be signed internally. To sign catalog files or code integrity policies internally, either a publicly issued code signing certificate (normally purchase) or an internal certificate authority (CA) is needed. If an internal CA is chosen, a code signing certificate needs to be created.
-
-2. **Create code integrity policies from "golden" computers**. Departments or roles sometimes use distinctive or partly distinctive sets of hardware and software. In these instances, "golden" computers containing the software and hardware for these departments or roles can be set up. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, a code integrity policy can be created and then decided how to manage that policy. Code integrity policies can be merged to create a broader policy or a primary policy, or each policy can be managed and deployed individually.
-
-3. **Audit the code integrity policy and capture information about applications that are outside the policy**. Microsoft recommends using "audit mode" to carefully test each code integrity policy before enforcing it. With audit mode, no application is blocked. The policy just logs an event whenever an application outside the policy is started. Later, the policy can be expanded to allow these applications, as needed.
-
-4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for the unsigned LOB applications. In later steps, the catalog file's signature can be merged into the code integrity policy so that the policy allows applications in the catalog.
-
-5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log. Once the information is captured, merge that information into the existing policy. Code integrity policies can also be merged from other sources, which allow flexibility in creating the final code integrity policies.
-
-6. **Deploy code integrity policies and catalog files**. After confirming that all the preceding steps are completed, catalog files can be deployed and the code integrity policies can be taken out of audit mode. Microsoft strongly recommends beginning this process with a test group of users. Testing provides a final quality-control validation before deploying the catalog files and code integrity policies more broadly.
-
-7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies.
-
-For more information about implementing Device Guard, see:
-
-- [Windows Defender Application Control and virtualization-based protection of code integrity](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
-- [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
### AppLocker management
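Review bot: Deleting the whole "### Device Guard" section breaks any inbound link to that heading anchor and removes the page's only deployment pointers, while the context line above still lists the "Device Guard and Credential Guard hardware readiness tool". The commit message gives edition availability as the reason, which supports taking the feature out of an Enterprise-only list but not dropping the guidance. Consider leaving a one-line pointer to the deployment guide, and search the repo for links to this heading before merging.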
From 5731ebc30f48c9d479d229676941511abb1a20ff Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Thu, 19 Sep 2024 13:44:40 -0600
Subject: [PATCH 05/13] Update
enable-virtualization-based-protection-of-code-integrity.md
---
.../enable-virtualization-based-protection-of-code-integrity.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
index b9a587d0b8..d8f4c55cfc 100644
--- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
@@ -140,7 +140,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t RE
The **Mandatory** setting prevents the OS loader to continue to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load.
> [!IMPORTANT]
-> Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot and will display a Blue Screen of Dead (BSOD).
+> Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot.
**To gray out the memory integrity UI and display the message "This setting is managed by your administrator"**
```console
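Review bot: With the BSOD wording removed, the callout now says only that "the system will refuse to boot", with nothing about what the operator sees or how to return to a bootable state. Replace the deleted clause with the actual symptom and a recovery step, not just a shorter warning. The unchanged sentence above still has "prevents the OS loader to continue to boot", which could be fixed in this same edit.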
From 60c822f01b3accf63afe730e23c71ec9624f2e5b Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Thu, 19 Sep 2024 14:23:44 -0600
Subject: [PATCH 06/13] Update
enable-virtualization-based-protection-of-code-integrity.md
---
.../enable-virtualization-based-protection-of-code-integrity.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
index d8f4c55cfc..b686fb205c 100644
--- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
@@ -137,7 +137,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f
```
-The **Mandatory** setting prevents the OS loader to continue to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load.
+The **Mandatory** setting prevents the OS loader from continuing to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load.
> [!IMPORTANT]
> Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot.
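Review bot: "in case" on the changed line reads as a precaution, not a condition; "if the hypervisor, secure kernel, or one of their dependent modules fails to load" is clearer and adds the serial comma. The callout below has the same pattern in "in case of any failure of the virtualization modules", which would read better as "if any virtualization module fails to load".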
From e7052ab8db0266b8612a9f62e73d53f905110ec1 Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Mon, 23 Sep 2024 16:33:15 -0700
Subject: [PATCH 07/13] Update privacy.microsoft.com URLs
---
...ndows-diagnostic-data-in-your-organization.md | 6 +++---
...ng-system-components-to-microsoft-services.md | 2 +-
.../privacy/windows-privacy-compliance-guide.md | 16 ++++++++--------
3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 8747c838f4..71ccd2f1d9 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -137,11 +137,11 @@ This approach is the most complex because it requires the following configuratio
### Data access
-The principle of least privileged access guides access to Windows diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement). Microsoft may share business reports with hardware manufacturers and third-party partners that include aggregated and deidentified diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
+The principle of least privileged access guides access to Windows diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://www.microsoft.com/privacy/privacystatement). Microsoft may share business reports with hardware manufacturers and third-party partners that include aggregated and deidentified diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
### Retention
-Microsoft believes in and practices data minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. For more information on how long data is retained, see the section named **Our retention of personal data** in the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement).
+Microsoft believes in and practices data minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. For more information on how long data is retained, see the section named **Our retention of personal data** in the [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement).
## Diagnostic data settings
@@ -316,7 +316,7 @@ The Windows diagnostic data processor configuration enables you to be the contro
- The device must be joined to Azure Active Directory (can be a hybrid Azure AD join).
> [!NOTE]
-> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
+> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
For the best experience, use the most current build of any operating system specified above. Configuration functionality and availability may vary on older systems. For release information, see [Windows 10 Enterprise and Education](/lifecycle/products/windows-10-enterprise-and-education) and [Windows 11 Enterprise and Education](/lifecycle/products/windows-11-enterprise-and-education) on the Microsoft Lifecycle Policy site.
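Review bot: The changed [!NOTE] line still says "Azure AD tenant", and the context bullet above it says "Azure Active Directory"; as the line is being edited anyway, update the naming to Microsoft Entra ID, the current product name. The sentence also runs two clauses together at "and the [Data Protection Addendum] ... terms won't apply"; a comma before "and" makes clear that the Addendum is the subject of a new clause and not a second object of "in accordance with".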
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index ce375a294b..2a1eec8490 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1616,7 +1616,7 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command.
### 23. Wi-Fi Sense
> [!IMPORTANT]
-> Beginning with Windows 10, version 1803, Wi-Fi Sense is no longer available. The following section only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) for more details.
+> Beginning with Windows 10, version 1803, Wi-Fi Sense is no longer available. The following section only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://support.microsoft.com/windows/bcec4e8b-00e7-4930-d3ff-5349a3e70037) for more details.
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
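Review bot: The replacement link on the changed [!IMPORTANT] line is a bare GUID URL (https://support.microsoft.com/windows/bcec4e8b-00e7-4930-d3ff-5349a3e70037) with no readable slug, so a reviewer cannot tell from the diff that it points to the same article. Confirm it resolves to "Connecting to open Wi-Fi hotspots in Windows 10", as the link text says, and use the slugged form of the URL if one exists.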
diff --git a/windows/privacy/windows-privacy-compliance-guide.md b/windows/privacy/windows-privacy-compliance-guide.md
index c6ccfd9bec..a9e9d5b36d 100644
--- a/windows/privacy/windows-privacy-compliance-guide.md
+++ b/windows/privacy/windows-privacy-compliance-guide.md
@@ -44,11 +44,11 @@ The following table provides an overview of the Windows 10 and Windows 11 privac
| Feature/Setting | Description | Supporting content | Privacy statement |
| --- | --- | --- | --- |
-| Diagnostic Data | Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft to quickly identify and address issues affecting its customers.
Diagnostic data is categorized into the following:
- **Required diagnostic data**
Required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md). - **Optional diagnostic data**
Optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./optional-diagnostic-data.md).
| [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)
[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
-| Inking & typing | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
-| Location | Get location-based experiences like directions and weather. Let Windows and apps request your location and allow Microsoft to use your location data to improve location services. | [Learn more](https://support.microsoft.com/help/4468240/windows-10-location-service-and-privacy) |[Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) |
-| Find my device | Use your device’s location data to help you find your device if you lose it. | [Learn more](https://support.microsoft.com/help/11579/microsoft-account-find-and-lock-lost-windows-device) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) |
-| Tailored Experiences | Let Microsoft offer you tailored experiences based on the diagnostic data you choose to send. Tailored experiences include personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
+| Diagnostic Data | Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft to quickly identify and address issues affecting its customers.
Diagnostic data is categorized into the following:
- **Required diagnostic data**
Required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md). - **Optional diagnostic data**
Optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./optional-diagnostic-data.md).
| [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)
[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://www.microsoft.com/privacy/privacystatement#maindiagnosticsmodule) |
+| Inking & typing | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://www.microsoft.com/privacy/privacystatement#maindiagnosticsmodule) |
+| Location | Get location-based experiences like directions and weather. Let Windows and apps request your location and allow Microsoft to use your location data to improve location services. | [Learn more](https://support.microsoft.com/help/4468240/windows-10-location-service-and-privacy) |[Privacy Statement](https://www.microsoft.com/privacy/privacystatement#mainlocationservicesmotionsensingmodule) |
+| Find my device | Use your device’s location data to help you find your device if you lose it. | [Learn more](https://support.microsoft.com/help/11579/microsoft-account-find-and-lock-lost-windows-device) | [Privacy Statement](https://www.microsoft.com/privacy/privacystatement#mainlocationservicesmotionsensingmodule) |
+| Tailored Experiences | Let Microsoft offer you tailored experiences based on the diagnostic data you choose to send. Tailored experiences include personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://www.microsoft.com/privacy/privacystatement#maindiagnosticsmodule) |
| Advertising Id | Apps can use advertising ID to provide more personalized advertising in accordance with the privacy policy of the app provider. | [Learn more](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) | [Privacy statement](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) |
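Review bot: In the unchanged Advertising Id row that closes this hunk, the last column is labelled "Privacy statement" but links to the same support.microsoft.com/help/4459081 article as its "Learn more" column, while every other row links that column to www.microsoft.com/privacy/privacystatement. Since this patch is normalizing the privacy statement URLs in this table, point that cell at the privacy statement as well and capitalize the label "Privacy Statement" like the other rows.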
@@ -201,7 +201,7 @@ If a user signs in to a Windows experience or app on their device with their Mic
Microsoft complies with applicable law regarding the collection, use, and retention of personal information, including its transfer across borders.
-Microsoft’s [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) provides details on how we store and process personal data.
+Microsoft’s [Privacy Statement](https://www.microsoft.com/privacy/privacystatement#mainwherewestoreandprocessdatamodule) provides details on how we store and process personal data.
## 5. Related Windows product considerations
@@ -243,7 +243,7 @@ Microsoft Intune is a cloud-based endpoint management solution. It manages user
* [Microsoft Trust Center: GDPR Overview](https://www.microsoft.com/trust-center/privacy/gdpr-overview)
* [Microsoft Trust Center: Privacy at Microsoft](https://www.microsoft.com/trust-center/privacy)
* [Windows IT Pro Docs](/windows/#pivot=it-pro)
-* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
+* [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement)
* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
-* [Privacy at Microsoft](https://privacy.microsoft.com/privacy-report)
+* [Privacy at Microsoft](https://www.microsoft.com/privacy)
* [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)
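Review bot: The "Privacy at Microsoft" entry changes its target, not just its host: the old link went to /privacy-report and the new one goes to the https://www.microsoft.com/privacy landing page, whereas the other replacements in this patch keep their path and anchor. If the privacy report is still the intended destination, link to its new location; if not, consider renaming the entry, because the list already contains "Microsoft Trust Center: Privacy at Microsoft" a few lines up.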
From fc83be1c9bab4ec1bcc67377f9505fd50646e25d Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Mon, 23 Sep 2024 16:44:26 -0700
Subject: [PATCH 08/13] Minor wording change
---
windows/privacy/windows-privacy-compliance-guide.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/windows-privacy-compliance-guide.md b/windows/privacy/windows-privacy-compliance-guide.md
index a9e9d5b36d..753c45f0c8 100644
--- a/windows/privacy/windows-privacy-compliance-guide.md
+++ b/windows/privacy/windows-privacy-compliance-guide.md
@@ -201,7 +201,7 @@ If a user signs in to a Windows experience or app on their device with their Mic
Microsoft complies with applicable law regarding the collection, use, and retention of personal information, including its transfer across borders.
-Microsoft’s [Privacy Statement](https://www.microsoft.com/privacy/privacystatement#mainwherewestoreandprocessdatamodule) provides details on how we store and process personal data.
+The [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement#mainwherewestoreandprocessdatamodule) provides details on how we store and process personal data.
## 5. Related Windows product considerations
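Review bot: The rewritten sentence now opens in the third person ("The Microsoft Privacy Statement") but still ends with "how we store and process personal data", and the line before it says "Microsoft complies". Suggest "how Microsoft stores and processes personal data" so the paragraph keeps one voice.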
From 5b1ece53ad037ab10eac0dcef5cacad4abde9d65 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Tue, 24 Sep 2024 08:57:15 -0400
Subject: [PATCH 09/13] update to include new disk encryption policy in Intune.
---
.../personal-data-encryption/configure.md | 17 ++++++++++++++++-
.../personal-data-encryption/faq.yml | 2 +-
.../personal-data-encryption/index.md | 2 +-
3 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
index 02b20cfc2d..0f5a5561b9 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
@@ -2,7 +2,7 @@
title: PDE settings and configuration
description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
ms.topic: how-to
-ms.date: 05/06/2024
+ms.date: 09/24/2024
---
# PDE settings and configuration
@@ -36,6 +36,21 @@ The following table lists the recommended settings to improve PDE's security.
## Configure PDE with Microsoft Intune
+If you use Microsoft Intune to manage your devices, you can configure PDE using a disk encryption policy, a settings catalog policy, or a custom profile.
+
+### Disk encryption policy
+
+To configure devices using a [disk encryption policy](/mem/intune/protect/endpoint-security-disk-encryption-policy), go to **Endpoint security** > **Disk encryption** and select **Create policy**:
+
+- **Platform** > **Windows**
+- **Profile** > **Personal Data Encryption**
+
+Provide a name, and select **Next**. In the **Configuration settings** page, select **Enable Personal Data Encryption** and configure the settings as needed.
+
+Assign the policy to a group that contains as members the devices or users that you want to configure.
+
+### Settings catalog policy
+
[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
| Category | Setting name | Value |
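Review bot: The new intro promises three options ("a disk encryption policy, a settings catalog policy, or a custom profile"), but this hunk adds headings only for the first two; make sure the custom profile path gets a matching heading or link under this section. In the disk encryption steps, "configure the settings as needed" gives no pointer to the recommended settings table that sits just above this section, so link to it there; otherwise an admin can enable PDE without the hardening settings. Minor: "In the **Configuration settings** page" should read "On the".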
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
index cc6278f590..8aeed21090 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
@@ -4,7 +4,7 @@ metadata:
title: Frequently asked questions for Personal Data Encryption (PDE)
description: Answers to common questions regarding Personal Data Encryption (PDE).
ms.topic: faq
- ms.date: 05/06/2024
+ ms.date: 09/24/2024
title: Frequently asked questions for Personal Data Encryption (PDE)
summary: |
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
index f0f3e1f99f..7e28595993 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
@@ -2,7 +2,7 @@
title: Personal Data Encryption (PDE)
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
ms.topic: how-to
-ms.date: 05/06/2024
+ms.date: 09/24/2024
---
# Personal Data Encryption (PDE)
From c156e1cb950ef34f865c939f045ce22a88bfa23a Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Tue, 24 Sep 2024 09:22:20 -0400
Subject: [PATCH 10/13] added disablement steps
---
.../personal-data-encryption/configure.md | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
index 0f5a5561b9..34c2ed5f4a 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
@@ -95,6 +95,17 @@ Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE
Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps.
+### Disable PDE with a disk encryption policy
+
+To disable PDE devices using a [disk encryption policy](/mem/intune/protect/endpoint-security-disk-encryption-policy), go to **Endpoint security** > **Disk encryption** and select **Create policy**:
+
+- **Platform** > **Windows**
+- **Profile** > **Personal Data Encryption**
+
+Provide a name, and select **Next**. In the **Configuration settings** page, select **Disable Personal Data Encryption**.
+
+Assign the policy to a group that contains as members the devices or users that you want to configure.
+
### Disable PDE with a settings catalog policy in Intune
[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
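Review bot: "To disable PDE devices using" is missing a word and should read "To disable PDE on devices using". The steps also tell the reader to select **Create policy** with the same Platform and Profile that the enable procedure uses, without saying what to do with the existing enable policy; state whether to edit or unassign that policy first, so a device is not targeted by both an enable and a disable setting.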
From 867d241dd4558f90622f5423dfd941112cd1be66 Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Tue, 24 Sep 2024 13:25:10 -0700
Subject: [PATCH 11/13] Updated required endpoints
---
...-autopatch-required-graph-api-endpoints.md | 28 +++++++++++++++++++
...d-firmware-update-programmatic-controls.md | 7 ++++-
...ws-feature-update-programmatic-controls.md | 7 ++++-
...ws-quality-update-programmatic-controls.md | 7 ++++-
.../windows-autopatch-configure-network.md | 4 +--
5 files changed, 48 insertions(+), 5 deletions(-)
create mode 100644 windows/deployment/windows-autopatch/includes/windows-autopatch-required-graph-api-endpoints.md
diff --git a/windows/deployment/windows-autopatch/includes/windows-autopatch-required-graph-api-endpoints.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-required-graph-api-endpoints.md
new file mode 100644
index 0000000000..ec3fc85cbe
--- /dev/null
+++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-required-graph-api-endpoints.md
@@ -0,0 +1,28 @@
+---
+author: tiaraquan
+ms.author: tiaraquan
+manager: aaroncz
+ms.service: windows-client
+ms.subservice: autopatch
+ms.topic: include
+ms.date: 09/24/2024
+ms.localizationpriority: medium
+---
+
+
+You must have access to the following endpoints:
+
+[Windows Update endpoints](/windows/privacy/manage-windows-1809-endpoints#windows-update)
+
+- *.prod.do.dsp.mp.microsoft.com
+- *.windowsupdate.com
+- *.dl.delivery.mp.microsoft.com
+- *.update.microsoft.com
+- *.delivery.mp.microsoft.com
+- tsfe.trafficshaping.dsp.mp.microsoft.com
+
+Graph API endpoints:
+
+- devicelistenerprod.microsoft.com
+- login.windows.net
+- payloadprod*.blob.core.windows.net
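Review bot: In the Windows Update list, "*.dl.delivery.mp.microsoft.com" is already covered by "*.delivery.mp.microsoft.com", so one of the two entries is redundant (or the broader one is unintended). "payloadprod*.blob.core.windows.net" puts the wildcard inside the host label rather than in front of it; that matches more than a single host and is not a form every proxy or firewall allowlist accepts, so say how to express it or list the concrete hosts. Wrapping the hostnames in backticks would keep the leading "*" from being read as Markdown, and the two list headings should share one style (one is a link, the other is plain text with a colon). There are also two consecutive blank lines after the front matter.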
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md
index 9557d457c6..a9fcc86c26 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 09/16/2024
+ms.date: 09/24/2024
---
# Programmatic controls for drivers and firmware updates
@@ -44,6 +44,11 @@ All of the [Windows Autopatch prerequisites](../prepare/windows-autopatch-fix-is
[!INCLUDE [Windows Autopath permissions using Graph Explorer](../includes/windows-autopatch-graph-explorer-permissions.md)]
+### Required endpoints
+
+
+[!INCLUDE [windows-autopatch-required-graph-api-endpoints](../includes/windows-autopatch-required-graph-api-endpoints.md)]
+
## Open Graph Explorer
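Review bot: The unchanged include label just above the new section reads "Windows Autopath permissions using Graph Explorer"; the other two files touched by this patch spell it "Windows Autopatch", so fix the typo while this area is being edited. The added "### Required endpoints" heading is followed by two blank lines; one is enough.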
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-programmatic-controls.md
index db264d3c4f..d6c5b41cb3 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-programmatic-controls.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-programmatic-controls.md
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 09/16/2024
+ms.date: 09/24/2024
---
# Programmatic controls for Windows feature updates
@@ -48,6 +48,11 @@ All of the [Windows Autopatch prerequisites](../prepare/windows-autopatch-prereq
[!INCLUDE [Windows Autopatch permissions using Graph Explorer](../includes/windows-autopatch-graph-explorer-permissions.md)]
+### Required endpoints
+
+
+[!INCLUDE [windows-autopatch-required-graph-api-endpoints](../includes/windows-autopatch-required-graph-api-endpoints.md)]
+
## Open Graph Explorer
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md
index 87af926fae..77acf64924 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 09/16/2024
+ms.date: 09/24/2024
---
# Programmatic controls for expedited Windows quality updates
@@ -44,6 +44,11 @@ All of the [Windows Autopatch prerequisites](../prepare/windows-autopatch-prereq
[!INCLUDE [Windows Autopatch permissions using Graph Explorer](../includes/windows-autopatch-graph-explorer-permissions.md)]
+### Required endpoints
+
+
+[!INCLUDE [windows-autopatch-required-graph-api-endpoints](../includes/windows-autopatch-required-graph-api-endpoints.md)]
+
## Open Graph Explorer
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
index 77fb2d0c6b..d9470148fd 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
@@ -1,7 +1,7 @@
---
title: Configure your network
description: This article details the network configurations needed for Windows Autopatch
-ms.date: 09/16/2024
+ms.date: 09/24/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@@ -63,7 +63,7 @@ The following URLs must be on the allowed list of your proxy and firewall so tha
| Microsoft service | URLs required on allowlist |
| ----- | ----- |
-| Windows Autopatch | - mmdcustomer.microsoft.com
- mmdls.microsoft.com
- logcollection.mmd.microsoft.com
- support.mmd.microsoft.com
|
+| Windows Autopatch | - mmdcustomer.microsoft.com
- mmdls.microsoft.com
- logcollection.mmd.microsoft.com
- support.mmd.microsoft.com
- devicelistenerprod.microsoft.com
- login.windows.net
- payloadprod*.blob.core.windows.net
|
## Delivery Optimization
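Review bot: The three hosts appended to the Windows Autopatch row (devicelistenerprod.microsoft.com, login.windows.net, payloadprod*.blob.core.windows.net) are the same ones this patch lists under "Graph API endpoints" in the new include file, so the list now lives in two places and can drift. Reference the include from this article or note which copy is authoritative, and label the hosts consistently, since here they appear as Windows Autopatch URLs and there as Graph API endpoints.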
From de733e228824c29268cd9e31021fa2ad4688fd86 Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Tue, 24 Sep 2024 13:30:35 -0700
Subject: [PATCH 12/13] Fixed broken link
---
.../prepare/windows-autopatch-configure-network.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
index d9470148fd..6666b1fe35 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
@@ -33,7 +33,7 @@ There are URLs from several Microsoft products that must be in the allowed list
| Microsoft service | URLs required on Allowlist |
| ----- | ----- |
| Microsoft Entra ID | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports)[Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))
|
-| Microsoft Intune | [Intune network configuration requirements](/intune/network-bandwidth-use)[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
|
+| Microsoft Intune | [Intune network configuration requirements](/mem/intune/fundamentals/network-bandwidth-use)[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
|
| Windows Update for Business (WUfB) | [Windows Update for Business firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) |
#### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-and-f3-licenses-required-microsoft-endpoints)
From 6cd8b7fb9331848b2276a068795eb56531334d4e Mon Sep 17 00:00:00 2001
From: Aditi Srivastava
Date: Wed, 25 Sep 2024 13:30:35 +0530
Subject: [PATCH 13/13] Acrolinx fixes
---
.../configure-windows-diagnostic-data-in-your-organization.md | 2 +-
...windows-operating-system-components-to-microsoft-services.md | 2 +-
windows/privacy/windows-privacy-compliance-guide.md | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 71ccd2f1d9..6fa1d2a9e2 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -190,7 +190,7 @@ Required diagnostic data includes:
- Operating system attributes, such as Windows edition and virtualization state
- Storage attributes, such as number of drives, type, and size
-- Quality metrics that helps provide an understanding about how the Connected User Experiences and diagnostic data component is functioning, including % of uploaded events, dropped events, blocked events, and the last upload time.
+- Quality metrics that help provide an understanding about how the Connected User Experiences and diagnostic data component is functioning, including % of uploaded events, dropped events, blocked events, and the last upload time.
- Quality-related information that helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and app state change details, such as how much processor time and memory were used, and the total uptime for an app.
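Review bot: The corrected "Quality metrics" bullet still ends with a period while the two bullets above it (operating system attributes, storage attributes) do not; punctuate the list consistently. "an understanding about how" would also read better as "an understanding of how", matching "a basic understanding of how" in the next bullet.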
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 2a1eec8490..bfb651939e 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1737,7 +1737,7 @@ In Group Policy, configure:
### 25. Personalized Experiences
-Personalized experiences provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. Example features include Windows Spotlight and Start Suggestions. You can control them by using the Group Policy.
+Personalized experiences provide features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. Example features include Windows Spotlight and Start Suggestions. You can control them by using the Group Policy.
> [!NOTE]
> This excludes how individual experiences (e.g., Windows Spotlight) can be controlled by users in Windows Settings.
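Review bot: The changed line still ends with "You can control them by using the Group Policy."; drop the article ("by using Group Policy") to match the "In Group Policy, configure:" wording shown in the hunk header.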
diff --git a/windows/privacy/windows-privacy-compliance-guide.md b/windows/privacy/windows-privacy-compliance-guide.md
index 753c45f0c8..fb9459ba79 100644
--- a/windows/privacy/windows-privacy-compliance-guide.md
+++ b/windows/privacy/windows-privacy-compliance-guide.md
@@ -35,7 +35,7 @@ Transparency is an important part of the data collection process in Windows. Com
### 1.1 Device set up experience and support for layered transparency
-When setting up a device, a user can configure their privacy settings. Those privacy settings are key in determining the amount of personal data collected. For each privacy setting, the user is provided information about the setting along with the links to supporting information. This information explains what data is collected, how the data is used, and how to manage the setting after the device setup is complete. When connected to the network during this portion of setup, the user can also review the privacy statement. A brief overview of the set up experience for privacy settings is described in [Windows Insiders get first look at new privacy screen settings layout coming to Windows 10](https://blogs.windows.com/windowsexperience/2018/03/06/windows-insiders-get-first-look-new-privacy-screen-settings-layout-coming-windows-10/#uCC2bKYP8M5BqrDP.97), a blog entry on Windows Blogs.
+When setting up a device, a user can configure their privacy settings. Those privacy settings are key in determining the amount of personal data collected. For each privacy setting, the user is provided information about the setting along with the links to supporting information. This information explains what data is collected, how the data is used, and how to manage the setting after the device setup is complete. When connected to the network during this portion of setup, the user can also review the privacy statement. A brief overview of the setup experience for privacy settings is described in [Windows Insiders get first look at new privacy screen settings layout coming to Windows 10](https://blogs.windows.com/windowsexperience/2018/03/06/windows-insiders-get-first-look-new-privacy-screen-settings-layout-coming-windows-10/#uCC2bKYP8M5BqrDP.97), a blog entry on Windows Blogs.
The following table provides an overview of the Windows 10 and Windows 11 privacy settings presented during the device setup experience that involve processing personal data and where to find additional information.
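Review bot: The body now uses "setup experience", but the heading directly above the changed paragraph still reads "### 1.1 Device set up experience and support for layered transparency". Change the heading to "setup" as well, and check for inbound links to the old anchor, since the heading slug will change.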