Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-20220920-MAXADO-6286399-federated-signin

This commit is contained in:
Paolo Matarazzo 2022-10-13 14:34:11 -04:00
commit 8292337754
840 changed files with 3511 additions and 3350 deletions

View File

@ -19674,6 +19674,11 @@
"source_path": "education/windows/change-history-edu.md", "source_path": "education/windows/change-history-edu.md",
"redirect_url": "/education/windows", "redirect_url": "/education/windows",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "education/windows/set-up-school-pcs-shared-pc-mode.md",
"redirect_url": "/windows/configuration/set-up-shared-or-guest-pc",
"redirect_document_id": false
} }
] ]
} }
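Review bot: The redirect added for `education/windows/set-up-school-pcs-shared-pc-mode.md` targets `/windows/configuration/set-up-shared-or-guest-pc`, while the TOC entry that replaces the old page in this same commit targets `/windows/configuration/shared-devices-concepts?context=/education/context/context`. Use one target for both, and check whether the redirect can carry the `?context=` parameter so readers following old links stay inside the education TOC.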

View File

@ -14,6 +14,6 @@ items:
tocHref: /education/windows tocHref: /education/windows
topicHref: /education/windows/index topicHref: /education/windows/index
- name: Windows - name: Windows
tocHref: /windows/security/ tocHref: /windows/configuration/
topicHref: /education/windows/index topicHref: /education/windows/index

View File

@ -0,0 +1,4 @@
### YamlMime: ContextObject
brand: windows
breadcrumb_path: ../breadcrumb/toc.yml
toc_rel: ../windows/toc.yml

View File

@ -32,6 +32,7 @@
"ms.technology": "windows", "ms.technology": "windows",
"manager": "aaroncz", "manager": "aaroncz",
"breadcrumb_path": "/education/breadcrumb/toc.json", "breadcrumb_path": "/education/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"feedback_system": "GitHub", "feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",

View File

@ -12,8 +12,10 @@ items:
items: items:
- name: Overview - name: Overview
href: windows-11-se-overview.md href: windows-11-se-overview.md
- name: Settings and CSP list - name: Settings list
href: windows-11-se-settings-list.md href: windows-11-se-settings-list.md
- name: Frequently Asked Questions (FAQ)
href: windows-11-se-faq.yml
- name: Windows in S Mode - name: Windows in S Mode
items: items:
- name: Test Windows 10 in S mode on existing Windows 10 education devices - name: Test Windows 10 in S mode on existing Windows 10 education devices
@ -22,8 +24,8 @@ items:
href: enable-s-mode-on-surface-go-devices.md href: enable-s-mode-on-surface-go-devices.md
- name: Windows 10 editions for education customers - name: Windows 10 editions for education customers
href: windows-editions-for-education-customers.md href: windows-editions-for-education-customers.md
- name: Shared PC mode for school devices - name: Considerations for shared and guest devices
href: set-up-school-pcs-shared-pc-mode.md href: /windows/configuration/shared-devices-concepts?context=/education/context/context
- name: Windows 10 configuration recommendations for education customers - name: Windows 10 configuration recommendations for education customers
href: configure-windows-for-education.md href: configure-windows-for-education.md
- name: Take tests and assessments in Windows - name: Take tests and assessments in Windows
@ -38,6 +40,8 @@ items:
href: edu-take-a-test-kiosk-mode.md href: edu-take-a-test-kiosk-mode.md
- name: Configure federated sign-in - name: Configure federated sign-in
href: federated-sign-in.md href: federated-sign-in.md
- name: Configure Shared PC
href: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
- name: Use the Set up School PCs app - name: Use the Set up School PCs app
href: use-set-up-school-pcs-app.md href: use-set-up-school-pcs-app.md
- name: Change Windows edition - name: Change Windows edition
@ -96,4 +100,7 @@ items:
href: set-up-school-pcs-whats-new.md href: set-up-school-pcs-whats-new.md
- name: Take a Test technical reference - name: Take a Test technical reference
href: take-a-test-app-technical.md href: take-a-test-app-technical.md
- name: Shared PC technical reference
href: /windows/configuration/shared-pc-technical?context=/education/context/context

Binary file not shown.


View File

@ -87,11 +87,15 @@ landingContent:
links: links:
- text: Take tests and assessments in Windows - text: Take tests and assessments in Windows
url: take-tests-in-windows.md url: take-tests-in-windows.md
- text: Considerations for shared and guest devices
url: /windows/configuration/shared-devices-concepts?context=/education/context/context
- text: Change Windows editions - text: Change Windows editions
url: change-home-to-edu.md url: change-home-to-edu.md
- text: "Deploy Minecraft: Education Edition"
url: get-minecraft-for-education.md
- linkListType: how-to-guide - linkListType: how-to-guide
links: links:
- text: Configure Take a Test in kiosk mode - text: Configure Take a Test in kiosk mode
url: edu-take-a-test-kiosk-mode.md url: edu-take-a-test-kiosk-mode.md
- text: Configure Shared PC
url: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
- text: "Deploy Minecraft: Education Edition"
url: get-minecraft-for-education.md

View File

@ -86,13 +86,7 @@ Automated Azure AD tokens expire after 180 days. The expiration date for each to
## Next steps ## Next steps
Learn more about setting up devices with the Set up School PCs app. Learn more about setting up devices with the Set up School PCs app.
* [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md) * [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md)
* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md)
* [Set up School PCs technical reference](set-up-school-pcs-technical.md) * [Set up School PCs technical reference](set-up-school-pcs-technical.md)
* [Set up Windows 10 devices for education](set-up-windows-10.md) * [Set up Windows 10 devices for education](set-up-windows-10.md)
When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).

View File

@ -20,10 +20,10 @@ appliesto:
# What's in my provisioning package? # What's in my provisioning package?
The Set up School PCs app builds a specialized provisioning package with school-optimized settings. The Set up School PCs app builds a specialized provisioning package with school-optimized settings.
A key feature of the provisioning package is Shared PC mode. To view the technical framework of Shared PC mode, including the description of each setting, see the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp) article. A key feature of the provisioning package is Shared PC mode. To view the technical framework of Shared PC mode, including the description of each setting, see the [Manage multi-user and guest Windows devices with Shared PC](/windows/configuration/shared-pc-technical) article.
## Shared PC Mode policies ## Shared PC Mode policies
This table outlines the policies applied to devices in shared PC mode. If you [selected to optimize a device for use by a single student](set-up-school-pcs-shared-pc-mode.md#optimize-device-for-use-by-a-single-student), the table notes the differences. Specifically, you'll see differences in the following policies: This table outlines the policies applied to devices in shared PC mode. If you select to optimize a device for use by a single student, you'll see differences in the following policies:
* Disk level deletion * Disk level deletion
* Inactive threshold * Inactive threshold
* Restrict local storage * Restrict local storage
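Review bot: In the rewritten sentence under "## Shared PC Mode policies", "If you select to optimize a device for use by a single student" no longer tells the reader where that option is set. The link was dropped, and the steps (**Create package** > **Settings** > **Optimize device for a single student, instead of a shared cart or lab**) appear only in the page this commit deletes. Keep a one-line pointer to the setting here, and reword to "If you choose to optimize ...".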
@ -128,7 +128,6 @@ Review the table below to estimate your expected provisioning time. A package th
## Next steps ## Next steps
Learn more about setting up devices with the Set up School PCs app. Learn more about setting up devices with the Set up School PCs app.
* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) * [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md)
* [Set up School PCs technical reference](set-up-school-pcs-technical.md) * [Set up School PCs technical reference](set-up-school-pcs-technical.md)
* [Set up Windows 10 devices for education](set-up-windows-10.md) * [Set up Windows 10 devices for education](set-up-windows-10.md)

View File

@ -1,79 +0,0 @@
---
title: Shared PC mode for school devices
description: Describes how shared PC mode is set for devices set up with the Set up School PCs app.
keywords: shared PC, school, set up school pcs
ms.prod: windows
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
ms.collection: education
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/10/2022
ms.reviewer:
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
---
# Shared PC mode for school devices
Shared PC mode optimizes Windows 10 for shared use scenarios, such as classrooms and school libraries. A Windows 10 PC in shared PC mode requires minimal to zero maintenance and management. Update settings are optimized for classroom settings, so that they automatically occur outside of school hours.
Shared PC mode can be applied on devices running:
* Windows 10 Pro
* Windows 10 Pro Education
* Windows 10 Education
* Windows 10 Enterprise
To learn more about how to set up a device in shared PC mode, see [Set up a shared or guest PC with Windows 10](/windows/configuration/set-up-shared-or-guest-pc).
## Windows Updates
Shared PC mode configures power and Windows Update settings so that computers update regularly. Computers that are set up through the Set up School PCs app are configured to:
* Wake nightly.
* Check for and install updates.
* Forcibly reboot, when necessary, to complete updates.
These configurations reduce the need to update and reboot computers during daytime work hours. Notifications about needed updates are also blocked from disrupting students.
## Default admin accounts in Azure Active Directory
By default, the account that joins your computer to Azure AD will be given admin permissions on the computer. Global administrators in the joined Azure AD domain will also have admin permissions when signed in to the joined computer.
An Azure AD Premium subscription lets you specify the accounts that get admin accounts on a computer. These accounts are configured in Intune in the Azure portal.
## Account deletion policies
This section describes the deletion behavior for the accounts configured in shared PC mode. A delete policy makes sure that outdated or stale accounts are regularly removed to make room for new accounts.
### Azure AD accounts
The default deletion policy is set to automatically cache accounts. Cached accounts are automatically deleted when disk space gets too low, or when there's an extended period of inactivity. Accounts continue to delete until the computer reclaims sufficient disk space. Deletion policies behave the same for Azure AD and Active Directory domain accounts.
### Guest and Kiosk accounts
Guest accounts and accounts created through Kiosk are deleted after they sign out of their account.
### Local accounts
Local accounts that you created before enabling shared PC mode aren't deleted. Local accounts that you create through the following path, after enabling PC mode, are not deleted: **Settings** app > **Accounts** > **Other people** > **Add someone**
## Create custom Windows images
Shared PC mode is compatible with custom Windows images.
To create a compatible image, first create your custom Windows image with all software, updates, and drivers. Then use the System Preparation (Sysprep) tool with the `/oobe` flag to create the SharedPC-compatible version. For example, `sysrep/oobe`.
Teachers can then run the Set up School PCs package on the computer.
## Optimize device for use by a single student
Shared PC mode is enabled by default. This mode optimizes device settings for schools where PCs are shared by students. The Set up School PCs app also offers the option to configure settings for devices that aren't shared.
If you select this setting, the app modifies shared PC mode so that it's appropriate for a single device. To see how the settings differ, refer to the Shared PC mode policy table in the article [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md)
1. In the app, go to the **Create package** > **Settings** step.
2. Select **Optimize device for a single student, instead of a shared cart or lab**.
## Next steps
Learn more about setting up devices with the Set up School PCs app.
* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
* [Set up School PCs technical reference](set-up-school-pcs-technical.md)
* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md)
* [Set up Windows 10 devices for education](set-up-windows-10.md)
When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
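Review bot: This deletion removes the only visible description of two security-relevant behaviours. "Default admin accounts in Azure Active Directory" states that the account joining the device to Azure AD, and Global administrators, get admin permissions on the computer. "Account deletion policies" states which accounts are and are not removed. Confirm that the redirect target covers both before merging, or move those sections into a surviving education article. The `#optimize-device-for-use-by-a-single-student` anchor also disappears with the file, so any remaining inbound links to it need updating.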

View File

@ -67,7 +67,6 @@ The following table describes the Set up School PCs app features and lists each
## Next steps ## Next steps
Learn more about setting up devices with the Set up School PCs app. Learn more about setting up devices with the Set up School PCs app.
* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) * [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md)
* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md) * [What's in my provisioning package](set-up-school-pcs-provisioning-package.md)
* [Set up Windows 10 devices for education](set-up-windows-10.md) * [Set up Windows 10 devices for education](set-up-windows-10.md)

View File

@ -104,7 +104,6 @@ The Skype and Messaging apps are part of a selection of apps that are, by defaul
## Next steps ## Next steps
Learn how to create provisioning packages and set up devices in the app. Learn how to create provisioning packages and set up devices in the app.
* [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md) * [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md)
* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md)
* [Set up School PCs technical reference](set-up-school-pcs-technical.md) * [Set up School PCs technical reference](set-up-school-pcs-technical.md)
* [Set up Windows 10 devices for education](set-up-windows-10.md) * [Set up Windows 10 devices for education](set-up-windows-10.md)

View File

@ -34,7 +34,7 @@ There are different ways to use Take a Test, depending on the use case:
- For lower stakes assessments, such a quick quiz in a class, a teacher can generate a *secure assessment URL* and share it with the students. Students can then open the URL to access the assessment through Take a Test. To learn more, see the next section: [Create a secure assessment link](#create-a-secure-assessment-link) - For lower stakes assessments, such a quick quiz in a class, a teacher can generate a *secure assessment URL* and share it with the students. Students can then open the URL to access the assessment through Take a Test. To learn more, see the next section: [Create a secure assessment link](#create-a-secure-assessment-link)
- For higher stakes assessments, you can configure Windows devices to use a dedicated account for testing and execute Take a Test in a locked-down mode, called **kiosk mode**. Once signed in with the dedicated account, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. For more information, see [Configure Take a Test in kiosk mode](edu-take-a-test-kiosk-mode.md) - For higher stakes assessments, you can configure Windows devices to use a dedicated account for testing and execute Take a Test in a locked-down mode, called **kiosk mode**. Once signed in with the dedicated account, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. For more information, see [Configure Take a Test in kiosk mode](edu-take-a-test-kiosk-mode.md)
![Set up and user flow for the Take a Test app.](images/takeatest/flow-chart.png) :::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false":::
## Create a secure assessment link ## Create a secure assessment link
@ -95,6 +95,6 @@ To take the test, have the students open the link.
## Additional information ## Additional information
Teachers can use **Microsoft Forms** to create tests. For more information, see [Create tests using Microsoft Forms](https://support.microsoft.com/office/). Teachers can use **Microsoft Forms** to create tests. For more information, see [Create tests using Microsoft Forms](https://support.microsoft.com/en-us/office/create-a-quiz-with-microsoft-forms-a082a018-24a1-48c1-b176-4b3616cdc83d).
To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md). To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).
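Review bot: The replacement Microsoft Forms link under "## Additional information" hardcodes the `en-us` locale segment (`https://support.microsoft.com/en-us/office/create-a-quiz-with-microsoft-forms-...`). Drop `/en-us` so the link resolves to the reader's locale, matching the locale-free `support.microsoft.com/windows/...` form already used for `feedback_product_url` in this commit.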

View File

@ -33,15 +33,10 @@ This [table][INT-1] describes the ideal scenarios for using either option. It's
:::image type="content" source="./images/enroll.png" alt-text="The device lifecycle for Intune-managed devices - enrollment" border="false"::: :::image type="content" source="./images/enroll.png" alt-text="The device lifecycle for Intune-managed devices - enrollment" border="false":::
Select one of the following options to learn the next steps about the enrollment method you chose: Select one of the following options to learn the next steps about the enrollment method you chose:
> [!div class="op_single_selector"]
> [!div class="nextstepaction"] > - [Automatic Intune enrollment via Azure AD join](enroll-aadj.md)
> [Next: Automatic Intune enrollment via Azure AD join >](enroll-aadj.md) > - [Bulk enrollment with provisioning packages](enroll-package.md)
> - [Enroll devices with Windows Autopilot ](enroll-autopilot.md)
> [!div class="nextstepaction"]
> [Next: Bulk enrollment with provisioning packages >](enroll-package.md)
> [!div class="nextstepaction"]
> [Next: Enroll devices with Windows Autopilot >](enroll-autopilot.md)
<!-- Reference links in article --> <!-- Reference links in article -->
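Review bot: The third selector entry has a trailing space inside the link text, `[Enroll devices with Windows Autopilot ](enroll-autopilot.md)`; remove it so it renders consistently with the other two entries. Also confirm that the lead-in "Select one of the following options to learn the next steps" still fits now that the three `nextstepaction` buttons are replaced by an `op_single_selector` list.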

View File

@ -0,0 +1,68 @@
### YamlMime:FAQ
metadata:
title: Windows 11 SE Frequently Asked Questions (FAQ)
description: Use these frequently asked questions (FAQ) to learn important details about Windows 11 SE.
ms.prod: windows
ms.technology: windows
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer:
ms.collection: education
ms.topic: faq
localizationpriority: medium
ms.date: 09/14/2022
appliesto:
- ✅ <b>Windows 11 SE</b>
title: Common questions about Windows 11 SE
summary: Windows 11 SE combines the power and privacy of Windows 11 with educator feedback to create a simplified experience on devices built for education. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows 11 SE so you can get to what matters most.
sections:
- name: General
questions:
- question: What is Windows 11 SE?
answer: |
Windows 11 SE is a new cloud-first operating system that offers the power and reliability of Windows 11 with a simplified design and tools specially designed for schools.
To learn more, see [Windows 11 SE Overview](/education/windows/windows-11-se-overview).
- question: Who is the Windows 11 SE designed for?
answer: |
Windows 11 SE is designed for students in grades K-8 who use a laptop provided by their school, in a 1:1 scenario.
- question: What are the major differences between Windows 11 and Windows 11 SE?
answer: |
Windows 11 SE was created based on feedback from educators who wanted a distraction-free experience for their students. Here are some of the differences that you'll find in Windows 11 SE:
- Experience a simplified user interface so you can stay focused on the important stuff
- Only IT admins can install apps. Users will not be able to access the Microsoft Store or download apps from the internet
- Use Snap Assist to maximize screen space on smaller screens with two-window snapping
- Store your Desktop, Documents, and Photos folders in the cloud using OneDrive, so your work is backed up and easy to find
- Express yourself and celebrate accomplishments with the *emoji and GIF panel* and *Stickers*
- name: Deployment
questions:
- question: Can I load Windows 11 SE on any hardware?
answer: |
Windows 11 SE is only available on devices that are built for education. To learn more, see [Windows 11 SE Overview](/education/windows/windows-11-se-overview).
- name: Applications and settings
questions:
- question: How can I install applications on Windows 11 SE?
answer: |
You can use Microsoft Intune to install applications on Windows 11 SE.
For more information, see [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps).
- question: What apps will work on Windows 11 SE?
answer: |
Windows 11 SE supports all web applications and a curated list of desktop applications. You can prepare and add a desktop app to Microsoft Intune as a Win32 app from the [approved app list](/education/windows/windows-11-se-overview), then distribute it.
For more information, see [Considerations for Windows 11 SE](/education/windows/tutorial-school-deployment/configure-device-apps#considerations-for-windows-11-se).
- question: Why there's no application store on Windows 11 SE?
answer: |
IT Admins can manage system settings (including application installation and the application store) to ensure all students have a safe, distraction-free experience. On Windows SE devices, you have pre-installed apps from Microsoft, from your IT admin, and from your device manufacturer. You can continue to use web apps on the Microsoft Edge browser, as web apps do not require installation.
For more information, see [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps).
- question: What does the error 0x87D300D9 mean in the Intune for Education portal?
answer: |
This error means that the app you are trying to install is not supported on Windows 11 SE. If you have an app that fails with this error, then:
- Make sure the app is on the [available applications list](/education/windows/windows-11-se-overview#available-applications). Or, make sure your app is [approved for Windows 11 SE](/education/windows/windows-11-se-overview#add-your-own-applications)
- If the app is approved, then it's possible the app is not packaged correctly. For more information, [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps)
- If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own applications](/education/windows/windows-11-se-overview#add-your-own-applications). Or, use an app that runs in a web browser, such as a web app or PWA
- name: Out-of-box experience (OOBE)
questions:
- question: My Windows 11 SE device is stuck in OOBE, how can I troubleshoot it?
answer: |
To access the Settings application during OOBE on a Windows 11 SE device, press <kbd>Shift</kbd>+<kbd>F10</kbd>, then select the accessibility icon :::image type="icon" source="images/icons/accessibility.svg"::: on the bottom-right corner of the screen. From the Settings application, you can troubleshoot the OOBE process and, optionally, trigger a device reset.
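Review bot: Several questions and answers in the new FAQ need a wording pass before publishing: "Who is the Windows 11 SE designed for?" (drop "the"), "Why there's no application store on Windows 11 SE?" (should read "Why is there no ..."), and "On Windows SE devices" (should be "Windows 11 SE"). The `[approved app list](/education/windows/windows-11-se-overview)` link in "What apps will work on Windows 11 SE?" has no anchor, while the 0x87D300D9 answer links to `#available-applications` on the same page; use the anchor in both places.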

View File

@ -88,7 +88,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
|-----------------------------------------|-------------------|----------|------------------------------| |-----------------------------------------|-------------------|----------|------------------------------|
| AirSecure | 8.0.0 | Win32 | AIR | | AirSecure | 8.0.0 | Win32 | AIR |
| Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies | | Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies |
| Brave Browser | 1.34.80 | Win32 | Brave | | Brave Browser | 106.0.5249.65 | Win32 | Brave |
| Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb | | Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb |
| CA Secure Browser | 14.0.0 | Win32 | Cambium Development | | CA Secure Browser | 14.0.0 | Win32 | Cambium Development |
| Cisco Umbrella | 3.0.110.0 | Win32 | Cisco | | Cisco Umbrella | 3.0.110.0 | Win32 | Cisco |
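Review bot: The Brave Browser row changes the version from `1.34.80` to `106.0.5249.65`, which switches number format rather than just bumping the value; the new string looks like a browser-engine build number, not the product version scheme the old entry used. Confirm which identifier the approved-app list is meant to record and keep the column consistent, since admins match this value against the package they deploy.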
@ -167,14 +167,6 @@ When the app is ready, Microsoft will update you. Then, you add the app to the I
For more information on Intune requirements for adding education apps, see [Configure applications with Microsoft Intune][EDUWIN-1]. For more information on Intune requirements for adding education apps, see [Configure applications with Microsoft Intune][EDUWIN-1].
### 0x87D300D9 error with an app
When you deploy an app using Intune for Education, you may get a `0x87D300D9` error code with a `Failed` state in the [Intune for Education portal](https://intuneeducation.portal.azure.com). If you have an app that fails with this error, then:
- Make sure the app is on the [available applications list](#available-applications). Or, make sure your app is [approved for Windows 11 SE](#add-your-own-applications)
- If the app is approved, then it's possible the app is packaged wrong. For more information, see [Add your own apps](#add-your-own-applications) and [Configure applications with Microsoft Intune][EDUWIN-1]
- If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own apps](#add-your-own-applications). Or, use an app that runs in a web browser, such as a web app or PWA
## Related articles ## Related articles
- [Tutorial: deploy and manage Windows devices in a school][EDUWIN-2] - [Tutorial: deploy and manage Windows devices in a school][EDUWIN-2]

View File

@ -17,7 +17,7 @@ appliesto:
# Windows 11 SE for Education settings list # Windows 11 SE for Education settings list
Windows 11 SE automatically configures settings and features in the operating system. These settings use the Configuration Service Provider (CSPs) provided by Microsoft. You can use an MDM provider to configure these settings. Windows 11 SE automatically configures certain settings and features in the operating system. You can use Microsoft Intune to customize these settings.
This article lists the settings automatically configured. For more information on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). This article lists the settings automatically configured. For more information on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md).
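Review bot: The new intro sentence says "You can use Microsoft Intune to customize these settings", but the next section of the same article is introduced with "The following settings can't be changed". Qualify the intro so it is clear that only some of the automatically configured settings are customizable. The table further down still says "Microsoft Endpoint Manager", so align the product name while editing this paragraph.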
@ -61,45 +61,6 @@ The following settings can't be changed.
| Administrative tools | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Endpoint Manager can run. | | Administrative tools | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Endpoint Manager can run. |
| Apps | Only certain apps are allowed to run on Windows 11 SE. For more info on what apps can run on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). | | Apps | Only certain apps are allowed to run on Windows 11 SE. For more info on what apps can run on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). |
## What's available in the Settings app
On Windows 11 SE devices, the Settings app shows the following setting pages. Depending on the hardware, some setting pages might not be shown.
- Accessibility
- Accounts
- Email & accounts
- Apps
- Bluetooth & devices
- Bluetooth
- Printers & scanners
- Mouse
- Touchpad
- Typing
- Pen
- AutoPlay
- Network & internet
- WiFi
- VPN
- Personalization
- Taskbar
- Privacy & security
- System
- Display
- Notifications
- Tablet mode
- Multitasking
- Projecting to this PC
- Time & Language
- Language & region
## Next steps ## Next steps
[Windows 11 SE for Education overview](windows-11-se-overview.md) [Windows 11 SE for Education overview](windows-11-se-overview.md)

View File

@ -52,7 +52,7 @@ ms.date: 08/01/2022
- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment) - [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) - [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) <sup>9</sup> - [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) <sup>9</sup>
- [MixedReality/AllowCaptivePortalBeforeSignIn](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforesignin) <sup>Insider</sup> - [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforelogon) <sup>Insider</sup>
- [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#mixedreality-allowlaunchuriinsingleappkiosk)<sup>10</sup> - [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#mixedreality-allowlaunchuriinsingleappkiosk)<sup>10</sup>
- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) <sup>11</sup> - [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) <sup>11</sup>
- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) <sup>9</sup> - [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) <sup>9</sup>
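Review bot: The renamed anchor `#mixedreality-allowcaptiveportalpeforelogon` keeps the "pefore" misspelling from the old `...peforesignin` anchor. Because the id is being changed in this commit anyway, fix it to `...beforelogon` here and in the matching `href` and `id` in `policy-csp-mixedreality.md`, and check for inbound links that still use the old anchor.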

View File

@ -23,7 +23,7 @@ manager: aaroncz
<a href="#mixedreality-aadgroupmembershipcachevalidityindays">MixedReality/AADGroupMembershipCacheValidityInDays</a> <a href="#mixedreality-aadgroupmembershipcachevalidityindays">MixedReality/AADGroupMembershipCacheValidityInDays</a>
</dd> </dd>
<dd> <dd>
<a href="#mixedreality-allowcaptiveportalpeforesignin">MixedReality/AllowCaptivePortalBeforeSignIn</a> <a href="#mixedreality-allowcaptiveportalpeforelogon">MixedReality/AllowCaptivePortalBeforeLogon</a>
</dd> </dd>
<dd> <dd>
<a href="#mixedreality-allowlaunchuriinsingleappkiosk">MixedReality/AllowLaunchUriInSingleAppKiosk</a> <a href="#mixedreality-allowlaunchuriinsingleappkiosk">MixedReality/AllowLaunchUriInSingleAppKiosk</a>
@ -103,7 +103,7 @@ Steps to use this policy correctly:
<hr/> <hr/>
<!--Policy--> <!--Policy-->
<a href="" id="mixedreality-allowcaptiveportalpeforesignin"></a>**MixedReality/AllowCaptivePortalBeforeSignIn** <a href="" id="mixedreality-allowcaptiveportalpeforelogon"></a>**MixedReality/AllowCaptivePortalBeforeLogon**
<!--SupportedSKUs--> <!--SupportedSKUs-->
@ -127,11 +127,14 @@ Steps to use this policy correctly:
<!--Description--> <!--Description-->
This new feature is an opt-in policy that IT Admins can enable to help with the setup of new devices in new areas or new users. When this policy is turned on it allows a captive portal on the sign-in screen, which allows a user to enter credentials to connect to the Wi-Fi access point. If enabled, sign in will implement similar logic as OOBE to display captive portal if necessary. This new feature is an opt-in policy that IT Admins can enable to help with the setup of new devices in new areas or new users. When this policy is turned on it allows a captive portal on the sign-in screen, which allows a user to enter credentials to connect to the Wi-Fi access point. If enabled, sign in will implement similar logic as OOBE to display captive portal if necessary.
MixedReality/AllowCaptivePortalBeforeSignIn MixedReality/AllowCaptivePortalBeforeLogon
The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowCaptivePortalBeforeSignIn` The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowCaptivePortalBeforeLogon`
Bool value Int value
- 0: (Default) Off
- 1: On
<!--/Description--> <!--/Description-->
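Review bot: The description does not tell an admin what they are opting into. With the value set to `1`, the sign-in screen shows a captive portal, which is web content supplied by whichever Wi-Fi network the device is joining, before any user has authenticated. Add a sentence saying so next to the `0`/`1` list, and state what `0` means in practice (no captive portal is shown at sign-in). Two smaller points in the same block: "This new feature" will age and can simply be "This policy", and the bare policy-name line above the OMA-URI repeats the heading and could be dropped.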

View File

@ -74,37 +74,35 @@ A boolean value that specifies whether the policies for education environment ar
The supported operations are Add, Get, Replace, and Delete. The supported operations are Add, Get, Replace, and Delete.
The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode. The default value is Not Configured.
In Windows 10, version 1607, the value is set to True and the education environment is automatically configured when SharedPC mode is configured.
<a href="" id="setpowerpolicies"></a>**SetPowerPolicies** <a href="" id="setpowerpolicies"></a>**SetPowerPolicies**
Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode. A boolean value that specifies that the power policies should be set when configuring SharedPC mode.
The supported operations are Add, Get, Replace, and Delete. The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured and the effective power settings are determined by the OS's default power settings. Its value in the SharedPC provisioning package is True. The default value is Not Configured and the effective power settings are determined by the OS's default power settings. Its value in the SharedPC provisioning package is True.
<a href="" id="maintenancestarttime"></a>**MaintenanceStartTime** <a href="" id="maintenancestarttime"></a>**MaintenanceStartTime**
Optional. An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440. An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440.
The supported operations are Add, Get, Replace, and Delete. The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured and its value in the SharedPC provisioning package is 0 (12 AM). The default value is Not Configured and its value in the SharedPC provisioning package is 0 (12 AM).
<a href="" id="signinonresume"></a>**SignInOnResume** <a href="" id="signinonresume"></a>**SignInOnResume**
Optional. A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode. A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode.
The supported operations are Add, Get, Replace, and Delete. The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured and its value in the SharedPC provisioning package is True. The default value is Not Configured and its value in the SharedPC provisioning package is True.
<a href="" id="sleeptimeout"></a>**SleepTimeout** <a href="" id="sleeptimeout"></a>**SleepTimeout**
The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional. The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes.
The supported operations are Add, Get, Replace, and Delete. The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured, and effective behavior is determined by the OS's default settings. Its value in the SharedPC provisioning package for Windows 10, version 1703 is 300, and in Windows 10, version 1607 is 3600. The default value is Not Configured, and effective behavior is determined by the OS's default settings. Its value in SharedPC provisioning package is 300.
<a href="" id="enableaccountmanager"></a>**EnableAccountManager** <a href="" id="enableaccountmanager"></a>**EnableAccountManager**
A boolean that enables the account manager for shared PC mode. A boolean that enables the account manager for shared PC mode.
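Review bot: In the SetEduPolicies text, the new wording "The default value is Not Configured." drops more than version history: the old sentence also said the node needs to be configured independent of EnableSharedPCMode, which is behavior an admin still needs to know, so keep that clause. In SleepTimeout, "Default is 5 minutes" now sits next to "The default value is Not Configured ... Its value in SharedPC provisioning package is 300", so the paragraph gives two different defaults; reword the first sentence to say that 300 seconds (5 minutes) is the provisioning package value.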
@ -131,12 +129,7 @@ Configures when accounts are deleted.
The supported operations are Add, Get, Replace, and Delete. The supported operations are Add, Get, Replace, and Delete.
For Windows 10, version 1607, here's the list shows the supported values: This is the list of supported values:
- 0 - Delete immediately.
- 1 (default) - Delete at disk space threshold.
For Windows 10, version 1703, here's the list of supported values:
- 0 - Delete immediately. - 0 - Delete immediately.
- 1 - Delete at disk space threshold. - 1 - Delete at disk space threshold.
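Review bot: After merging the two per-version lists, none of the values visible here is marked as the default, where the removed 1607 list had "1 (default)". If DeletionPolicy still has a default, mark it in the merged list or state it in a sentence above the list, in the same way the other nodes in this file state "The default value is ...".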
@ -163,23 +156,23 @@ For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevel
The supported operations are Add, Get, Replace, and Delete. The supported operations are Add, Get, Replace, and Delete.
<a href="" id="restrictlocalstorage"></a>**RestrictLocalStorage** <a href="" id="restrictlocalstorage"></a>**RestrictLocalStorage**
Added in Windows 10, version 1703. Restricts the user from using local storage. This node is optional. Restricts the user from using local storage.
The default value is Not Configured and behavior is no such restriction applied. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False. The default value is Not Configured. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False.
<a href="" id="kioskmodeaumid"></a>**KioskModeAUMID** <a href="" id="kioskmodeaumid"></a>**KioskModeAUMID**
Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional. Specifies the AUMID of the app to use with assigned access.
- Value type is string. - Value type is string.
- Supported operations are Add, Get, Replace, and Delete. - Supported operations are Add, Get, Replace, and Delete.
<a href="" id="kioskmodeusertiledisplaytext"></a>**KioskModeUserTileDisplayText** <a href="" id="kioskmodeusertiledisplaytext"></a>**KioskModeUserTileDisplayText**
Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen that launches the app specified by KioskModeAUMID. This node is optional. Specifies the display text for the account shown on the sign-in screen that launches the app specified by KioskModeAUMID.
Value type is string. Supported operations are Add, Get, Replace, and Delete. Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="inactivethreshold"></a>**InactiveThreshold** <a href="" id="inactivethreshold"></a>**InactiveThreshold**
Added in Windows 10, version 1703. Accounts will start being deleted when they haven't been logged on during the specified period, given as number of days. Accounts will start being deleted when they haven't been logged on during the specified period, given as number of days.
- The default value is Not Configured. - The default value is Not Configured.
- Value type is integer. - Value type is integer.
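Review bot: In RestrictLocalStorage, shortening the sentence to "The default value is Not Configured." removes the only statement of the effective behavior (no restriction is applied). SetPowerPolicies and SleepTimeout in this file still say what Not Configured means in practice; keep the same for this node so a reader does not have to guess whether local storage is restricted by default.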
@ -188,7 +181,7 @@ Added in Windows 10, version 1703. Accounts will start being deleted when they h
The default in the SharedPC provisioning package is 30. The default in the SharedPC provisioning package is 30.
<a href="" id="maxpagefilesizemb"></a>**MaxPageFileSizeMB** <a href="" id="maxpagefilesizemb"></a>**MaxPageFileSizeMB**
Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. This node is optional. Maximum size of the paging file in MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM.
- Default value is Not Configured. - Default value is Not Configured.
- Value type is integer. - Value type is integer.
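Review bot: Style point in the MaxPageFileSizeMB sentence: "less than 32-GB storage and at least 3 GB of RAM" mixes a hyphenated and an unhyphenated unit in one sentence. Since the line is being touched anyway, make it "less than 32 GB of storage and at least 3 GB of RAM".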

View File

@ -68,8 +68,6 @@
href: kiosk-single-app.md href: kiosk-single-app.md
- name: Set up a multi-app kiosk - name: Set up a multi-app kiosk
href: lock-down-windows-10-to-specific-apps.md href: lock-down-windows-10-to-specific-apps.md
- name: Set up a shared or guest PC
href: set-up-shared-or-guest-pc.md
- name: Kiosk reference information - name: Kiosk reference information
items: items:
- name: More kiosk methods and reference information - name: More kiosk methods and reference information
@ -93,6 +91,14 @@
- name: Troubleshoot kiosk mode issues - name: Troubleshoot kiosk mode issues
href: kiosk-troubleshoot.md href: kiosk-troubleshoot.md
- name: Configure multi-user and guest devices
items:
- name: Shared devices concepts
href: shared-devices-concepts.md
- name: Configure shared devices with Shared PC
href: set-up-shared-or-guest-pc.md
- name: Shared PC technical reference
href: shared-pc-technical.md
- name: Use provisioning packages - name: Use provisioning packages
items: items:
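Review bot: The new TOC entry names `set-up-shared-or-guest-pc.md` "Configure shared devices with Shared PC", while the same commit retitles that page to "Set up a shared or guest Windows device". Pick one wording so the navigation label and the page heading match. The section also links `shared-devices-concepts.md` and `shared-pc-technical.md`; confirm both files are added in this change, since a missing target breaks the TOC build.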

View File

@ -0,0 +1,3 @@
<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M6.75001 3.25C6.75001 2.55964 7.30966 2 8.00001 2C8.69037 2 9.25001 2.55964 9.25001 3.25C9.25001 3.94036 8.69037 4.5 8.00001 4.5C7.30966 4.5 6.75001 3.94036 6.75001 3.25ZM8.00001 1C6.75737 1 5.75001 2.00736 5.75001 3.25C5.75001 3.42769 5.77061 3.60057 5.80955 3.76638L4.1981 3.11531C3.38523 2.78689 2.45661 3.17707 2.12226 3.98751C1.78682 4.8006 2.17658 5.72824 2.9921 6.05773L5 6.86897L5 9.25304L3.18661 12.6635C2.77397 13.4396 3.06858 14.4032 3.84463 14.8158C4.62069 15.2285 5.58431 14.9339 5.99695 14.1578L8.00028 10.3901L10.0037 14.158C10.4163 14.934 11.3799 15.2286 12.156 14.816C12.9321 14.4034 13.2267 13.4397 12.814 12.6637L11 9.252V6.86897L13.0079 6.05773C13.8234 5.72824 14.2132 4.80059 13.8777 3.98751C13.5434 3.17707 12.6148 2.78689 11.8019 3.11531L10.1905 3.76636C10.2294 3.60055 10.25 3.42768 10.25 3.25C10.25 2.00736 9.24265 1 8.00001 1ZM3.04668 4.36889C3.17149 4.06635 3.52005 3.91989 3.82349 4.04249L7.25078 5.42721C7.73138 5.62138 8.2686 5.62138 8.74921 5.42721L12.1765 4.04249C12.4799 3.91989 12.8285 4.06635 12.9533 4.36889C13.077 4.66879 12.9341 5.00902 12.6333 5.13055L10.6254 5.94179C10.2474 6.09449 10 6.46133 10 6.86897V9.252C10 9.41571 10.0402 9.57692 10.1171 9.72147L11.9311 13.1332C12.0844 13.4216 11.9749 13.7797 11.6865 13.9331C11.3981 14.0864 11.04 13.9769 10.8866 13.6885L8.88322 9.92064C8.50711 9.21327 7.49344 9.21326 7.11733 9.92064L5.114 13.6883C4.96065 13.9768 4.60252 14.0863 4.31411 13.9329C4.02569 13.7795 3.9162 13.4214 4.06955 13.133L5.88295 9.72251C5.9598 9.57796 6 9.41675 6 9.25304V6.86897C6 6.46133 5.75256 6.09449 5.3746 5.94179L3.3667 5.13055C3.06591 5.00902 2.92295 4.66879 3.04668 4.36889Z" fill="#0078D4" />
</svg>

View File

@ -0,0 +1,3 @@
<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
<path d="M1792 0q53 0 99 20t82 55 55 81 20 100q0 53-20 99t-55 82-81 55-100 20h-128v1280q0 53-20 99t-55 82-81 55-100 20H256q-53 0-99-20t-82-55-55-81-20-100q0-53 20-99t55-82 81-55 100-20V256q0-53 20-99t55-82 81-55T512 0h1280zM128 1792q0 27 10 50t27 40 41 28 50 10h930q-34-60-34-128t34-128H256q-27 0-50 10t-40 27-28 41-10 50zm1280 128q27 0 50-10t40-27 28-41 10-50V256q0-68 34-128H512q-27 0-50 10t-40 27-28 41-10 50v1280h1024q26 0 45 19t19 45q0 26-19 45t-45 19q-25 0-49 9t-42 28q-18 18-27 42t-10 49q0 27 10 50t27 40 41 28 50 10zm384-1536q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10q-27 0-50 10t-40 27-28 41-10 50v128h128zm-1280 0h896v128H512V384zm0 256h256v128H512V640zm0 256h256v128H512V896zm0 256h256v128H512v-128zm640-512q53 0 99 20t82 55 55 81 20 100q0 17-4 33t-4 31v539l-248-124-248 124V960q0-14-4-30t-4-34q0-53 20-99t55-82 81-55 100-20zm0 128q-27 0-50 10t-40 27-28 41-10 50q0 27 10 50t27 40 41 28 50 10q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10zm136 549v-204q-30 20-65 29t-71 10q-36 0-71-9t-65-30v204l136-68 136 68z" fill="#0078D4" />
</svg>

View File

@ -0,0 +1,24 @@
<svg id="a9ed4d43-c916-4b9a-b9ca-be76fbdc694c" xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
<defs>
<linearGradient id="aaede26b-698f-4a65-b6db-859d207e2da6" x1="8.05" y1="11.32" x2="8.05" y2="1.26" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#0078d4" />
<stop offset="0.82" stop-color="#5ea0ef" />
</linearGradient>
<linearGradient id="bc54987f-34ba-4701-8ce4-6eca10aff9e9" x1="8.05" y1="15.21" x2="8.05" y2="11.32" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#1490df" />
<stop offset="0.98" stop-color="#1f56a3" />
</linearGradient>
<linearGradient id="a5434fd8-c18c-472c-be91-f2aa070858b7" x1="8.05" y1="7.87" x2="8.05" y2="4.94" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#d2ebff" />
<stop offset="1" stop-color="#f0fffd" />
</linearGradient>
</defs>
<title>Icon-intune-329</title>
<rect x="0.5" y="1.26" width="15.1" height="10.06" rx="0.5" fill="url(#aaede26b-698f-4a65-b6db-859d207e2da6)" />
<rect x="1.34" y="2.1" width="13.42" height="8.39" rx="0.28" fill="#fff" />
<path d="M11.08,14.37c-1.5-.23-1.56-1.31-1.55-3h-3c0,1.74-.06,2.82-1.55,3a.87.87,0,0,0-.74.84h7.54A.88.88,0,0,0,11.08,14.37Z" fill="url(#bc54987f-34ba-4701-8ce4-6eca10aff9e9)" />
<path d="M17.17,5.91H10.29a2.31,2.31,0,1,0,0,.92H11v9.58a.33.33,0,0,0,.33.33h5.83a.33.33,0,0,0,.33-.33V6.24A.33.33,0,0,0,17.17,5.91Z" fill="#32bedd" />
<rect x="11.62" y="6.82" width="5.27" height="8.7" rx="0.12" fill="#fff" />
<circle cx="8.05" cy="6.41" r="1.46" opacity="0.9" fill="url(#a5434fd8-c18c-472c-be91-f2aa070858b7)" />
<path d="M14.88,10.82,13.76,9.7a.06.06,0,0,0-.1.05v.68a.06.06,0,0,1-.06.06H11v.83H13.6a.06.06,0,0,1,.06.06v.69a.06.06,0,0,0,.1,0L14.88,11A.12.12,0,0,0,14.88,10.82Z" fill="#0078d4" />
</svg>
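Review bot: The `<title>Icon-intune-329</title>` element is an export artifact, and browsers expose an SVG title as the tooltip and accessible name of the image. Replace it with a meaningful title such as "Intune" or remove it; the same applies to the `MsPortalFx.base.images-10` and `Icon-general-18` titles in the other icons added by this commit.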

View File

@ -0,0 +1,20 @@
<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
<defs>
<linearGradient id="a24f9983-911f-4df7-920f-f964c8c10f82" x1="9" y1="15.834" x2="9" y2="5.788" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#32bedd" />
<stop offset="0.175" stop-color="#32caea" />
<stop offset="0.41" stop-color="#32d2f2" />
<stop offset="0.775" stop-color="#32d4f5" />
</linearGradient>
</defs>
<title>MsPortalFx.base.images-10</title>
<g id="a7ef0482-71f2-4b7e-b916-b1c754245bf1">
<g>
<path d="M.5,5.788h17a0,0,0,0,1,0,0v9.478a.568.568,0,0,1-.568.568H1.068A.568.568,0,0,1,.5,15.266V5.788A0,0,0,0,1,.5,5.788Z" fill="url(#a24f9983-911f-4df7-920f-f964c8c10f82)" />
<path d="M1.071,2.166H16.929a.568.568,0,0,1,.568.568V5.788a0,0,0,0,1,0,0H.5a0,0,0,0,1,0,0V2.734A.568.568,0,0,1,1.071,2.166Z" fill="#0078d4" />
<path d="M4.292,7.153h.523a.167.167,0,0,1,.167.167v3.858a.335.335,0,0,1-.335.335H4.125a0,0,0,0,1,0,0V7.321a.167.167,0,0,1,.167-.167Z" transform="translate(-5.271 5.967) rotate(-45.081)" fill="#f2f2f2" />
<path d="M4.32,9.647h.523a.167.167,0,0,1,.167.167v4.131a0,0,0,0,1,0,0H4.488a.335.335,0,0,1-.335-.335v-3.8a.167.167,0,0,1,.167-.167Z" transform="translate(-0.504 23.385) rotate(-135.081)" fill="#e6e6e6" />
<rect x="7.221" y="12.64" width="4.771" height="1.011" rx="0.291" fill="#f2f2f2" />
</g>
</g>
</svg>

View File

@ -0,0 +1,3 @@
<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
<path d="M1544 128q75 0 143 30t120 82 82 120 31 144v328q0 26-19 45t-45 19q-26 0-45-19t-19-45V507q0-50-20-95t-55-80-80-55-96-21H346q16 15 27 28t11 36q0 26-19 45t-45 19q-26 0-45-19L147 237q-19-19-19-45t19-45L275 19q19-19 45-19t45 19 19 45q0 23-11 36t-27 28h1198zm-57 896q0 24 22 43t50 39 50 46 23 63q0 21-12 51t-30 61-37 59-33 44q-31 37-79 37-20 0-42-8t-44-17-41-17-35-8q-15 0-24 6t-14 15-8 20-5 24l-17 91q-6 34-25 52t-45 27-55 10-57 2h-5q-27 0-58-1t-58-11-47-28-26-53l-20-116q-2-14-14-26t-28-12q-20 0-40 7t-42 17-43 17-43 8q-50 0-80-37-14-16-32-43t-35-59-29-61-12-52q0-39 22-64t50-45 49-38 23-43q0-25-22-43t-50-39-50-45-23-64q0-22 12-52t30-60 37-58 33-45q31-37 79-37 20 0 42 7t43 17 40 17 36 8q21 0 32-11t16-30 8-41 7-46 11-45 24-38q12-12 29-19t37-10 40-5 39-1h15q27 0 57 1t58 11 46 28 26 53l20 116q3 18 16 27t31 10q17 0 37-7t41-17 42-17 42-8q23 0 44 10t36 28q14 17 32 44t36 58 29 61 12 52q0 39-22 64t-50 45-49 38-23 43zm-128 0q0-37 12-64t31-50 45-42 52-42q-13-30-29-58t-36-54q-36 13-76 29t-80 16q-24 0-44-6t-42-18q-33-19-51-42t-27-51-13-59-11-67q-16-2-32-3t-33-1q-17 0-33 1t-32 3q-7 35-11 66t-14 58-28 52-51 43q-21 13-41 18t-45 6q-40 0-79-16t-76-30q-38 51-66 112 26 22 51 42t45 42 32 50 12 65q0 37-12 64t-31 50-45 42-52 42q13 30 29 58t36 54q35-13 74-29t79-16q32 0 61 10t52 30 39 46 22 58l17 99q17 2 32 3t33 1q17 0 33-1t33-3q5-30 9-59t13-57 24-52 43-43q23-15 48-23t53-9q18 0 38 5t40 12 39 15 37 14q38-51 66-112-26-22-51-42t-45-42-32-50-12-65zm-207 0q0 27-10 50t-27 40-41 28-50 10q-27 0-50-10t-41-27-27-40-10-51q0-27 10-50t27-40 41-28 50-10q26 0 49 10t41 27 28 41 10 50zm768 832q0 26-19 45l-128 128q-19 19-45 19t-45-19-19-45q0-23 11-36t27-28H504q-75 0-143-30t-120-82-82-120-31-144v-328q0-26 19-45t45-19q26 0 45 19t19 45v325q0 50 20 95t55 80 80 55 96 21h1195q-14-14-26-28t-12-36q0-26 19-45t45-19q26 0 45 19l128 128q19 19 19 45z" fill="#0078D4" />
</svg>

View File

@ -0,0 +1,22 @@
<svg id="b9b1f1bd-1131-4ac5-b607-ad500ee51398" data-name="fluent_icons" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="18" height="18" viewBox="0 0 18 18">
<defs>
<linearGradient id="b0b22e7a-bfc7-4dec-91e9-5f981ed97407" x1="8.55" y1="0.41" x2="8.48" y2="18.62" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#76bc2d" />
<stop offset="0.32" stop-color="#73b82c" />
<stop offset="0.65" stop-color="#6cab29" />
<stop offset="0.99" stop-color="#5e9724" />
<stop offset="1" stop-color="#5e9624" />
</linearGradient>
<linearGradient id="e827adc5-7c19-488a-9b2c-abb70d46ae5e" x1="14.75" y1="5.9" x2="14.75" y2="1.1" gradientTransform="translate(18.1 -11.21) rotate(90)" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#0078d4" />
<stop offset="0.17" stop-color="#1c84dc" />
<stop offset="0.38" stop-color="#3990e4" />
<stop offset="0.59" stop-color="#4d99ea" />
<stop offset="0.8" stop-color="#5a9eee" />
<stop offset="1" stop-color="#5ea0ef" />
</linearGradient>
</defs>
<title>Icon-general-18</title>
<path d="M6.27,13.29h4.49v4.49H6.27ZM1,3.43V7.3h4.5V2.81H1.65A.63.63,0,0,0,1,3.43ZM1,17.16a.63.63,0,0,0,.63.62H5.52V13.29H1Zm0-4.62h4.5V8.05H1Zm10.49,5.24h3.87a.62.62,0,0,0,.62-.62V13.29H11.51ZM6.27,12.54h4.49V8.05H6.27Zm5.24-4.49v4.49H16V8.05ZM6.27,7.3h4.49V2.81H6.27Z" fill="url(#b0b22e7a-bfc7-4dec-91e9-5f981ed97407)" />
<rect x="12.2" y="1.14" width="4.8" height="4.8" rx="0.25" transform="translate(5.14 15.21) rotate(-64.59)" fill="url(#e827adc5-7c19-488a-9b2c-abb70d46ae5e)" />
</svg>

View File

@ -0,0 +1,3 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 2048 2048" width="18" height="18" >
<path d="M0 0h961v961H0V0zm1087 0h961v961h-961V0zM0 1087h961v961H0v-961zm1087 0h961v961h-961v-961z" fill="#0078D4" />
</svg>

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -1,353 +1,153 @@
--- ---
title: Set up a shared or guest PC with Windows 10/11 title: Set up a shared or guest Windows device
description: Windows 10 and Windows has shared PC mode, which optimizes Windows client for shared use scenarios. description: Description of how to configured Shared PC mode, which is a Windows feature that optimizes devices for shared use scenarios.
ms.prod: w10 ms.date: 10/15/2022
author: lizgt2000 ms.prod: windows
ms.author: lizlong ms.technology: windows
ms.topic: article ms.topic: reference
ms.localizationpriority: medium ms.localizationpriority: medium
ms.reviewer: sybruckm author: paolomatarazzo
ms.author: paoloma
ms.reviewer:
manager: aaroncz manager: aaroncz
ms.collection: highpri ms.collection:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows 11 SE</b>
--- ---
# Set up a shared or guest PC with Windows 10/11 # Set up a shared or guest Windows device
**Shared PC** offers options to facilitate the management and optimization of shared devices. The customizations offered by Shared PC are listed in the following table.
**Applies to** | Area Name | Setting name and description|
|---|---|
|Shared PC mode | **EnableSharedPCMode** or **EnableSharedPCModeWithOneDriveSync**: when enabled, **Shared PC mode** is turned on and different settings are configured in the local group policy object (LGPO). For a detailed list of settings enabled by Shared PC Mode in the LGPO, see the [Shared PC technical reference](shared-pc-technical.md#enablesharedpcmode-and-enablesharedpcmodewithonedrivesync).<ul><li>This setting controls the API: [IsEnabled][UWP-1]</li></ul>|
| Account management | **EnableAccountManager**: when enabled, automatic account management is turned on. The following settings define the behavior of *account manager*: <ul><li> **DeletionPolicy**</li><li>**DiskLevelDeletion** </li><li>**DiskLevelCaching**</li><li>**InactiveThreshold**</li></ul>For more information, see the [Shared PC CSP documentation][WIN-3].<br><br>**AccountModel**: this option controls which types of users can sign-in to the device, and can be used to enable the Guest and Kiosk accounts. For more information, see the [Shared PC CSP documentation][WIN-3].<br><br>**KioskModeAUMID**: configures an application (referred as Application User Model ID - AUMID) to automatically execute when the kiosk account is used to sign in. A new account will be created and will use assigned access to only run the app specified by the AUMID. [Find the Application User Model ID of an installed app][WIN-7].<br><br>**KioskModeUserTileDisplayText**: sets the display text on the kiosk account if **KioskModeAUMID** has been set.|
| Advanced customizations | **SetEduPolicies**: when enabled, specific settings designed for education devices are configured in the LGPO. For a detailed list of settings enabled by SetEduPolicies in the LGPO, see [Shared PC technical reference](shared-pc-technical.md#setedupolicy).<ul><li>This setting controls the API: [IsEducationEnvironment][UWP-2]</li></ul><br>**SetPowerPolicies**: when enabled, different power settings optimized for shared devices are configured in the LGPO. For a detailed list of settings enabled by SetPowerPolicies in the LGPO, see [Shared PC technical reference](shared-pc-technical.md#setpowerpolicies).<br><br>**SleepTimeout**: specifies all timeouts for when the PC should sleep.<br><br>**SignInOnResume**: if enabled, specifies if the user is required to sign in with a password when the PC wakes from sleep.<br><br>**MaintenanceStartTime**: by default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update or Search indexing) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For a detailed list of settings enabled by MaintenanceStartTime, see [Shared PC technical reference](shared-pc-technical.md#maintenancestarttime).<br><br>**MaxPageFileSizeMB**: adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs.<br><br> **RestrictLocalStorage**: when enabled, users are prevented from saving or viewing local storage while using File Explorer.<ul><li>This setting controls the API: [ShouldAvoidLocalStorage][UWP-3]</li></ul>|
- Windows 10 ## Configure Shared PC
- Windows 11
Windows client has a *shared PC mode*, which optimizes Windows client for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows client Pro, Pro Education, Education, and Enterprise. Shared PC can be configured using the following methods:
> [!NOTE] - Microsoft Intune/MDM
> If you're interested in using Windows client for shared PCs in a school, see [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education. - Provisioning package (PPKG)
- PowerShell script
## Shared PC mode concepts Follow the instructions below to configure your devices, selecting the option that best suits your needs.
A Windows client PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen.
### Account models #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Guest** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used. Windows client has a **kiosk mode** account. Shared PC mode can be configured to enable a **Kiosk** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used to run a specified app in assigned access (kiosk) mode.
### Account management To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-2], and use the settings listed under the category **`Shared PC`**:
When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Guest** and **Kiosk** options. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. In Windows client, an inactive option is added which deletes accounts if they haven't signed in after a specified number of days.
### Maintenance and sleep :::image type="content" source="./images/shared-pc-intune.png" alt-text="Screenshot that shows the Shared PC policies in the Intune settings catalog." lightbox="./images/shared-pc-intune.png" border="True":::
Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not in use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options. Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods.
While shared PC mode does not configure Windows Update itself, it is strongly recommended to configure Windows Update to automatically install updates and reboot (if necessary) during maintenance hours. This will help ensure the PC is always up to date and not interrupting users with updates. Assign the policy to a security group that contains as members the devices or users that you want to configure.
Use one of the following methods to configure Windows Update: Alternatively, you can configure devices using a [custom policy][MEM-1] with the [SharedPC CSP][WIN-3].
- Group Policy: Set **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** to `4` and check **Install during automatic maintenance**. #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
- MDM: Set **Update/AllowAutoUpdate** to `4`.
- Provisioning: In Windows Imaging and Configuration Designer (ICD), set **Policies/Update/AllowAutoUpdate** to `4`.
[Learn more about the AllowAutoUpdate settings](/windows/client-management/mdm/policy-configuration-service-provider#Update_AllowAutoUpdate) To configure devices using a provisioning package, [create a provisioning package][WIN-1] using WCD, and use the settings listed under the category **`SharedPC`**:
### App behavior :::image type="content" source="./images/shared-pc-wcd.png" alt-text="Screenshot that shows the Shared PC policies in WCD." lightbox="./images/shared-pc-wcd.png" border="False":::
Apps can take advantage of shared PC mode with the following three APIs: For a list and description of CSP settings exposed in Windows Configuration Designer, see the [SharedPC WCD reference][WIN-4].
- [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings) - This informs apps when the PC has been configured for shared use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences. Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created.
- [ShouldAvoidLocalStorage](/uwp/api/windows.system.profile.sharedmodesettings) - This informs apps when the PC has been configured to not allow the user to save to the local storage of the PC. Instead, only cloud save locations should be offered by the app or saved automatically by the app.
- [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) - This informs apps when the PC is used in an education environment. Apps may want to handle diagnostic data differently or hide advertising functionality.
#### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell)
### Customization To configure devices using a PowerShell script, you can use the [MDM Bridge WMI Provider][WIN-6].
Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring Shared PC mode for Windows](#configuring-shared-pc-mode-for-windows). The options are listed in the following table.
| Setting | Value | > [!TIP]
|:---|:---| > PowerShell scripts can be executed as scheduled tasks via Group Policy.
| EnableSharedPCMode | Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings) </br></br>Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**. |
| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. <br/><br/>Specifying the guest option will add the **Guest** option to the sign-in screen and enable anonymous guest access to the PC. <br/><br/> - **Only guest** allows anyone to use the PC as a local standard (non-admin) account.<br/> - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.<br/>- **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. |
| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out. <br/><br/>- **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed. <br/><br/>Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign-off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. <br/>- **Delete at disk space threshold and inactive threshold** will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by **InactiveThreshold** |
| AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. |
| AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. |
| AccountManagement: InactiveThreshold | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that has not signed in will be deleted. |
| AccountManagement: EnableAccountManager | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. |
| AccountManagement: KioskModeAUMID | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign-in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. Note that the app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](/previous-versions/windows/embedded/dn449300(v=winembedded.82)) |
| AccountManagement: KioskModeUserTileDisplayText | Sets the display text on the kiosk account if **KioskModeAUMID** has been set. |
| Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. |
| Customization: MaxPageFileSizeMB | Adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs. |
| Customization: RestrictLocalStorage | Set as **True** to restrict the user from saving or viewing local storage when using File Explorer. This setting controls this API: [ShouldAvoidLocalStorage](/uwp/api/windows.system.profile.sharedmodesettings) |
| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. For more information, see [Windows client configuration recommendations for education customers](/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) |
| Customization: SetPowerPolicies | When set as **True**:<br/>- Prevents users from changing power settings<br/>- Turns off hibernate<br/>- Overrides all power state transitions to sleep (e.g. lid close) |
| Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. |
| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |
[Policies: Authentication](wcd/wcd-policies.md#authentication) (optional related setting) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts.
## Configuring Shared PC mode for Windows > [!IMPORTANT]
> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account.
>
> To test a PowerShell script, you can:
> 1. [Download the psexec tool](/sysinternals/downloads/psexec)
> 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
> 1. Run the script in the PowerShell session
You can configure Windows to be in shared PC mode in a couple different ways: Edit the following sample PowerShell script to customize the settings that you want to configure:
```powershell
$namespaceName = "root\cimv2\mdm\dmmap"
$parentID="./Vendor/MSFT/Policy/Config"
$className = "MDM_SharedPC"
$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className
if (-not ($cimObject)) {
$cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
}
$cimObject.EnableSharedPCMode = $True
$cimObject.SetEduPolicies = $True
$cimObject.SetPowerPolicies = $True
$cimObject.MaintenanceStartTime = 0
$cimObject.SignInOnResume = $True
$cimObject.SleepTimeout = 0
$cimObject.EnableAccountManager = $True
$cimObject.AccountModel = 2
$cimObject.DeletionPolicy = 1
$cimObject.DiskLevelDeletion = 25
$cimObject.DiskLevelCaching = 50
$cimObject.RestrictLocalStorage = $False
$cimObject.KioskModeAUMID = ""
$cimObject.KioskModeUserTileDisplayText = ""
$cimObject.InactiveThreshold = 0
Set-CimInstance -CimInstance $cimObject
```
- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To set up a shared device policy for Windows client in Intune, complete the following steps: For more information, see [Using PowerShell scripting with the WMI Bridge Provider][WIN-5].
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). ---
2. Select **Devices** > **Windows** > **Configuration profiles** > **Create profile**.
3. Enter the following properties:
- **Platform**: Select **Windows 10 and later**.
- **Profile**: Select **Templates** > **Shared multi-user device**.
4. Select **Create**.
5. In **Basics**, enter the following properties:
- **Name**: Enter a descriptive name for the new profile.
- **Description**: Enter a description for the profile. This setting is optional, but recommended.
6. Select **Next**.
7. In **Configuration settings**, depending on the platform you chose, the settings you can configure are different. Choose your platform for detailed settings:
8. On the **Configuration settings** page, set the Shared PC Mode value to **Enabled**.
> [!div class="mx-imgBorder"]
> ![Shared PC mode in the Configuration settings page.](images/shared_pc_3.png)
11. From this point on, you can configure any additional settings youd like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**.
- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows client that's already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**.
![Shared PC settings in ICD.](images/icd-adv-shared-pc.png)
- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the [MDM_SharedPC class](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:
```powershell
$sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
$sharedPC.EnableSharedPCMode = $True
$sharedPC.SetEduPolicies = $True
$sharedPC.SetPowerPolicies = $True
$sharedPC.MaintenanceStartTime = 0
$sharedPC.SignInOnResume = $True
$sharedPC.SleepTimeout = 0
$sharedPC.EnableAccountManager = $True
$sharedPC.AccountModel = 2
$sharedPC.DeletionPolicy = 1
$sharedPC.DiskLevelDeletion = 25
$sharedPC.DiskLevelCaching = 50
$sharedPC.RestrictLocalStorage = $False
$sharedPC.KioskModeAUMID = ""
$sharedPC.KioskModeUserTileDisplayText = ""
$sharedPC.InactiveThreshold = 0
Set-CimInstance -CimInstance $sharedPC
Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC
```
### Create a provisioning package for shared use
1. [Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md)
2. Open Windows Configuration Designer.
3. On the **Start page**, select **Advanced provisioning**.
4. Enter a name and (optionally) a description for the project, and click **Next**.
5. Select **All Windows desktop editions**, and click **Next**.
6. Click **Finish**. Your project opens in Windows Configuration Designer.
7. Go to **Runtime settings** > **SharedPC**. [Select the desired settings for shared PC mode.](#customization)
8. On the **File** menu, select **Save.**
9. On the **Export** menu, select **Provisioning package**.
10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
11. Set a value for **Package Version**.
> [!TIP]
> You can make changes to existing packages and change the version number to update previously applied packages.
12. (*Optional*) In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
> [!IMPORTANT]
> We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
13. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
14. Click **Next**.
15. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
16. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
17. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
- Shared network folder
- SharePoint site
- Removable media (USB/SD) (select this option to apply to a PC during initial setup)
### Apply the provisioning package
Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). For more information, see [Apply a provisioning package](./provisioning-packages/provisioning-apply-package.md).
> [!NOTE]
> If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost.
## Guidance for accounts on shared PCs ## Guidance for accounts on shared PCs
* We recommend no local admin accounts on the PC to improve the reliability and security of the PC. - When a device is configured in *shared PC mode* with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out.
* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign-out. - Local accounts that already exist on a PC won't be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new guest accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign out. To set a general policy on all local accounts, you can configure the following local Group Policy setting: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles**: **Delete User Profiles Older Than A Specified Number Of Days On System Restart**.
* On a Windows PC joined to Azure Active Directory:
* By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
* With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
* Local accounts that already exist on a PC wont be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new guest accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign-out. To set a general policy on all local accounts, you can configure the following local Group Policy setting: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles**: **Delete User Profiles Older Than A Specified Number Of Days On System Restart**. - The account management service supports accounts that are exempt from deletion. An account can be marked exempt from deletion by adding the account SID to the registry key: `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`. To add the account SID to the registry key using PowerShell, use the following example as a reference:
* If admin accounts are necessary on the PC
* Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or
* Create admin accounts before setting up shared PC mode, or
* Create exempt accounts before signing out when turning shared pc mode on.
* The account management service supports accounts that are exempt from deletion.
* An account can be marked exempt from deletion by adding the account SID to the registry key: `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`.
* To add the account SID to the registry key using PowerShell:
```powershell ```powershell
$adminName = "LocalAdmin" $adminName = "LocalAdmin"
$adminPass = 'Pa$$word123' $adminPass = 'Pa$$word123'
iex "net user /add $adminName $adminPass" invoke-expression "net user /add $adminName $adminPass"
$user = New-Object System.Security.Principal.NTAccount($adminName) $user = New-Object System.Security.Principal.NTAccount($adminName)
$sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) $sid = $user.Translate([System.Security.Principal.SecurityIdentifier])
$sid = $sid.Value; $sid = $sid.Value;
New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force
``` ```
## Policies set by shared PC mode ## Troubleshooting Shared PC
Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options. To troubleshoot Shared PC, you can use the following tools:
- Check the log `C:\Windows\SharedPCSetup.log`
- Check the registry keys under `HKLM\Software\Microsoft\Windows\CurrentVersion\SharedPC`
- `AccountManagement` key contains settings on how profiles are managed
- `NodeValues` contains what values are set for the features managed by Shared PC
> [!IMPORTANT] ## Technical reference
> It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required.
### Admin Templates > Control Panel > Personalization - For a list of settings configured by the different options offered by Shared PC mode, see the [Shared PC technical reference](shared-pc-technical.md).
- For a list of settings exposed by the SharedPC configuration service provider, see [SharedPC CSP][WIN-3].
- For a list of settings exposed by Windows Configuration Designer, see [SharedPC CSP][WIN-4].
|Policy Name| Value|When set?| -----------
|--- |--- |--- |
|Prevent enabling lock screen slide show|Enabled|Always|
|Prevent changing lock screen and logon image|Enabled|Always|
### Admin Templates > System > Power Management > Button Settings [WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
[WIN-3]: /windows/client-management/mdm/sharedpc-csp
[WIN-4]: /windows/configuration/wcd/wcd-sharedpc
[WIN-5]: /windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider
[WIN-6]: /windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal
[WIN-7]: /previous-versions/windows/embedded/dn449300(v=winembedded.82)
|Policy Name| Value|When set?| [MEM-1]: /mem/intune/configuration/custom-settings-windows-10
|--- |--- |--- | [MEM-2]: /mem/intune/configuration/settings-catalog
|Select the Power button action (plugged in)|Sleep|SetPowerPolicies=True|
|Select the Power button action (on battery)|Sleep|SetPowerPolicies=True|
|Select the Sleep button action (plugged in)|Sleep|SetPowerPolicies=True|
|Select the lid switch action (plugged in)|Sleep|SetPowerPolicies=True|
|Select the lid switch action (on battery)|Sleep|SetPowerPolicies=True|
### Admin Templates > System > Power Management > Sleep Settings [UWP-1]: /uwp/api/windows.system.profile.sharedmodesettings
[UWP-2]: /uwp/api/windows.system.profile.educationsettings
|Policy Name| Value|When set?| [UWP-3]: /uwp/api/windows.system.profile.sharedmodesettings.shouldavoidlocalstorage
|--- |--- |--- |
|Require a password when a computer wakes (plugged in)|Enabled|SignInOnResume=True|
|Require a password when a computer wakes (on battery)|Enabled|SignInOnResume=True|
|Specify the system sleep timeout (plugged in)|*SleepTimeout*|SetPowerPolicies=True|
|Specify the system sleep timeout (on battery)|*SleepTimeout*|SetPowerPolicies=True|
|Turn off hybrid sleep (plugged in)|Enabled|SetPowerPolicies=True|
|Turn off hybrid sleep (on battery)|Enabled|SetPowerPolicies=True|
|Specify the unattended sleep timeout (plugged in)|*SleepTimeout*|SetPowerPolicies=True|
|Specify the unattended sleep timeout (on battery)|*SleepTimeout*|SetPowerPolicies=True|
|Allow standby states (S1-S3) when sleeping (plugged in)|Enabled|SetPowerPolicies=True|
|Allow standby states (S1-S3) when sleeping (on battery)|Enabled |SetPowerPolicies=True|
|Specify the system hibernate timeout (plugged in)|Enabled, 0|SetPowerPolicies=True|
|Specify the system hibernate timeout (on battery)|Enabled, 0|SetPowerPolicies=True|
### Admin Templates>System>Power Management>Video and Display Settings
|Policy Name| Value|When set?|
|--- |--- |--- |
|Turn off the display (plugged in)|*SleepTimeout*|SetPowerPolicies=True|
|Turn off the display (on battery|*SleepTimeout*|SetPowerPolicies=True|
### Admin Templates>System>Power Management>Energy Saver Settings
|Policy Name| Value|When set?|
|--- |--- |--- |
|Energy Saver Battery Threshold (on battery)|70|SetPowerPolicies=True|
### Admin Templates>System>Logon
|Policy Name| Value|When set?|
|--- |--- |--- |
|Show first sign-in animation|Disabled|Always|
|Hide entry points for Fast User Switching|Enabled|Always|
|Turn on convenience PIN sign-in|Disabled|Always|
|Turn off picture password sign-in|Enabled|Always|
|Turn off app notification on the lock screen|Enabled|Always|
|Allow users to select when a password is required when resuming from connected standby|Disabled|SignInOnResume=True|
|Block user from showing account details on sign-in|Enabled|Always|
### Admin Templates>System>User Profiles
|Policy Name| Value|When set?|
|--- |--- |--- |
|Turn off the advertising ID|Enabled|SetEduPolicies=True|
### Admin Templates>Windows Components
|Policy Name| Value|When set?|
|--- |--- |--- |
|Do not show Windows Tips |Enabled|SetEduPolicies=True|
|Turn off Microsoft consumer experiences |Enabled|SetEduPolicies=True|
|Microsoft Passport for Work|Disabled|Always|
|Prevent the usage of OneDrive for file storage|Enabled|Always|
### Admin Templates>Windows Components>Biometrics
|Policy Name| Value|When set?|
|--- |--- |--- |
|Allow the use of biometrics|Disabled|Always|
|Allow users to log on using biometrics|Disabled|Always|
|Allow domain users to log on using biometrics|Disabled|Always|
### Admin Templates>Windows Components>Data Collection and Preview Builds
|Policy Name| Value|When set?|
|--- |--- |--- |
|Toggle user control over Insider builds|Disabled|Always|
|Disable pre-release features or settings|Disabled|Always|
|Do not show feedback notifications|Enabled|Always|
|Allow Telemetry|Basic, 0|SetEduPolicies=True|
### Admin Templates>Windows Components>File Explorer
|Policy Name| Value|When set?|
|--- |--- |--- |
|Show lock in the user tile menu|Disabled|Always|
### Admin Templates>Windows Components>Maintenance Scheduler
|Policy Name| Value|When set?|
|--- |--- |--- |
|Automatic Maintenance Activation Boundary|*MaintenanceStartTime*|Always|
|Automatic Maintenance Random Delay|Enabled, 2 hours|Always|
|Automatic Maintenance WakeUp Policy|Enabled|Always|
### Admin Templates>Windows Components>Windows Hello for Business
|Policy Name| Value|When set?|
|--- |--- |--- |
|Use phone sign-in|Disabled|Always|
|Use Windows Hello for Business|Disabled|Always|
|Use biometrics|Disabled|Always|
### Admin Templates>Windows Components>OneDrive
|Policy Name| Value|When set?|
|--- |--- |--- |
|Prevent the usage of OneDrive for file storage|Enabled|Always|
### Windows Settings>Security Settings>Local Policies>Security Options
|Policy Name| Value|When set?|
|--- |--- |--- |
|Interactive logon: Do not display last user name|Enabled, Disabled when account model is only guest|Always|
|Interactive logon: Sign-in last interactive user automatically after a system-initiated restart|Disabled |Always|
|Shutdown: Allow system to be shut down without having to log on|Disabled|Always|
|User Account Control: Behavior of the elevation prompt for standard users|Auto deny|Always|
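Review bot: In the new sample script, the `New-CimInstance` fallback passes `InstanceID=$instance`, but `$instance` is never assigned anywhere in the script, so on a device where `Get-CimInstance` returns nothing the instance is created with a null InstanceID. Assign `$instance` next to `$namespaceName` and `$parentID`, or drop the fallback branch if it is not meant to be used. Two smaller points in the same hunk: the rewritten exemption bullet still gives the key as `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\...`, which does not match the `HKLM:\Software\...` path the script below it writes to and should read `SOFTWARE`; and the exemption sample keeps an inline password literal (`'Pa$$word123'`) that is interpolated into a `net user /add` string and run through `invoke-expression`, so it would be worth telling readers to replace the value, or switching the sample to `New-LocalUser` with a `SecureString` so the password is not part of a command line.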

View File

@ -0,0 +1,74 @@
---
title: Manage multi-user and guest Windows devices
description: options to optimize Windows devices used in shared scenarios, such touchdown spaces in an enterprise, temporary customer use in retail or shared devices in a school.
ms.date: 10/15/2022
ms.prod: windows
ms.technology: windows
ms.topic: conceptual
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer:
manager: aaroncz
ms.collection:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows 11 SE</b>
---
# Manage multi-user and guest Windows devices with Shared PC
Windows allows multiple users to sign in and use the same device, which is useful in scenarios like touchdown spaces in an enterprise, temporary customer use in retail or shared devices in a school.
As more users access the same device, more resources on the devices are used. This can lead to performance issues and a degraded user experience.
To optimize multi-user and guest devices, Windows provides options through a feature called *Shared PC*. These settings are designed to improve the experience for all users on the device, and to reduce the administrative overhead caused by the maintenance of multiple user profiles.
This article describes the different options available in Shared PC.
## Shared PC mode
A Windows device enabled for *Shared PC mode* is designed to be maintenance-free with high reliability. Devices configured in Shared PC mode have different settings designed to improve the experience for all users accessing a shared device.
## Account management
When *Account management* is configured, user profiles are automatically deleted to free up disk space and resources. Account management is performed both at sign-out time and during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out, based on disk space thresholds, or based on inactivity thresholds.
> [!IMPORTANT]
> Shared PC is designed to take advantage of maintenance time periods, which run while the device is not in use. Therefore, devices should be put to **sleep** instead of shut down, so that they can wake up to perform maintenance tasks.
> [!TIP]
> While Shared PC does not configure the Windows Update client, it is recommended to configure Windows Update to automatically install updates and reboot during maintenance hours. This will help ensure the device is always up to date without interrupting users when the device is in use.
### Account models
Shared PC offers the possibility to enable a **Guest** option on the sign-in screen. The Guest option doesn't require any user credentials or authentication, and creates a new local account each time it's used with access to the desktop. A **Guest button** is shown on the sign-in screen that a user can select.
:::image type="content" source="./images/sharedpc-guest-win11.png" alt-text="Windows 11 sign-in screen with Guest option enabled." border="True":::
Shared PC also offers a **Kiosk** mode, which automatically executes a specific application when the kiosk account signs-in. This is useful in scenarios where the device is accessed for a specific purpose, such as test taking in a school.
:::image type="content" source="./images/sharedpc-kiosk-win11se.png" alt-text="Windows 11 sign-in screen with Guest and Kiosk options enabled." border="True":::
## Advanced customizations
Shared PC offers advanced customizations for shared devices, such as specific settings for education devices, low end devices, and more.
Shared devices require special considerations regarding power settings. Shared PC makes it easy to configure power settings for shared devices. The power settings are configured in the local group policy object (LGPO).
> [!NOTE]
> For devices without Advanced Configuration and Power Interface (ACPI) wake alarms, Shared PC will override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods.
## Additional information
- To learn how to configure Shared PC, see [Set up a shared or guest Windows device](set-up-shared-or-guest-pc.md).
- For a list of settings configured by the different options offered by Shared PC, see the [Shared PC technical reference](shared-pc-technical.md).
- For a list of settings exposed by the SharedPC configuration service provider, see [SharedPC CSP][WIN-3].
- For a list of settings exposed by Windows Configuration Designer, see [SharedPC CSP][WIN-4].
-----------
[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
[WIN-3]: /windows/client-management/mdm/sharedpc-csp
[WIN-4]: /windows/configuration/wcd/wcd-sharedpc
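Review bot: The last bullet under "Additional information" labels the Windows Configuration Designer link as `[SharedPC CSP][WIN-4]`, the same label as the bullet above it, although `WIN-4` resolves to `/windows/configuration/wcd/wcd-sharedpc`; give it a label that names the Windows Configuration Designer reference so the two links can be told apart. In the front matter, `description:` starts in lowercase and reads "such touchdown spaces" (missing "as"), and `[WIN-1]` and `[WIN-2]` are defined at the bottom but never referenced in this file, so they can be removed. "when the kiosk account signs-in" should be "signs in".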

View File

@ -19,11 +19,16 @@ appliesto:
# Shared PC technical reference # Shared PC technical reference
## Local group policy settings list This article details the settings configured by the different options of Shared PC.
The different options offered by Shared PC configure the local group policy object (LGPO) with different settings. The following tables list the settings configured by each Shared PC option. > [!IMPORTANT]
> The behavior of some options have changed over time. This article describes the current settings applied by Shared PC.
## EnableSharedPCMode ## EnableSharedPCMode and EnableSharedPCModeWithOneDriveSync
EnableSharedPCMode and EnableSharedPCModeWithOneDriveSync are the two policies that enable **Shared PC mode**. The only difference between the two is that EnableSharedPCModeWithOneDriveSync enables OneDrive synchronization, while EnableSharedPCMode disables it.
When enabling Shared PC mode, the following settings in the local GPO are configured:
| Policy setting | Status | | Policy setting | Status |
|--|--| |--|--|
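Review bot: The added IMPORTANT callout has a subject-verb mismatch in "The behavior of some options have changed over time"; it should read "has changed". Since the article now documents only the current behavior, the callout would help readers more if it named which options changed, or pointed to where the earlier behavior is described.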
@ -41,11 +46,12 @@ The different options offered by Shared PC configure the local group policy obje
| Windows Components/Biometrics/Allow the use of biometrics | Disabled | | Windows Components/Biometrics/Allow the use of biometrics | Disabled |
| Windows Components/Biometrics/Allow users to log on using biometrics | Disabled | | Windows Components/Biometrics/Allow users to log on using biometrics | Disabled |
| Windows Components/Biometrics/Allow domain users to log on using biometrics | Disabled | | Windows Components/Biometrics/Allow domain users to log on using biometrics | Disabled |
| Windows Components/Data Collection and Preview Builds/Disable pre-release features or settings | Disabled (all experimentations are turned off) |
| Windows Components/Data Collection and Preview Builds/Do not show feedback notifications | Enabled | | Windows Components/Data Collection and Preview Builds/Do not show feedback notifications | Enabled |
| Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds | Disabled | | Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds | Disabled |
| Windows Components/File Explorer/Show lock in the user tile menu | Disabled | | Windows Components/File Explorer/Show lock in the user tile menu | Disabled |
| Windows Components/File History/Turn off File History | Enabled | | Windows Components/File History/Turn off File History | Enabled |
| Windows Components/OneDrive/Prevent the usage of OneDrive for file storage | Enabled | | Windows Components/OneDrive/Prevent the usage of OneDrive for file storage |**Enabled** if using EnableSharedPCMode<br><br>**Disabled** is using EnableSharedPCModeWithOneDriveSync |
| Windows Components/Windows Hello for Business/Use biometrics | Disabled | | Windows Components/Windows Hello for Business/Use biometrics | Disabled |
| Windows Components/Windows Hello for Business/Use Windows Hello for Business | Disabled | | Windows Components/Windows Hello for Business/Use Windows Hello for Business | Disabled |
| Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled | | Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled |
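Review bot: The rewritten OneDrive row has a typo that changes how the cell reads: "**Disabled** is using EnableSharedPCModeWithOneDriveSync" should be "**Disabled** if using EnableSharedPCModeWithOneDriveSync", matching the "**Enabled** if using" half of the same cell. The cell is also missing the space after the column pipe (`|**Enabled**`), unlike every other row in the table.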
@ -53,14 +59,13 @@ The different options offered by Shared PC configure the local group policy obje
| Extra registry setting | Status | | Extra registry setting | Status |
|-------------------------------------------------------------------------------------------------------------------|----------| |-------------------------------------------------------------------------------------------------------------------|----------|
| Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0 | | Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0 |
| Software\Policies\Microsoft\Windows\PreviewBuilds\EnableConfigFlighting (Disable pre-release features or settings) | 0 |
| Software\Policies\Microsoft\Windows\PreviewBuilds\AllowBuildPreview () | 0 | | Software\Policies\Microsoft\Windows\PreviewBuilds\AllowBuildPreview () | 0 |
## SetEDUPolicy ## SetEDUPolicy
SetEDUPolicy configures the following settings: By enabling SetEDUPolicy, the following settings in the local GPO are configured:
| LGPO setting | Status | | Policy setting | Status |
|--|--| |--|--|
| System/User Profiles/Turn off the advertising ID | Enabled | | System/User Profiles/Turn off the advertising ID | Enabled |
| Windows Components/Cloud Content/Do not show Windows tips | Enabled | | Windows Components/Cloud Content/Do not show Windows tips | Enabled |
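Review bot: The surviving `PreviewBuilds\AllowBuildPreview ()` row still carries empty parentheses where the other registry rows give the friendly policy name. Since the neighbouring EnableConfigFlighting row is being removed here, either fill in the policy name for AllowBuildPreview or drop the parentheses so the row does not look unfinished.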
@ -68,68 +73,58 @@ SetEDUPolicy configures the following settings:
## SetPowerPolicies ## SetPowerPolicies
SetPowerPolicies configures the following settings: By enabling SetPowerPolicies, the following settings in the local GPO are configured:
| LGPO setting | Status | | Policy setting | Status|
|--|--| |--|--|
| System/Power Management/Button Settings/Select the lid switch action (on battery) | Enabled --> Sleep | | System/Power Management/Button Settings/Select the lid switch action (on battery) | Enabled > Sleep |
| System/Power Management/Button Settings/Select the lid switch action (plugged in) | Enabled --> Sleep | | System/Power Management/Button Settings/Select the lid switch action (plugged in) | Enabled > Sleep |
| System/Power Management/Button Settings/Select the Power button action (on battery) | Enabled --> Sleep | | System/Power Management/Button Settings/Select the Power button action (on battery) | Enabled > Sleep |
| System/Power Management/Button Settings/Select the Power button action (plugged in) | Enabled --> Sleep | | System/Power Management/Button Settings/Select the Power button action (plugged in) | Enabled > Sleep |
| System/Power Management/Button Settings/Select the Sleep button action (on battery) | Enabled --> Sleep | | System/Power Management/Button Settings/Select the Sleep button action (on battery) | Enabled > Sleep |
| System/Power Management/Button Settings/Select the Sleep button action (plugged in) | Enabled --> Sleep | | System/Power Management/Button Settings/Select the Sleep button action (plugged in) | Enabled > Sleep |
| System/Power Management/Energy Saver Settings/Energy Saver Battery Threshold (on battery) | Enabled --> 70% | | System/Power Management/Energy Saver Settings/Energy Saver Battery Threshold (on battery) | Enabled > 70% |
| System/Power Management/Sleep Settings/Allow standby states (S1-S3) when sleeping (on battery) | Enabled | | System/Power Management/Sleep Settings/Allow standby states (S1-S3) when sleeping (on battery) | Enabled |
| System/Power Management/Sleep Settings/Allow standby states (S1-S3) when sleeping (plugged in) | Enabled | | System/Power Management/Sleep Settings/Allow standby states (S1-S3) when sleeping (plugged in) | Enabled |
| System/Power Management/Sleep Settings/Specify the system hibernate timeout (on battery) | 0 (Disables hibernation) | | System/Power Management/Sleep Settings/Specify the system hibernate timeout (on battery) | 0 (Hibernation disabled) |
| System/Power Management/Sleep Settings/Specify the system hibernate timeout (plugged in) | 0 (Disables hibernation) | | System/Power Management/Sleep Settings/Specify the system hibernate timeout (plugged in) | 0 (Hibernation disabled) |
| System/Power Management/Sleep Settings/Turn off hybrid sleep (on battery) | Enabled | | System/Power Management/Sleep Settings/Turn off hybrid sleep (on battery) | Enabled |
| System/Power Management/Sleep Settings/Turn off hybrid sleep (plugged in) | Enabled | | System/Power Management/Sleep Settings/Turn off hybrid sleep (plugged in) | Enabled |
## MaintenanceStartTime
By enabling MaintenanceStartTime, the following settings in the local GPO are configured:
| Policy setting | Status|
|--------------------------------------------------------------------------------------|--------------------------------|
| Windows Components/Maintenance Scheduler/Automatic Maintenance Activation Boundary | 2000-01-01T00:00:00 (midnight) |
| Windows Components/Maintenance Scheduler/Automatic Maintenance Random Delay | Enabled PT2H (2 hours) |
| Windows Components/Maintenance Scheduler/Automatic Maintenance WakeUp Policy | Enabled |
## SignInOnResume ## SignInOnResume
SignInOnResume configures the following settings: By enabling SignInOnResume, the following settings in the local GPO are configured:
| LGPO setting | Status | | Policy setting | Status|
|--|--| |--|--|
| System/Logon/Allow users to select when a password is required when resuming from connected standby | Disabled | | System/Logon/Allow users to select when a password is required when resuming from connected standby | Disabled |
| System/Power Management/Sleep Settings/Require a password when a computer wakes (on battery) | Enabled | | System/Power Management/Sleep Settings/Require a password when a computer wakes (on battery) | Enabled |
| System/Power Management/Sleep Settings/Require a password when a computer wakes (plugged in) | Enabled | | System/Power Management/Sleep Settings/Require a password when a computer wakes (plugged in) | Enabled |
## MaintenanceStartTime ## EnableAccountManager
| Policy setting | Status | By enabling Enableaccountmanager, the following schedule task is turned on: `\Microsoft\Windows\SharedPC\Account Cleanup`.
|--------------------------------------------------------------------------------------|--------------------------------|
| Windows Components/Maintenance Scheduler/Automatic Maintenance Activation Boundary | 2000-01-01T00:00:00 (midnight) |
| Windows Components/Maintenance Scheduler/Automatic Maintenance Random Delay | Enabled PT2H |
| Windows Components/Maintenance Scheduler/Automatic Maintenance WakeUp Policy | Enabled |
## Enableaccountmanager ## Shared PC APIs and app behavior
Enables scheduled task: Applications can take advantage of Shared PC mode with the following three APIs:
\Microsoft\Windows\SharedPC\,"Account Cleanup"
[SharedModeSettings.ShouldAvoidLocalStorage Property](/uwp/api/windows.system.profile.sharedmodesettings.shouldavoidlocalstorage) - [**IsEnabled**][API-1] - This API informs applications when the device is configured for shared use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences.
- [**ShouldAvoidLocalStorage**][API-2] - This API informs applications when the PC has been configured to not allow the user to save to the local storage of the PC. Instead, only cloud save locations should be offered by the app or saved automatically by the app.
- [**IsEducationEnvironment**][API-3] - This API informs applications when the PC is used in an education environment. Apps may want to handle diagnostic data differently or hide advertising functionality.
Account Model has been set to not configured --> no GPO changes --> removes Guest from login screen -----------
Restrict Local Storage has been set to not configured --> no GPO changes
removed all diskleveldeletion, threshold --> no GPO changes
[API-1]: /uwp/api/windows.system.profile.sharedmodesettings.isenabled
[API-2]: /uwp/api/windows.system.profile.sharedmodesettings.shouldavoidlocalstorage
[API-3]: /uwp/api/windows.system.profile.educationsettings
##### to check
### Windows Settings>Security Settings>Local Policies>Security Options
|Policy Name| Value|When set?|
|--- |--- |--- |
|Interactive logon: Do not display last user name|Enabled, Disabled when account model is only guest|Always|
|Interactive logon: Sign-in last interactive user automatically after a system-initiated restart|Disabled |Always|
|Shutdown: Allow system to be shut down without having to log on|Disabled|Always|
|User Account Control: Behavior of the elevation prompt for standard users|Auto deny|Always|
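Review bot: The "to check" block removed at the end of this hunk listed Security Options values (do not display last user name, no automatic sign-in after restart, no shutdown without logon, UAC elevation prompt set to auto deny for standard users), and the new text does not say whether Shared PC still applies them. Please confirm and either document them in a proper section or state that they are no longer set, because readers hardening shared devices rely on this list. Separately, the new sentence uses "Enableaccountmanager" under an "EnableAccountManager" heading and says "schedule task" where "scheduled task" is meant.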

View File

@ -1,6 +1,6 @@
--- ---
title: SharedPC (Windows 10) title: SharedPC
description: This section describes the SharedPC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. description: This section describes the SharedPC settings that you can configure in provisioning packages for Windows using Windows Configuration Designer.
ms.prod: w10 ms.prod: w10
author: aczechowski author: aczechowski
ms.localizationpriority: medium ms.localizationpriority: medium
@ -13,8 +13,7 @@ manager: dougeby
# SharedPC (Windows Configuration Designer reference) # SharedPC (Windows Configuration Designer reference)
Use SharedPC settings to optimize Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. Use SharedPC settings to optimize Windows devices for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail.
## Applies to ## Applies to
@ -37,16 +36,18 @@ Use these settings to configure settings for accounts allowed on the shared PC.
| KioskModeAUMID | String | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. The app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](/previous-versions/windows/embedded/dn449300(v=winembedded.82)) | | KioskModeAUMID | String | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. The app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](/previous-versions/windows/embedded/dn449300(v=winembedded.82)) |
| KioskModeUserTileDisplayText | String | Sets the display text on the kiosk account if **KioskModeAUMID** has been set. | | KioskModeUserTileDisplayText | String | Sets the display text on the kiosk account if **KioskModeAUMID** has been set. |
## EnableSharedPCMode ## EnableSharedPCMode
Set as **True**. When set to **False**, shared PC mode isn't turned on and none of the other settings apply. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings). Set as **True** to enable **Shared PC Mode**. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings).
## EnableSharedPCModeWithOneDriveSync
Set as **True** to enable **Shared PC Mode**. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings).
Some of the remaining settings in SharedPC are optional, but we strongly recommend that you also set **EnableAccountManager** to **True**.
## PolicyCustomization ## PolicyCustomization
Use these settings to configure policies for shared PC mode. Use these settings to configure additional Shared PC policies.
| Setting | Value | Description | | Setting | Value | Description |
| --- | --- | --- | | --- | --- | --- |
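Review bot: The new EnableSharedPCModeWithOneDriveSync section repeats the EnableSharedPCMode sentence word for word, so this reference page never says how the two settings differ (OneDrive sync on or off) or what happens if both are set. The rewrite of EnableSharedPCMode also drops "When set to **False**, shared PC mode isn't turned on and none of the other settings apply", which was the only statement of the dependency between this switch and the rest of SharedPC. Suggest keeping that sentence and adding one line on the OneDrive difference.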

View File

@ -192,21 +192,28 @@ Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destinatio
Write-Output "$(Get-TS): Mounting WinRE" Write-Output "$(Get-TS): Mounting WinRE"
Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update # Add servicing stack update (Step 1 from the table)
# Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
# This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update. # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
# cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
# Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined
# cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
# cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
# combined cumulative update can be installed.
# Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month) # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
# There is a known issue where the servicing stack update is installed, but the cumulative update will fail. # Write-Output "$(Get-TS): Adding package $SSU_PATH"
# This error should be caught and ignored, as the last step will be to apply the cumulative update # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
# (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
Write-Output "$(Get-TS): Adding package $SSU_PATH" # Now, attempt the combined cumulative update.
# There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should
# be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct
# packages installed.
try try
{ {
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null
} }
Catch Catch
{ {
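Review bot: The try block now installs `$LCU_PATH` into WinRE, but the `Write-Output "$(Get-TS): Adding package $SSU_PATH"` line that preceded it was deleted rather than changed to `$LCU_PATH`, so the script log has no entry for this package. The main OS section of the same script does log the LCU; add the matching Write-Output before the try. The new comment block also has "seperately" (separately) and "there may breaking change" (there may be a breaking change).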
@ -221,6 +228,13 @@ Catch
} }
} }
# The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
# update. This second approach is commented out below.
# Write-Output "$(Get-TS): Adding package $SSU_PATH"
# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
# #
# Optional: Add the language to recovery environment # Optional: Add the language to recovery environment
# #
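Review bot: The "second approach" comment tells readers to install the standalone SSU but does not say that the `$LCU_PATH` try block above must be commented out when they do, so uncommenting these two lines as written leaves both approaches active. State explicitly which lines to enable and which to disable for each approach. The two commented lines are also identical to the commented-out "rare case" SSU lines earlier in this step, which makes it hard to tell the cases apart; "seperate" should be "separate".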
@ -301,21 +315,28 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
Write-Output "$(Get-TS): Mounting WinPE" Write-Output "$(Get-TS): Mounting WinPE"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Add SSU # Add servicing stack update (Step 9 from the table)
# Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
# This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update. # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
# cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
# Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined
# cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
# cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
# combined cumulative update can be installed.
# Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month) # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
# Write-Output "$(Get-TS): Adding package $SSU_PATH"
# Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
# Now, attempt the combined cumulative update.
# There is a known issue where the servicing stack update is installed, but the cumulative update will fail. # There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
# This error should be caught and ignored, as the last step will be to apply the cumulative update # This error should be caught and ignored, as the last step will be to apply the cumulative update
# (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed. # (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
Write-Output "$(Get-TS): Adding package $SSU_PATH"
try try
{ {
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH | Out-Null
} }
Catch Catch
{ {
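Review bot: The comment kept above the WinPE try block still justifies swallowing the error with "the last step will be to apply the cumulative update (or in this case the combined cumulative update)", but the try block now applies `$LCU_PATH` itself, and the WinRE copy of this comment was reworded to refer to the Safe OS update. Update the WinPE wording so it names the later step that actually leaves the image correctly patched, otherwise the reason for ignoring the failure is circular. As in the WinRE section, the Write-Output for the package was removed without a `$LCU_PATH` replacement.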
@ -330,6 +351,13 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
} }
} }
# The second approach for Step 9 is for Windows releases that have not adopted the combined cumulative update
# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
# update. This second approach is commented out below.
# Write-Output "$(Get-TS): Adding package $SSU_PATH"
# Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
# Install lp.cab cab # Install lp.cab cab
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH" Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
@ -412,9 +440,29 @@ You can install Optional Components, along with the .NET feature, offline, but t
# update Main OS # update Main OS
# #
# Add servicing stack update # Add servicing stack update (Step 18 from the table)
Write-Output "$(Get-TS): Adding package $SSU_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
# includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
# cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully
# rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published,
# and installed first before the combined cumulative update can be installed.
# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
# Write-Output "$(Get-TS): Adding package $SSU_PATH"
# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
# Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
Write-Output "$(Get-TS): Adding package $LCU_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null
# The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
# update. This second approach is commented out below.
# Write-Output "$(Get-TS): Adding package $SSU_PATH"
# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
# Optional: Add language to main OS # Optional: Add language to main OS
Write-Output "$(Get-TS): Adding package $OS_LP_PATH" Write-Output "$(Get-TS): Adding package $OS_LP_PATH"
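Review bot: The main OS install changed from `Add-WindowsPackage ... -PackagePath $SSU_PATH -ErrorAction stop` to `Add-WindowsPackage ... -PackagePath $LCU_PATH | Out-Null` with no `-ErrorAction stop` and no try/catch. The new comment says error 0x8007007e does not need handling here, which is a reason to let any failure stop the script, not to drop the terminating behaviour: as written a failed cumulative update can pass unnoticed and the script goes on to build media from an unpatched image. Restore `-ErrorAction stop` on the `$LCU_PATH` call.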

View File

@ -31,3 +31,18 @@ After you've completed enrollment in Windows Autopatch, some management settings
## Windows Autopatch configurations ## Windows Autopatch configurations
Windows Autopatch deploys, manages and maintains all configurations related to the operation of the service, as described in [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). Don't make any changes to any of the Windows Autopatch configurations. Windows Autopatch deploys, manages and maintains all configurations related to the operation of the service, as described in [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). Don't make any changes to any of the Windows Autopatch configurations.
## Windows Autopatch tenant actions
The **Tenant management** blade can be found by navigating to Tenant administration > Windows Autopatch > **Tenant management**.
> [!IMPORTANT]
> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [first party enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](../references/windows-autopatch-privacy.md#service-accounts), your Global admin must take action in the new Windows Autopatch Tenant management blade to approve the configuration change. To take action or see if you need to take action, visit the Tenant management blade in the Windows Autopatch portal.
The type of banner that appears depends on the severity of the action. Currently, only critical actions are listed.
### Tenant action severity types
| Severity | Description |
| ----- | ----- |
| Critical | You must take action as soon as possible. If no action is taken, the Windows Autopatch service may be affected. |
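Review bot: The navigation sentence starts at "Tenant administration" without naming the admin center it belongs to, while the callout below sends readers to "the Windows Autopatch portal"; name the portal once and use it in both places. Only the last step of the path is bolded, so format the three steps consistently.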

View File

@ -1,5 +1,5 @@
--- ---
title: Windows quality update communications title: Windows quality and feature update communications
description: This article explains Windows quality update communications description: This article explains Windows quality update communications
ms.date: 05/30/2022 ms.date: 05/30/2022
ms.prod: w11 ms.prod: w11
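Review bot: The title now covers "quality and feature update communications" but the `description` line directly below it still says "This article explains Windows quality update communications". Update the description in the same change so the metadata stays consistent.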
@ -14,7 +14,7 @@ msreviewer: hathind
# Windows quality update communications # Windows quality update communications
There are three categories of communication that are sent out during a Windows quality update: There are three categories of communication that are sent out during a Windows quality and feature update:
- [Standard communications](#standard-communications) - [Standard communications](#standard-communications)
- [Communications during release](#communications-during-release) - [Communications during release](#communications-during-release)
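Review bot: The H1 in this hunk is unchanged ("# Windows quality update communications") while the sentence under it now says "Windows quality and feature update". Either the heading should gain "and feature" to match the new title, or the intro should stay as it was.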

View File

@ -52,7 +52,7 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr
| Enterprise application name | Usage | Permissions | | Enterprise application name | Usage | Permissions |
| ----- | ------ | ----- | | ----- | ------ | ----- |
| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This account is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul> | | Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul> |
> [!NOTE] > [!NOTE]
> Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon. > Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon.
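Review bot: Since this row is being edited, the permission list should be checked against the Microsoft Graph names: `DeviceManagementManagedDevices.PriviligedOperation.All` is misspelled (the Graph permission is `DeviceManagementManagedDevices.PrivilegedOperations.All`) and `WindowsUpdates.Read.Write.All` has a stray dot (`WindowsUpdates.ReadWrite.All`). Admins reviewing consent for an application described as having elevated privileges will search for these strings and not find them. The NOTE that follows still says enterprise application authentication "will be made available for enrollment soon" for older tenants, which should be reconciled with the October 12, 2022 date used elsewhere in this commit.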

View File

@ -52,7 +52,7 @@ Windows Autopatch uses [Windows 10/11 Enhanced diagnostic data](/windows/privacy
The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Windows Autopatch and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) about the Windows 10 diagnostic data setting and data collection. The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Windows Autopatch and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) about the Windows 10 diagnostic data setting and data collection.
The diagnostic data terminology will change in future versions of Windows. Windows Autopatch is committed to processing only the data that the service needs. While this will mean the diagnostic level will change to **Optional**, Windows Autopatch will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection). The diagnostic data terminology will change in future versions of Windows. Windows Autopatch is committed to processing only the data that the service needs. The diagnostic level will change to **Optional**, but Windows Autopatch will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection).
Windows Autopatch only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' personal data such as chat and browser history, voice, text, or speech data. Windows Autopatch only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' personal data such as chat and browser history, voice, text, or speech data.
@ -60,13 +60,24 @@ For more information about the diagnostic data collection of Microsoft Windows 1
## Tenant access ## Tenant access
Windows Autopatch creates and uses guest accounts leveraging just-in-time access functionality when signing into a customer tenant to manage the Windows Autopatch service. To provide additional locked down control, Windows Autopatch maintains a separate conditional access policy to restrict access to these accounts. Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service.
| Enterprise application name | Usage | Permissions |
| ----- | ----- | ----- |
| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul>|
### Service accounts
> [!IMPORTANT]
> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [first party enterprise application](windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](windows-autopatch-privacy.md#service-accounts), you must take action. To take action or see if you need to take action, visit the [Tenant management blade](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) in the Windows Autopatch portal.
Windows Autopatch creates and uses guest accounts using just-in-time access functionality when signing into a customer tenant to manage the Windows Autopatch service. To provide additional locked down control, Windows Autopatch maintains a separate conditional access policy to restrict access to these accounts.
| Account name | Usage | Mitigating controls | | Account name | Usage | Mitigating controls |
| ----- | ----- | -----| | ----- | ----- | -----|
| MsAdmin@tenantDomain.onmicrosoft.com | <ul><li>This is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Windows Autopatch devices.</li><li>This account doesn't have interactive login permissions.The account performs operations only through the service.</li></ul> | Audited sign-ins | | MsAdmin@tenantDomain.onmicrosoft.com | <ul><li>This account is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Windows Autopatch devices.</li><li>This account doesn't have interactive sign-in permissions.The account performs operations only through the service.</li></ul> | Audited sign-ins |
| MsAdminInt@tenantDomain.onmicrosoft.com |<ul><li>This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.</li><li>This account is used for interactive login to the customers tenant.</li><li>The use of this account is extremely limited as most operations are exclusively through MsAdmin (non-interactive) account.</li></ul> | <ul><li>Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy</li><li>Audited sign-ins</li</ul> | | MsAdminInt@tenantDomain.onmicrosoft.com |<ul><li>This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.</li><li>This account is used for interactive login to the customers tenant.</li><li>The use of this account is limited as most operations are exclusively through MsAdmin (non-interactive) account.</li></ul> | <ul><li>Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy</li><li>Audited sign-ins</li</ul> |
| MsTest@tenantDomain.onmicrosoft.com | This is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins | | MsTest@tenantDomain.onmicrosoft.com | This account is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins |
## Microsoft Windows Update for Business ## Microsoft Windows Update for Business
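Review bot: two permission names in the new Modern Workplace Management row look mistyped. `DeviceManagementManagedDevices.PriviligedOperation.All` misspells "Privileged", and `WindowsUpdates.Read.Write.All` breaks the `ReadWrite.All` pattern that every other entry in the list follows. Please verify both against the permissions the application is actually granted, because admins will compare this list with what they see consented in their tenant. Separately, the guest-account paragraph ("Windows Autopatch creates and uses guest accounts ... just-in-time access functionality") now appears twice, once above the enterprise application table and again under "Service accounts"; the first copy sits in front of text about the enterprise application and should probably be dropped. The malformed `</li</ul>` in the MsAdminInt row is carried over unchanged and could be fixed while this table is being touched.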
@ -90,7 +101,7 @@ Microsoft 365 Apps for enterprise collects and shares data with Windows Autopatc
Windows Autopatch follows a change control process as outlined in our service communication framework. Windows Autopatch follows a change control process as outlined in our service communication framework.
We notify customers through the Microsoft 365 message center, and the Windows Autopatch admin center of both security incidents and major changes to the service. We notify customers through the Microsoft 365 message center, and the Windows Autopatch admin center about security incidents and major changes to the service.
Changes to the types of data gathered and where it's stored are considered a material change. We'll provide a minimum of 30 days advanced notice of this change as it's standard practice for Microsoft 365 products and services. Changes to the types of data gathered and where it's stored are considered a material change. We'll provide a minimum of 30 days advanced notice of this change as it's standard practice for Microsoft 365 products and services.
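Review bot: the rewritten sentence still has a stray comma in "through the Microsoft 365 message center, and the Windows Autopatch admin center", which splits the two notification channels. While here, the unchanged line below reads "30 days advanced notice"; "advance notice" is the intended phrase.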

View File

@ -25,7 +25,7 @@ appliesto:
## Default Enablement ## Default Enablement
Starting with Windows 11 Enterprise 22H2, compatible systems have Windows Defender Credential Guard turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below. Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below.
### Requirements for automatic enablement ### Requirements for automatic enablement
@ -33,18 +33,26 @@ Windows Defender Credential Guard will be enabled by default when a PC meets the
|Component|Requirement| |Component|Requirement|
|---|---| |---|---|
|Operating System|Windows 11 Enterprise 22H2| |Operating System|**Windows 11 Enterprise, version 22H2** or **Windows 11 Education, version 22H2**|
|Existing Windows Defender Credential Guard Requirements|Only devices which meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.| |Existing Windows Defender Credential Guard Requirements|Only devices which meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.|
|Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default. |Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2 and Windows 11 Education 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default.
> [!NOTE] > [!NOTE]
> If Windows Defender Credential Guard or VBS has previously been explicitly disabled, default enablement will not overwrite this setting. > If Windows Defender Credential Guard or VBS has previously been explicitly disabled, default enablement will not overwrite this setting.
> [!NOTE]
> Devices running Windows 11 Pro 22H2 may have Virtualization-Based Security (VBS) and/or Windows Defender Credential Guard automaticaly enabled if they meet the other requirements for default enablement listed above and have previously run Windows Defender Credential Guard (for example if Windows Defender Credential Guard was running on an Enterprise device that later downgraded to Pro).
>
> To determine whether the Pro device is in this state, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. In this scenario, if you wish to disable VBS and Windows Defender Credential Guard, follow the instructions for [disabling Virtualization-Based Security](#disabling-virtualization-based-security). If you wish to disable only Windows Defender Credential Guard without disabling Virtualization-Based Security, use the procedures for [disabling Windows Defender Credential Guard](#disable-windows-defender-credential-guard).
## Enable Windows Defender Credential Guard ## Enable Windows Defender Credential Guard
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines. The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
> [!NOTE]
> Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only.
### Enable Windows Defender Credential Guard by using Group Policy ### Enable Windows Defender Credential Guard by using Group Policy
You can use Group Policy to enable Windows Defender Credential Guard. This will add and enable the virtualization-based security features for you if needed. You can use Group Policy to enable Windows Defender Credential Guard. This will add and enable the virtualization-based security features for you if needed.
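Review bot: the new note for Windows 11 Pro calls `IsolatedCredentialsRootSecret` a "registry key" that is "present in" `...\Control\Lsa\MSV1_0`, which leaves it unclear whether admins should look for a subkey or a value under that key. State which one it is, since that decides how the check is scripted. The same note has the typo "automaticaly". Edition naming is also inconsistent inside this hunk: the Operating System row uses "**Windows 11 Enterprise, version 22H2**" while the VBS row and the note use "Windows 11 Enterprise 22H2" and "Windows 11 Pro 22H2". The VBS table row is still missing its closing `|`.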
@ -230,24 +238,54 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
## Disable Windows Defender Credential Guard ## Disable Windows Defender Credential Guard
To disable Windows Defender Credential Guard, you can use the following set of procedures or the [HVCI and Windows Defender Credential Guard hardware readiness tool](#disable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). If Credential Guard was enabled with UEFI Lock then you must use the following procedure as the settings are persisted in EFI (firmware) variables and it will require physical presence at the machine to press a function key to accept the change. If Credential Guard was enabled without UEFI Lock then you can turn it off by using Group Policy. Windows Defender Credential Guard can be disabled via several methods explained below, depending on how the feature was enabled. For devices that had Windows Defender Credential Guard automatically enabled in the 22H2 update and did not have it enabled prior to the update, it is sufficient to [disable via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy).
1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**). If Windows Defender Credential Guard was enabled with UEFI Lock, the procedure described in [Disabling Windows Defender Credential Guard with UEFI Lock](#disabling-windows-defender-credential-guard-with-uefi-lock) must be followed. Note that the default enablement change in eligible 22H2 devices does **not** use a UEFI Lock.
1. Delete the following registry settings: If Windows Defender Credential Guard was enabled via Group Policy without UEFI Lock, Windows Defender Credential Guard should be [disabled via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy).
Otherwise, Windows Defender Credential Guard can be [disabled by changing registry keys](#disabling-windows-defender-credential-guard-using-registry-keys).
Windows Defender Credential Guard running in a virtual machine can be [disabled by the host](#disable-windows-defender-credential-guard-for-a-virtual-machine).
For information on disabling Virtualization-Based Security (VBS), see [Disabling Virtualization-Based Security](#disabling-virtualization-based-security).
### Disabling Windows Defender Credential Guard using Group Policy
If Windows Defender Credential Guard was enabled via Group Policy and without UEFI Lock, disabling the same Group Policy setting will disable Windows Defender Credential Guard.
1. Disable the Group Policy setting that governs Windows Defender Credential Guard. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**. In the "Credential Guard Configuration" section, set the dropdown value to "Disabled":
:::image type="content" source="images/credguard-gp-disabled.png" alt-text="Windows Defender Credential Guard Group Policy set to Disabled.":::
1. Restart the machine.
### Disabling Windows Defender Credential Guard using Registry Keys
If Windows Defender Credential Guard was enabled without UEFI Lock and without Group Policy, it is sufficient to edit the registry keys as described below to disable Windows Defender Credential Guard.
1. Change the following registry settings to 0:
- `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags` - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags`
- `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags` - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags`
1. If you also wish to disable virtualization-based security delete the following registry settings: > [!NOTE]
> Deleting these registry settings may not disable Windows Defender Credential Guard. They must be set to a value of 0.
- `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity` 1. Restart the machine.
- `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures` ### Disabling Windows Defender Credential Guard with UEFI Lock
> [!IMPORTANT] If Windows Defender Credential Guard was enabled with UEFI Lock enabled, then the following procedure must be followed since the settings are persisted in EFI (firmware) variables. This scenario will require physical presence at the machine to press a function key to accept the change.
> If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
1. If Group Policy was used to enable Windows Defender Credential Guard, disable the relevant Group Policy setting. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**. In the "Credential Guard Configuration" section, set the dropdown value to "Disabled".
1. Change the following registry settings to 0:
- `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags`
- `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags`
1. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: 1. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
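Review bot: the routing in the new introduction does not match the preconditions of the sections it points to. The introduction says that for devices where Credential Guard was turned on automatically by the 22H2 update "it is sufficient to disable via Group Policy", but the Group Policy section opens with "If Windows Defender Credential Guard was enabled via Group Policy and without UEFI Lock", so a default-enabled device does not meet that section's stated condition. Either widen the section's opening sentence to cover default enablement or say explicitly that the policy must be set to "Disabled" (not "Not configured") in that case. In the registry procedure, "Change the following registry settings to 0" lists full paths ending in `LsaCfgFlags`; it would be clearer to name the key and the value separately, and to say what to do when the value does not exist yet, given the note that deleting it "may not disable" the feature.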
@ -262,37 +300,7 @@ To disable Windows Defender Credential Guard, you can use the following set of p
mountvol X: /d mountvol X: /d
``` ```
1. Restart the PC. 1. Restart the PC. Before the OS boots, a prompt will appear notifying that UEFI was modified, and asking for confirmation. This prompt must be confirmed for the changes to persist. This step requires physical access to the machine.
1. Accept the prompt to disable Windows Defender Credential Guard.
1. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard.
> [!NOTE]
> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings:
>
> ```cmd
> bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
> bcdedit /set vsmlaunchtype off
> ```
For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](../../threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md).
> [!NOTE]
> Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only.
### Disable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool
You can also disable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
```powershell
DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
```
> [!IMPORTANT]
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
>
> This is a known issue.
### Disable Windows Defender Credential Guard for a virtual machine ### Disable Windows Defender Credential Guard for a virtual machine
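Review bot: two pieces of guidance are deleted here without a replacement that is visible in this change. The old note "The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS" is removed and is not carried into the new "Disabling Virtualization-Based Security" section, so readers lose the warning about EFS-encrypted content. The whole "Disable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool" section is also removed, including the known-issue workaround for non-English operating systems; if the tool is no longer a supported way to disable the feature, say so, and check that no remaining link targets the removed heading's anchor.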
@ -301,3 +309,31 @@ From the host, you can disable Windows Defender Credential Guard for a virtual m
```powershell ```powershell
Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
``` ```
## Disabling Virtualization-Based Security
Instructions are given below for how to disable Virtualization-Based Security (VBS) entirely, rather than just Windows Defender Credential Guard. Disabling Virtualization-Based Security will automatically disable Windows Defender Credential Guard and other features that rely on VBS.
> [!IMPORANT]
> Other security features in addition to Windows Defender Credential Guard rely on Virtualization-Based Security in order to run. Disabling Virtualization-Based Security may have unintended side effects.
1. If Group Policy was used to enable Virtualization-Based Security, set the Group Policy setting that was used to enable it (**Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**) to "Disabled".
1. Delete the following registry settings:
- `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity`
- `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures`
> [!IMPORTANT]
> If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
1. If Windows Defender Credential Guard is running when disabling Virtualization-Based Security and either feature was enabled with UEFI Lock, the EFI (firmware) variables must be cleared using bcdedit. From an elevated command prompt, run the following bcdedit commands after turning off all Virtualization-Based Security Group Policy and registry settings as described in steps 1 and 2 above:
>
> ```cmd
> bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
> bcdedit /set vsmlaunchtype off
> ```
1. Restart the PC.
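Review bot: the alert marker in the new section is misspelled as `> [!IMPORANT]`, so it will not render as an Important callout. In step 3, the `>` prefixes left over from the old note are still in front of the `cmd` fence, which turns the commands into a block quote inside a list item; drop the `>` and indent the fence under the step instead. Step 3 also says the EFI variables "must be cleared using bcdedit" but, unlike the UEFI Lock procedure earlier in the file, does not mention that the change has to be confirmed at the pre-boot prompt with physical access; add that or link to the earlier step.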

View File

@ -101,7 +101,7 @@ The following tables describe baseline protections, plus protections for improve
|Hardware: **Trusted Platform Module (TPM)**|**Requirement**: </br> - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../information-protection/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.| |Hardware: **Trusted Platform Module (TPM)**|**Requirement**: </br> - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../information-protection/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.|
|Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**: </br> - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.| |Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**: </br> - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.|
|Firmware: **Secure firmware update process**|**Requirements**: </br> - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.| |Firmware: **Secure firmware update process**|**Requirements**: </br> - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.|
|Software: Qualified **Windows operating system**|**Requirement**: </br> - At least Windows 10 Enterprise or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.| |Software: Qualified **Windows operating system**|**Requirement**: </br> - At least Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
> [!IMPORTANT] > [!IMPORTANT]
> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide. > The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide.

Binary file not shown.

View File

@ -16,7 +16,7 @@ appliesto:
- ✅ <b>Hybrid deployment</b> - ✅ <b>Hybrid deployment</b>
- ✅ <b>Cloud Kerberos trust</b> - ✅ <b>Cloud Kerberos trust</b>
--- ---
# Hybrid Cloud Kerberos Trust Deployment (Preview) # Hybrid Cloud Kerberos Trust Deployment
Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario. Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.

View File

@ -9,8 +9,8 @@ ms.date: 10/16/2017
manager: aaroncz manager: aaroncz
ms.topic: article ms.topic: article
appliesto: appliesto:
- ✅ <b>Windows 10</b> - ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b> - ✅ <b>Windows 11</b>
--- ---
# How Windows Hello for Business works in Windows devices # How Windows Hello for Business works in Windows devices

View File

@ -3,14 +3,14 @@ title: Advanced security audit policy settings (Windows 10)
description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171 ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
ms.reviewer: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. ms.reviewer: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
ms.author: dansimp ms.author: vinpa
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security ms.pagetype: security
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
manager: dansimp manager: aaroncz
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
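Review bot: in this front matter the `ms.reviewer` field holds the full description sentence ("This reference for IT professionals provides information about ...") rather than a reviewer alias. The line is unchanged by this commit, but since the author and manager fields around it are being corrected, clear it here too so it matches the empty `ms.reviewer:` used in the neighbouring audit files.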

View File

@ -3,14 +3,14 @@ title: Advanced security audit policies (Windows 10)
description: Advanced security audit policy settings may appear to overlap with basic policies, but they are recorded and applied differently. Learn more about them here. description: Advanced security audit policy settings may appear to overlap with basic policies, but they are recorded and applied differently. Learn more about them here.
ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC
ms.reviewer: ms.reviewer:
ms.author: dansimp ms.author: vinpa
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security ms.pagetype: security
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
manager: dansimp manager: aaroncz
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual

View File

@ -6,11 +6,11 @@ ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Apply a basic audit policy on a file or folder (Windows 10)
description: Apply audit policies to individual files and folders on your computer by setting the permission type to record access attempts in the security log. description: Apply audit policies to individual files and folders on your computer by setting the permission type to record access attempts in the security log.
ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2 ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2
ms.reviewer: ms.reviewer:
ms.author: dansimp ms.author: vinpa
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security ms.pagetype: security
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
manager: dansimp manager: aaroncz
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual

View File

@ -3,14 +3,14 @@ title: Audit Account Lockout (Windows 10)
description: The policy setting, Audit Account Lockout, enables you to audit security events generated by a failed attempt to log on to an account that is locked out. description: The policy setting, Audit Account Lockout, enables you to audit security events generated by a failed attempt to log on to an account that is locked out.
ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589 ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Application Generated (Windows 10)
description: The policy setting, Audit Application Generated, determines if audit events are generated when applications attempt to use the Windows Auditing APIs. description: The policy setting, Audit Application Generated, determines if audit events are generated when applications attempt to use the Windows Auditing APIs.
ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871 ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Application Group Management (Windows 10)
description: The policy setting, Audit Application Group Management, determines if audit events are generated when application group management tasks are performed. description: The policy setting, Audit Application Group Management, determines if audit events are generated when application group management tasks are performed.
ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606 ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Audit Policy Change (Windows 10)
description: The Advanced Security Audit policy setting, Audit Audit Policy Change, determines if audit events are generated when changes are made to audit policy. description: The Advanced Security Audit policy setting, Audit Audit Policy Change, determines if audit events are generated when changes are made to audit policy.
ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9 ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Authentication Policy Change (Windows 10)
description: The Advanced Security Audit policy setting, Audit Authentication Policy Change, determines if audit events are generated when authentication policy is changed. description: The Advanced Security Audit policy setting, Audit Authentication Policy Change, determines if audit events are generated when authentication policy is changed.
ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Authorization Policy Change (Windows 10)
description: The policy setting, Audit Authorization Policy Change, determines if audit events are generated when specific changes are made to the authorization policy. description: The policy setting, Audit Authorization Policy Change, determines if audit events are generated when specific changes are made to the authorization policy.
ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36 ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Central Access Policy Staging (Windows 10)
description: The Advanced Security Audit policy setting, Audit Central Access Policy Staging, determines permissions on a Central Access Policy. description: The Advanced Security Audit policy setting, Audit Central Access Policy Staging, determines permissions on a Central Access Policy.
ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Certification Services (Windows 10)
description: The policy setting, Audit Certification Services, decides if events are generated when Active Directory Certificate Services (ADA CS) operations are performed. description: The policy setting, Audit Certification Services, decides if events are generated when Active Directory Certificate Services (ADA CS) operations are performed.
ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03 ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---
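
Review bot: the unchanged `description` line at the top of this hunk abbreviates Active Directory Certificate Services as "ADA CS"; the abbreviation should be "AD CS". The front matter is being edited in this commit anyway, so fix it in the same pass: `Active Directory Certificate Services (AD CS) operations are performed.`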

View File

@ -3,14 +3,14 @@ title: Audit Computer Account Management (Windows 10)
description: The policy setting, Audit Computer Account Management, determines if audit events are generated when a computer account is created, changed, or deleted. description: The policy setting, Audit Computer Account Management, determines if audit events are generated when a computer account is created, changed, or deleted.
ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991 ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Credential Validation (Windows 10)
description: The policy setting, Audit Credential Validation, determines if audit events are generated when user account logon request credentials are submitted. description: The policy setting, Audit Credential Validation, determines if audit events are generated when user account logon request credentials are submitted.
ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926 ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Detailed Directory Service Replication (Windows 10)
description: The Audit Detailed Directory Service Replication setting decides if audit events contain detailed tracking info about data replicated between domain controllers description: The Audit Detailed Directory Service Replication setting decides if audit events contain detailed tracking info about data replicated between domain controllers
ms.assetid: 1b89c8f5-bce7-4b20-8701-42585c7ab993 ms.assetid: 1b89c8f5-bce7-4b20-8701-42585c7ab993
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---
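
Review bot: the `description` value in this hunk ends at "between domain controllers" with no terminal period, unlike most of the sibling audit-policy descriptions touched by this commit. Add the period so the rendered meta description is consistent across the set.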

View File

@ -3,14 +3,14 @@ title: Audit Detailed File Share (Windows 10)
description: The Advanced Security Audit policy setting, Audit Detailed File Share, allows you to audit attempts to access files and folders on a shared folder. description: The Advanced Security Audit policy setting, Audit Detailed File Share, allows you to audit attempts to access files and folders on a shared folder.
ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Directory Service Access (Windows 10)
description: The policy setting Audit Directory Service Access determines if audit events are generated when an Active Directory Domain Services (ADA DS) object is accessed. description: The policy setting Audit Directory Service Access determines if audit events are generated when an Active Directory Domain Services (ADA DS) object is accessed.
ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0 ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---
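
Review bot: the `description` context line in this hunk abbreviates Active Directory Domain Services as "ADA DS", which should be "AD DS". The Audit Directory Service Changes description in this same commit already uses "AD DS", so correct this one to match: `an Active Directory Domain Services (AD DS) object is accessed.`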

View File

@ -3,14 +3,14 @@ title: Audit Directory Service Changes (Windows 10)
description: The policy setting Audit Directory Service Changes determines if audit events are generated when objects in Active Directory Domain Services (AD DS) are changed description: The policy setting Audit Directory Service Changes determines if audit events are generated when objects in Active Directory Domain Services (AD DS) are changed
ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Directory Service Replication (Windows 10)
description: Audit Directory Service Replication is a policy setting that decides if audit events are created when replication between two domain controllers begins or ends. description: Audit Directory Service Replication is a policy setting that decides if audit events are created when replication between two domain controllers begins or ends.
ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56 ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Distribution Group Management (Windows 10)
description: The policy setting, Audit Distribution Group Management, determines if audit events are generated for specific distribution-group management tasks. description: The policy setting, Audit Distribution Group Management, determines if audit events are generated for specific distribution-group management tasks.
ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66 ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit DPAPI Activity (Windows 10)
description: The policy setting, Audit DPAPI Activity, decides if encryption/decryption calls to the data protection application interface (DPAPI) generate audit events. description: The policy setting, Audit DPAPI Activity, decides if encryption/decryption calls to the data protection application interface (DPAPI) generate audit events.
ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit File Share (Windows 10)
description: The Advanced Security Audit policy setting, Audit File Share, determines if the operating system generates audit events when a file share is accessed. description: The Advanced Security Audit policy setting, Audit File Share, determines if the operating system generates audit events when a file share is accessed.
ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78 ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit File System (Windows 10)
description: The Advanced Security Audit policy setting, Audit File System, determines if audit events are generated when users attempt to access file system objects. description: The Advanced Security Audit policy setting, Audit File System, determines if audit events are generated when users attempt to access file system objects.
ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Filtering Platform Connection (Windows 10)
description: The policy setting, Audit Filtering Platform Connection, decides if audit events are generated when connections are allow/blocked by Windows Filtering Platform. description: The policy setting, Audit Filtering Platform Connection, decides if audit events are generated when connections are allow/blocked by Windows Filtering Platform.
ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59 ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---
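
Review bot: the `description` line in this hunk reads "connections are allow/blocked by Windows Filtering Platform", which is ungrammatical. Suggest `connections are allowed or blocked by the Windows Filtering Platform.` while the front matter is open for the ownership change.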

View File

@ -3,14 +3,14 @@ title: Audit Filtering Platform Packet Drop (Windows 10)
description: The policy setting, Audit Filtering Platform Packet Drop, determines if audit events are generated when packets are dropped by the Windows Filtering Platform. description: The policy setting, Audit Filtering Platform Packet Drop, determines if audit events are generated when packets are dropped by the Windows Filtering Platform.
ms.assetid: 95457601-68d1-4385-af20-87916ddab906 ms.assetid: 95457601-68d1-4385-af20-87916ddab906
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Filtering Platform Policy Change (Windows 10)
description: The policy setting, Audit Filtering Platform Policy Change, determines if audit events are generated for certain IPsec and Windows Filtering Platform actions. description: The policy setting, Audit Filtering Platform Policy Change, determines if audit events are generated for certain IPsec and Windows Filtering Platform actions.
ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041 ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Group Membership (Windows 10)
description: Using the advanced security audit policy setting, Audit Group Membership, you can audit group memberships when they're enumerated on the client PC. description: Using the advanced security audit policy setting, Audit Group Membership, you can audit group memberships when they're enumerated on the client PC.
ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9 ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Handle Manipulation (Windows 10)
description: The Advanced Security Audit policy setting, Audit Handle Manipulation, determines if audit events are generated when a handle to an object is opened or closed. description: The Advanced Security Audit policy setting, Audit Handle Manipulation, determines if audit events are generated when a handle to an object is opened or closed.
ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091 ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit IPsec Driver (Windows 10)
description: The Advanced Security Audit policy setting, Audit IPsec Driver, determines if audit events are generated for the activities of the IPsec driver. description: The Advanced Security Audit policy setting, Audit IPsec Driver, determines if audit events are generated for the activities of the IPsec driver.
ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5 ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit IPsec Extended Mode (Windows 10)
description: The setting, Audit IPsec Extended Mode, determines if audit events are generated for the results of IKE protocol and AuthIP during Extended Mode negotiations. description: The setting, Audit IPsec Extended Mode, determines if audit events are generated for the results of IKE protocol and AuthIP during Extended Mode negotiations.
ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049 ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit IPsec Main Mode (Windows 10)
description: Learn about the policy setting, Audit IPsec Main Mode, which determines if the results of certain protocols generate events during Main Mode negotiations. description: Learn about the policy setting, Audit IPsec Main Mode, which determines if the results of certain protocols generate events during Main Mode negotiations.
ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit IPsec Quick Mode (Windows 10)
description: The policy setting, Audit IPsec Quick Mode, decides if audit events are generated for the results of the IKE protocol and AuthIP during Quick Mode negotiations. description: The policy setting, Audit IPsec Quick Mode, decides if audit events are generated for the results of the IKE protocol and AuthIP during Quick Mode negotiations.
ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114 ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Kerberos Authentication Service (Windows 10)
description: The policy setting Audit Kerberos Authentication Service decides if audit events are generated for Kerberos authentication ticket-granting ticket (TGT) requests description: The policy setting Audit Kerberos Authentication Service decides if audit events are generated for Kerberos authentication ticket-granting ticket (TGT) requests
ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859 ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Kerberos Service Ticket Operations (Windows 10)
description: The policy setting, Audit Kerberos Service Ticket Operations, determines if security audit events are generated for Kerberos service ticket requests. description: The policy setting, Audit Kerberos Service Ticket Operations, determines if security audit events are generated for Kerberos service ticket requests.
ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6 ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Kernel Object (Windows 10)
description: The policy setting, Audit Kernel Object, decides if user attempts to access the system kernel (which includes mutexes and semaphores) generate audit events. description: The policy setting, Audit Kernel Object, decides if user attempts to access the system kernel (which includes mutexes and semaphores) generate audit events.
ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Logoff (Windows 10)
description: The Advanced Security Audit policy setting, Audit Logoff, determines if audit events are generated when logon sessions are terminated. description: The Advanced Security Audit policy setting, Audit Logoff, determines if audit events are generated when logon sessions are terminated.
ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432 ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Logon (Windows 10)
description: The Advanced Security Audit policy setting, Audit Logon, determines if audit events are generated when a user attempts to log on to a computer. description: The Advanced Security Audit policy setting, Audit Logon, determines if audit events are generated when a user attempts to log on to a computer.
ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit MPSSVC Rule-Level Policy Change (Windows 10)
description: Audit MPSSVC Rule-Level Policy Change determines if audit events are generated when policy rules are altered for the Microsoft Protection Service (MPSSVC.exe). description: Audit MPSSVC Rule-Level Policy Change determines if audit events are generated when policy rules are altered for the Microsoft Protection Service (MPSSVC.exe).
ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019 ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Network Policy Server (Windows 10)
description: The policy setting, Audit Network Policy Server, determines if audit events are generated for RADIUS (IAS) and NAP activity on user access requests. description: The policy setting, Audit Network Policy Server, determines if audit events are generated for RADIUS (IAS) and NAP activity on user access requests.
ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7 ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Non-Sensitive Privilege Use (Windows 10)
description: This article for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. description: This article for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
ms.assetid: 8fd74783-1059-443e-aa86-566d78606627 ms.assetid: 8fd74783-1059-443e-aa86-566d78606627
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Other Account Logon Events (Windows 10)
description: The policy setting, Audit Other Account Logon Events allows you to audit events when generated by responses to credential requests for certain kinds of user logons. description: The policy setting, Audit Other Account Logon Events allows you to audit events when generated by responses to credential requests for certain kinds of user logons.
ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3 ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---
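Review bot: the description line at the top of this hunk is hard to parse ("Audit Other Account Logon Events allows you to audit events when generated by responses to credential requests"): the setting name is not closed with a comma and "when generated" has no clear subject. Since this front matter is being edited anyway, consider rewording it along the lines of "The policy setting, Audit Other Account Logon Events, lets you audit events generated by responses to credential requests for certain kinds of user logons."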

View File

@ -3,14 +3,14 @@ title: Audit Other Account Management Events (Windows 10)
description: The Advanced Security Audit policy setting, Audit Other Account Management Events, determines if user account management audit events are generated. description: The Advanced Security Audit policy setting, Audit Other Account Management Events, determines if user account management audit events are generated.
ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5 ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Other Logon/Logoff Events (Windows 10)
description: The Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, determines if Windows generates audit events for other logon or logoff events. description: The Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, determines if Windows generates audit events for other logon or logoff events.
ms.assetid: 76d987cd-1917-4907-a739-dd642609a458 ms.assetid: 76d987cd-1917-4907-a739-dd642609a458
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Other Object Access Events (Windows 10)
description: The policy setting, Audit Other Object Access Events, determines if audit events are generated for the management of Task Scheduler jobs or COM+ objects. description: The policy setting, Audit Other Object Access Events, determines if audit events are generated for the management of Task Scheduler jobs or COM+ objects.
ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2 ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Other Policy Change Events (Windows 10)
description: The policy setting, Audit Other Policy Change Events, determines if audit events are generated for security policy changes that are not otherwise audited. description: The policy setting, Audit Other Policy Change Events, determines if audit events are generated for security policy changes that are not otherwise audited.
ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60 ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Other Privilege Use Events (Windows 10)
description: Learn about the audit other privilege use events, an auditing subcategory that should not have any events in it but enables generation of event 4985(S). description: Learn about the audit other privilege use events, an auditing subcategory that should not have any events in it but enables generation of event 4985(S).
ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---
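Review bot: the description line in this hunk reads as self-contradictory: it says the subcategory "should not have any events in it but enables generation of event 4985(S)". Someone building an audit baseline from this summary cannot tell whether enabling the subcategory produces events or not. Suggest rewording to say plainly that the subcategory has no events of its own and that enabling it only turns on event 4985(S), and dropping the "Learn about the" opener so the line matches the other audit articles.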

View File

@ -3,14 +3,14 @@ title: Audit Other System Events (Windows 10)
description: The Advanced Security Audit policy setting, Audit Other System Events, determines if the operating system audits various system events. description: The Advanced Security Audit policy setting, Audit Other System Events, determines if the operating system audits various system events.
ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit PNP Activity (Windows 10)
description: The advanced security audit policy setting, Audit PNP Activity, determines when plug and play detects an external device. description: The advanced security audit policy setting, Audit PNP Activity, determines when plug and play detects an external device.
ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---
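Review bot: the description line in this hunk says the setting "determines when plug and play detects an external device", but an audit policy setting does not control when detection happens, only whether it is audited. Suggest wording consistent with the other subcategory descriptions, for example "determines whether audit events are generated when plug and play detects an external device". The ms.assetid on the next line is also upper-case, where most other audit articles in this commit use lower-case GUIDs; worth normalizing if the build tooling treats the value as case-sensitive.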

View File

@ -3,14 +3,14 @@ title: Audit Process Creation (Windows 10)
description: The Advanced Security Audit policy setting, Audit Process Creation, determines if audit events are generated when a process is created (starts). description: The Advanced Security Audit policy setting, Audit Process Creation, determines if audit events are generated when a process is created (starts).
ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019 ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 03/16/2022 ms.date: 03/16/2022
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Process Termination (Windows 10)
description: The Advanced Security Audit policy setting, Audit Process Termination, determines if audit events are generated when an attempt is made to end a process. description: The Advanced Security Audit policy setting, Audit Process Termination, determines if audit events are generated when an attempt is made to end a process.
ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50 ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Registry (Windows 10)
description: The Advanced Security Audit policy setting, Audit Registry, determines if audit events are generated when users attempt to access registry objects. description: The Advanced Security Audit policy setting, Audit Registry, determines if audit events are generated when users attempt to access registry objects.
ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32 ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 01/05/2021 ms.date: 01/05/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit Removable Storage (Windows 10)
description: The Advanced Security Audit policy setting, Audit Removable Storage, determines when there is a read or a write to a removable drive. description: The Advanced Security Audit policy setting, Audit Removable Storage, determines when there is a read or a write to a removable drive.
ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26 ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---
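Review bot: the description line in this hunk states that Audit Removable Storage "determines when there is a read or a write to a removable drive", which describes the drive activity rather than the audit behaviour. A reader scanning search results for which subcategory logs removable media access would be better served by "determines whether audit events are generated when there is a read or a write to a removable drive".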

View File

@ -3,14 +3,14 @@ title: Audit RPC Events (Windows 10)
description: Audit RPC Events is an audit policy setting that determines if audit events are generated when inbound remote procedure call (RPC) connections are made. description: Audit RPC Events is an audit policy setting that determines if audit events are generated when inbound remote procedure call (RPC) connections are made.
ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6 ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---

View File

@ -3,14 +3,14 @@ title: Audit SAM (Windows 10)
description: The Advanced Security Audit policy setting, Audit SAM, enables you to audit events generated by attempts to access Security Account Manager (SAM) objects. description: The Advanced Security Audit policy setting, Audit SAM, enables you to audit events generated by attempts to access Security Account Manager (SAM) objects.
ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e
ms.reviewer: ms.reviewer:
manager: dansimp manager: aaroncz
ms.author: dansimp ms.author: vinpa
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: vinaypamnani-msft
ms.date: 09/06/2021 ms.date: 09/06/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---
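Review bot: ms.reviewer: in the front matter of this hunk is still an empty key after manager, ms.author and author were reassigned. Either fill it with the reviewer alias that goes with the new owner or remove the key, so the article does not keep a blank reviewer field alongside freshly updated ownership metadata.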

Some files were not shown because too many files have changed in this diff