Merge branch 'public' into RTB-Update

2025-05-14 06:17:22 +00:00 · 2021-06-29 10:14:42 +01:00 · 2021-06-29 10:14:42 +01:00 · 86bcbc2db6
commit 86bcbc2db6
parent 730d0f752c f99213dffe
150 changed files with 3155 additions and 86253 deletions
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@ -129,20 +129,6 @@
      "build_entry_point": "docs",
      "template_folder": "_themes"
    },
    {
      "docset_name": "SV",
      "build_source_folder": "windows/sv",
      "build_output_subfolder": "SV",
      "locale": "en-us",
      "monikers": [],
      "moniker_ranges": [],
      "open_to_public_contributors": true,
      "type_mapping": {
        "Conceptual": "Content"
      },
      "build_entry_point": "docs",
      "template_folder": "_themes"
    },
    {
      "docset_name": "win-access-protection",
      "build_source_folder": "windows/access-protection",
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -18919,6 +18919,11 @@
      "source_path": "windows/security/threat-protection/device-control/device-control-report.md",
      "redirect_url": "/microsoft-365/security/defender-endpoint/device-control-report",
      "redirect_document_id": false
-    }    
+    }, 
    {
      "source_path": "windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md",
      "redirect_url": "/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows",
      "redirect_document_id": false
    }        
 	    ]
 }
--- a/browsers/internet-explorer/TOC.yml
+++ b/browsers/internet-explorer/TOC.yml
@ -356,6 +356,6 @@
    - name: KB Troubleshoot
      items: 
        - name: Internet Explorer and Microsoft Edge FAQ for IT Pros
-          href: kb-support/ie-edge-faqs.md
+          href: kb-support/ie-edge-faqs.yml
 - name: Microsoft Edge and Internet Explorer troubleshooting
  href: /troubleshoot/browsers/welcome-browsers
--- a/browsers/internet-explorer/kb-support/ie-edge-faqs.md
+++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.md
@ -1,220 +0,0 @@
 ---
 title: IE and Microsoft Edge FAQ for IT Pros
 description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals. 
 audience: ITPro
 manager: msmets
 author: ramakoni1
 ms.author: ramakoni
 ms.reviewer: ramakoni, DEV_Triage
 ms.prod: internet-explorer
 ms.technology:
 ms.topic: kb-support
 ms.custom: CI=111020
 ms.localizationpriority: medium
 ms.date: 01/23/2020
 ---
 # Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros
 ## Cookie-related questions
 ### What is a cookie?
 An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol.
 ### How does Internet Explorer handle cookies?
 For more information about how Internet Explorer handles cookies, see the following articles:
 - [Beware Cookie Sharing in Cross-Zone Scenarios](/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios)
 - [A Quick Look at P3P](/archive/blogs/ieinternals/a-quick-look-at-p3p)
 - [Internet Explorer Cookie Internals FAQ](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq)
 - [Privacy Beyond Blocking Cookies](/archive/blogs/ie/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content)
 - [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies)
 ### Where does Internet Explorer store cookies?
 To see where Internet Explorer stores its cookies, follow these steps:
 1. Start File Explorer.
 2. Select **Views** \> **Change folder and search options**.
 3. In the **Folder Options** dialog box, select **View**.
 4. In **Advanced settings**, select **Do not show hidden files, folders, or drivers**.
 5. Clear **Hide protected operation system files (Recommended)**.
 6. Select **Apply**.
 7. Select **OK**.
 The following are the folder locations where the cookies are stored:
 **In Windows 10**  
 C:\Users\username\AppData\Local\Microsoft\Windows\INetCache
 **In Windows 8 and Windows 8.1**  
 C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies
 **In Windows 7**  
 C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies  
 C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low
 ### What is the per-domain cookie limit?
 Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie.
 There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value.
 The JavaScript limitation was updated to 10 KB from 4 KB.
 For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq).
 #### Additional information about cookie limits
 **What does the Cookie RFC allow?**  
 RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following:
 - At least 300 cookies total
 - At least 20 cookies per unique host or domain name
 For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer.
 ### Cookie size limit per domain
 Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies.
 ## Proxy Auto Configuration (PAC)-related questions
 ### Is an example Proxy Auto Configuration (PAC) file available?
 Here is a simple PAC file:
 ```vb
 function FindProxyForURL(url, host)
 {
 return "PROXY proxyserver:portnumber";
 }
 ```
 > [!NOTE]
 > The previous PAC always returns the **proxyserver:portnumber** proxy.
 For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/).
 **Third-party information disclaimer**  
 The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
 ### How to improve performance by using PAC scripts
 - [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/help/315810/browser-is-slow-to-respond-when-you-use-an-automatic-configuration-scr)
 - [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](https://blogs.msdn.microsoft.com/askie/2014/02/07/optimizing-performance-with-automatic-proxyconfiguration-scripts-pac/)
 ## Other questions
 ### How to set home and start pages in Microsoft Edge and allow user editing
 For more information, see the following blog article:
 [How do I set the home page in Microsoft Edge?](https://blogs.msdn.microsoft.com/askie/2017/10/04/how-do-i-set-the-home-page-in-edge/)
 ### How to add sites to the Enterprise Mode (EMIE) site list
 For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](../ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md).
 ### What is Content Security Policy (CSP)?
 By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites.
 Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly.
 CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run.
 For more information, see the following articles:
 - [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/)
 - [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy)
 ### Where to find Internet Explorer security zones registry entries
 Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users).
 This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11.
 The default Zone Keys are stored in the following locations:
 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
 - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
 ### Why don't HTML5 videos play in Internet Explorer 11?
 To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**.
 - 0 (the default value): Allow
 - 3: Disallow
 This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone.
 For more information, see [Unable to play HTML5 Videos in IE](/archive/blogs/askie/unable-to-play-html5-videos-in-ie).
 For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions).
 For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running)
 ### What is the Enterprise Mode Site List Portal?
 This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
 ### What is Enterprise Mode Feature?
 For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md).
 ### Where can I obtain a list of HTTP Status codes?
 For information about this list, see [HTTP Status Codes](/windows/win32/winhttp/http-status-codes).
 ### What is end of support for Internet Explorer 11?
 Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed.
 For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer).
 ### How to configure TLS (SSL) for Internet Explorer
 For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380).
 ### What is Site to Zone?
 Site to Zone usually refers to one of the following:
 **Site to Zone Assignment List**  
 This is a Group Policy policy setting that can be used to add sites to the various security zones.
 The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones:
 - Intranet zone
 - Trusted Sites zone
 - Internet zone
 - Restricted Sites zone
 If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site.
 **Site to Zone Mapping**  
 Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list:
 - HKEY\_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
 - HKEY\_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
 **Site to Zone Assignment List policy**  
 This policy setting is available for both Computer Configuration and User Configuration:
 - Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
 - User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
 **References**  
 [How to configure Internet Explorer security zone sites using group polices](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices)
 ### What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer?
 For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](/previous-versions/cc304129(v=vs.85)).
 ### What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting?
 The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server.
 For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](/archive/blogs/jpsanders/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer).
--- a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml
+++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml
@ -0,0 +1,245 @@
 ### YamlMime:FAQ
 metadata:
  title: IE and Microsoft Edge FAQ for IT Pros
  description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals. 
  audience: ITPro
  manager: msmets
  author: ramakoni1
  ms.author: ramakoni
  ms.reviewer: ramakoni, DEV_Triage
  ms.prod: internet-explorer
  ms.technology:
  ms.topic: kb-support
  ms.custom: CI=111020
  ms.localizationpriority: medium
  ms.date: 01/23/2020
 title: Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros
 summary: |
 sections:
  - name: Cookie-related questions
    questions:
      - question: |
          What is a cookie?
        answer: |
          An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol.
      - question: |
          How does Internet Explorer handle cookies?
        answer: |
          For more information about how Internet Explorer handles cookies, see the following articles:
          - [Beware Cookie Sharing in Cross-Zone Scenarios](/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios)
          - [A Quick Look at P3P](/archive/blogs/ieinternals/a-quick-look-at-p3p)
          - [Internet Explorer Cookie Internals FAQ](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq)
          - [Privacy Beyond Blocking Cookies](/archive/blogs/ie/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content)
          - [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies)
      - question: |
          Where does Internet Explorer store cookies?
        answer: |
          To see where Internet Explorer stores its cookies, follow these steps:
          1. Start File Explorer.
          2. Select **Views** \> **Change folder and search options**.
          3. In the **Folder Options** dialog box, select **View**.
          4. In **Advanced settings**, select **Do not show hidden files, folders, or drivers**.
          5. Clear **Hide protected operation system files (Recommended)**.
          6. Select **Apply**.
          7. Select **OK**.
          The following are the folder locations where the cookies are stored:
          **In Windows 10**  
          C:\Users\username\AppData\Local\Microsoft\Windows\INetCache
          **In Windows 8 and Windows 8.1**  
          C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies
          **In Windows 7**  
          C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies  
          C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low
      - question: |
          What is the per-domain cookie limit?
        answer: |
          Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie.
          There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value.
          The JavaScript limitation was updated to 10 KB from 4 KB.
          For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq).
  - name: Additional information about cookie limits
    questions:
      - question: |
          What does the Cookie RFC allow?
        answer: |
          RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following:
          - At least 300 cookies total
          - At least 20 cookies per unique host or domain name
          For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer.
      - question: |
          Cookie size limit per domain
        answer: |
          Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies.
  - name: Proxy Auto Configuration (PAC)-related questions
    questions:
      - question: |
          Is an example Proxy Auto Configuration (PAC) file available?
        answer: |
          Here is a simple PAC file:
          ```vb
          function FindProxyForURL(url, host)
          {
           return "PROXY proxyserver:portnumber";
          }
          ```
          > [!NOTE]
          > The previous PAC always returns the **proxyserver:portnumber** proxy.
          For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/).
          **Third-party information disclaimer**  
          The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
      - question: |
          How to improve performance by using PAC scripts
        answer: |
          - [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/en-us/topic/effa1aa0-8e95-543d-6606-03ac68e3f490)
          - [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](/troubleshoot/browsers/optimize-pac-performance)
  - name: Other questions
    questions:
      - question: |
          How to set home and start pages in Microsoft Edge and allow user editing
        answer: |
          For more information, see the following blog article:
          [How do I set the home page in Microsoft Edge?](https://support.microsoft.com/en-us/microsoft-edge/change-your-browser-home-page-a531e1b8-ed54-d057-0262-cc5983a065c6)
      - question: |
          How to add sites to the Enterprise Mode (EMIE) site list
        answer: |
          For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](../ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md).
      - question: |
          What is Content Security Policy (CSP)?
        answer: |
          By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites.
          Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly.
          CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run.
          For more information, see the following articles:
          - [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/)
          - [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy)
      - question: |
          Where to find Internet Explorer security zones registry entries
        answer: |
          Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users).
          This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11.
          The default Zone Keys are stored in the following locations:
          - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
          - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
      - question: |
          Why don't HTML5 videos play in Internet Explorer 11?
        answer: |
          To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**.
          - 0 (the default value): Allow
          - 3: Disallow
          This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone.
          For more information, see [Unable to play HTML5 Videos in IE](/archive/blogs/askie/unable-to-play-html5-videos-in-ie).
          For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions).
          For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running)
      - question: |
          What is the Enterprise Mode Site List Portal?
        answer: |
          This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
      - question: |
          What is Enterprise Mode Feature?
        answer: |
          For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md).
      - question: |
          Where can I obtain a list of HTTP Status codes?
        answer: |
          For information about this list, see [HTTP Status Codes](/windows/win32/winhttp/http-status-codes).
      - question: |
          What is end of support for Internet Explorer 11?
        answer: |
          Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed.
          For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer).
      - question: |
          How to configure TLS (SSL) for Internet Explorer
        answer: |
          For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380).
      - question: |
          What is Site to Zone?
        answer: |
          Site to Zone usually refers to one of the following:
          **Site to Zone Assignment List**  
          This is a Group Policy policy setting that can be used to add sites to the various security zones.
          The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones:
          - Intranet zone
          - Trusted Sites zone
          - Internet zone
          - Restricted Sites zone
          If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site.
          **Site to Zone Mapping**  
          Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list:
          - HKEY\_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
          - HKEY\_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
          **Site to Zone Assignment List policy**  
          This policy setting is available for both Computer Configuration and User Configuration:
          - Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
          - User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
          **References**  
          [How to configure Internet Explorer security zone sites using group polices](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices)
      - question: |
          What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer?
        answer: |
          For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](/previous-versions/cc304129(v=vs.85)).
      - question: |
          What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting?
        answer: |
          The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server.
          For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](/archive/blogs/jpsanders/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer).
--- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md
+++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
@ -18,12 +18,12 @@ ms.date: 03/10/2021
 # Add unsigned app to code integrity policy
 > [!IMPORTANT]
-> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020.
+> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021.
 >
 > Following are the major changes we are making to the service: 
 > - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
 > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). 
-> -	DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download).  Note that the certificate used to sign a file can be easily extracted from the signed file itself.  As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files.
+> -	DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download).  Note that the certificate used to sign a file can be easily extracted from the signed file itself.  As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files.
 >
 > The following functionality will be available via these PowerShell cmdlets:
 > - Get a CI policy
@ -117,4 +117,4 @@ Catalog signing is a vital step to adding your unsigned apps to your code integr
     When you use the Device Guard signing portal to sign a catalog file, the signing certificate is added to the default policy. When you download the signed catalog file, you should also download the default policy and merge this code integrity policy with your existing code integrity policies to protect machines running the catalog file. You need to do this step to trust and run your catalog files. For more information, see the Merging code integrity policies in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
 6. Open the root certificate that you downloaded, and follow the steps in **Certificate Import wizard** to install the certificate in your machine's certificate store.
-7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with Microsoft Endpoint Manager in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
+7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with Microsoft Endpoint Manager in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@ -18,12 +18,12 @@ ms.date: 10/17/2017
 # Device Guard signing
 > [!IMPORTANT]
-> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020.
+> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021.
 >
 > Following are the major changes we are making to the service: 
 > - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
 > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). 
-> -	DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download).  Note that the certificate used to sign a file can be easily extracted from the signed file itself.  As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files.
+> -	DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download).  Note that the certificate used to sign a file can be easily extracted from the signed file itself.  As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files.
 >
 > The following functionality will be available via these PowerShell cmdlets:
 > - Get a CI policy
@ -32,7 +32,7 @@ ms.date: 10/17/2017
 > - Download root cert
 > - Download history of your signing operations 
 >
-> For any questions, please contact us at DGSSMigration@microsoft.com.  
+> For any questions, please contact us at DGSSMigration@microsoft.com. 
 **Applies to**
@ -72,4 +72,4 @@ Catalog and policy files have required files types.
 Signing code integrity policies and access to Device Guard portal requires the Device Guard signer role.
 ## Device Guard signing certificates
-All certificates generated by the Device Guard signing service are unique per customer and are independent of the Microsoft production code signing certificate authorities. All Certification Authority (CA) keys are stored within the cryptographic boundary of Federal Information Processing Standards (FIPS) publication 140-2 compliant hardware security modules. After initial generation, root certificate keys and top level CA keys are removed from the online signing service, encrypted, and stored offline.
+All certificates generated by the Device Guard signing service are unique per customer and are independent of the Microsoft production code signing certificate authorities. All Certification Authority (CA) keys are stored within the cryptographic boundary of Federal Information Processing Standards (FIPS) publication 140-2 compliant hardware security modules. After initial generation, root certificate keys and top level CA keys are removed from the online signing service, encrypted, and stored offline.
--- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
+++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
@ -18,12 +18,12 @@ ms.date: 10/17/2017
 # Sign code integrity policy with Device Guard signing
 > [!IMPORTANT]
-> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020.
+> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021.
 >
 > Following are the major changes we are making to the service: 
 > - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
 > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). 
-> -	DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download).  Note that the certificate used to sign a file can be easily extracted from the signed file itself.  As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files.
+> -	DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download).  Note that the certificate used to sign a file can be easily extracted from the signed file itself.  As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files.
 >
 > The following functionality will be available via these PowerShell cmdlets:
 > - Get a CI policy
@ -58,4 +58,4 @@ Before you get started, be sure to review these best practices:
 4.  After the files are uploaded, click **Sign** to sign the code integrity policy.
 5.  Click **Download** to download the signed code integrity policy.
-    When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then resign the policy.
+    When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then resign the policy.
--- a/windows/application-management/index.yml
+++ b/windows/application-management/index.yml
@ -5,7 +5,7 @@ summary: Learn about managing applications in Windows client, including how to r
 metadata:
  title: Windows application management  # Required; page title displayed in search results. Include the brand. < 60 chars.
-  description: Learn about managing applications in Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars.
+  description: Learn about managing applications in Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
  services: windows-10
  ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
  ms.subservice: subservice
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@ -0,0 +1,53 @@
 ---
 title: Language Pack Management CSP
 description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10.
 ms.reviewer: 
 manager: dansimp
 ms.author: v-nsatapathy
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nimishasatapathy
 ms.date: 06/22/2021
 ---
 # Language Pack Management CSP
 The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of "optional FODs" (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings.
 1. Enumerate installed languages with GET command on the "InstalledLanguages" node
    **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages**
    **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers**
    **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** 
   The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/store/collections/localexperiencepacks?cat0=devices&rtc=1). 
    - Indicates the language pack installed is a System Language Pack (non-LXP)
    - Indicates that the LXP is installed.
    - Indicates that both are installed.
 2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example, 
    **ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/**
    **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation**
    The installation is an asynchronous operation. You can query the **Status** node by using the following commands: 
    **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status**
    **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode**
    Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed.
    > [!NOTE]
    > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail.  
 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed.
   **DELETE./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN(Delete command)**
 4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node
   **./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages**
--- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md
+++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md
@ -14,7 +14,7 @@ ms.date: 06/26/2017
 # Certificate authentication device enrollment
-This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
+This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347).
 > [!Note]
 > To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package).
@ -31,7 +31,7 @@ For the list of enrollment scenarios not supported in Windows 10, see [Enrollme
 The following example shows the discovery service request.
-``` syntax
+```xml
 POST /EnrollmentServer/Discovery.svc HTTP/1.1
 Content-Type: application/soap+xml; charset=utf-8
 User-Agent: Windows Enrollment Client
@ -60,7 +60,7 @@ Cache-Control: no-cache
            <EmailAddress>user@contoso.com</EmailAddress>
            <OSEdition>101</OSEdition> <!--New in Windows 10-->
            <OSVersion>10.0.0.0</OSVersion> <!--New in Windows 10-->
-            <RequestVersion>3.0</RequestVersion> <!--Updated in Windows 10-->
+            <RequestVersion>3.0</RequestVersion> <!--Updated in Windows 10-->   
            <ApplicationVersion>10.0.0.0</ApplicationVersion>
            <AuthPolicies>Certificate</AuthPolicies> <!--New in Windows 10-->
         </request> 
@ -71,7 +71,7 @@ Cache-Control: no-cache
 The following example shows the discovery service response.
-```
+```xml
 HTTP/1.1 200 OK
 Content-Length: 865
 Content-Type: application/soap+xml; charset=utf-8
@ -111,7 +111,7 @@ http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoverySer
 The following example shows the policy web service request.
-```
+```xml
 POST /ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC HTTP/1.1
 Content-Type: application/soap+xml; charset=utf-8
 User-Agent: Windows Enrollment Client
@ -183,7 +183,7 @@ Cache-Control: no-cache
 The following snippet shows the policy web service response.
-```
+```xml
 HTTP/1.1 200 OK
 Date: Fri, 03 Aug 2012 20:00:00 GMT
 Server: <server name here>
@ -261,7 +261,7 @@ Content-Length: xxxx
 The following example shows the enrollment web service request.
-```
+```xml
 POST /EnrollmentServer/DeviceEnrollmentWebService.svc HTTP/1.1
 Content-Type: application/soap+xml; charset=utf-8
 User-Agent: Windows Enrollment Client
@ -369,7 +369,7 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol
 The following example shows the enrollment web service response.
-```
+```xml
 HTTP/1.1 200 OK
 Cache-Control: private
 Content-Length: 10231
@ -422,7 +422,7 @@ Date: Fri, 03 Aug 2012 00:32:59 GMT
 The following example shows the encoded provisioning XML.
-```
+```xml
 <wap-provisioningdoc version="1.1">
   <characteristic type="CertificateStore">
      <characteristic type="Root">
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@ -71,7 +71,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -97,7 +97,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -123,7 +123,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -149,7 +149,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -201,7 +201,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -227,7 +227,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -253,7 +253,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -305,7 +305,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -331,7 +331,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -358,7 +358,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
@ -384,7 +384,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -410,7 +410,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -436,7 +436,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -462,7 +462,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -514,7 +514,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -540,7 +540,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -566,7 +566,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -592,7 +592,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -618,7 +618,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -644,7 +644,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -670,7 +670,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -722,7 +722,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -748,7 +748,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -774,7 +774,6 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -802,7 +801,6 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -829,7 +827,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -882,7 +880,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -934,7 +932,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -960,7 +958,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1012,7 +1010,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1037,9 +1035,9 @@ Additional lists:
 </tr>
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" />
-<a href="https://docs.microsoft.com/windows/client-management/mdm/implement-server-side-mobile-application-management#integration-with-windows-information-protection">Only for mobile application management (MAM)</td>
+<a href="/windows/client-management/mdm/implement-server-side-mobile-application-management#integration-with-windows-information-protection">Only for mobile application management (MAM)</td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1065,10 +1063,9 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table>
@ -1092,7 +1089,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1118,7 +1115,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1144,7 +1141,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1168,7 +1165,7 @@ Additional lists:
 	<th>Mobile</th>
 </tr>
 <tr>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3<sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3<sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3<sup></td>
@ -1196,10 +1193,10 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /> (Provisioning only)</td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
 </tr>
 </table>
@ -1248,7 +1245,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1274,7 +1271,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1284,6 +1281,33 @@ Additional lists:
 <!--EndSKU-->
 <!--EndCSP-->
 <!--StartCSP-->
 [LanguagePackManagement CSP](language-pack-management-csp.md)
 <!--StartSKU-->
 <table>
 <tr>
 	<th>Home</th>
 	<th>Pro</th>
 	<th>Business</th>
 	<th>Enterprise</th>
 	<th>Education</th>
 	<th>Mobile</th>
 	<th>Mobile Enterprise</th>
 </tr>
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table>
 <!--EndSKU-->
 <!--EndCSP-->
 <!--StartCSP-->
 [Maps CSP](maps-csp.md)
@ -1300,7 +1324,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1378,7 +1402,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1404,7 +1428,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1482,7 +1506,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1534,7 +1558,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1560,7 +1584,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1586,7 +1610,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1638,7 +1662,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1664,7 +1688,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1688,12 +1712,12 @@ Additional lists:
 	<th>Mobile</th>
 </tr>
 <tr>
-	<td><img src="images/checkmark.png" alt="check mark" /> (Provisioning only)</td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /> (Provisioning only)</td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /> (Provisioning only)</td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /> (Provisioning only)</td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /> (Provisioning only)</td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
 </tr>
 </table>
@ -1716,7 +1740,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1742,7 +1766,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1768,7 +1792,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1794,7 +1818,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1820,7 +1844,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1846,7 +1870,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1872,7 +1896,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1898,7 +1922,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1924,7 +1948,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1950,7 +1974,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -1976,7 +2000,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2002,7 +2026,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -2028,7 +2052,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2159,7 +2183,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -2185,7 +2209,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2211,7 +2235,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2237,7 +2261,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2290,7 +2314,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2316,7 +2340,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -2368,7 +2392,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -2421,7 +2445,7 @@ Additional lists:
 <tr>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2447,7 +2471,7 @@ Additional lists:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2503,7 +2527,6 @@ Additional lists:
 	<td></td>
 	<td></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td></td>
 </tr>
 </table>
@ -2555,7 +2578,7 @@ The following list shows the CSPs supported in HoloLens devices:
 [PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
 | [Policy CSP](policy-configuration-service-provider.md)    | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
 | [RemoteFind CSP](remotefind-csp.md)    | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png) |
-| [RemoteWipe CSP](remotewipe-csp.md)    | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png) |
+| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only)  | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png) |
 | [RootCATrustedCertificates CSP](rootcacertificates-csp.md)   | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
 | [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>10</sup>  |
 | [Update CSP](update-csp.md)     | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
@ -2627,6 +2650,8 @@ The following list shows the CSPs supported in HoloLens devices:
 <hr>
 Footnotes:
 - A - Only for mobile application management (MAM).
 - B - Provisioning only.
 - 1 - Added in Windows 10, version 1607.
 - 2 - Added in Windows 10, version 1703.
 - 3 - Added in Windows 10, version 1709.
@ -2636,4 +2661,5 @@ The following list shows the CSPs supported in HoloLens devices:
 - 7 - Added in Windows 10, version 1909.
 - 8 - Added in Windows 10, version 2004.
 - 9 - Added in Windows 10 Team 2020 Update
- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2)
+- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2)
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@ -8,9 +8,9 @@ ms.author: dansimp
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: manikadhiman
+author: dansimp
 ms.localizationpriority: medium
-ms.date: 08/11/2020
+ms.date: 06/23/2021
 ---
 # Defender CSP
@ -56,9 +56,12 @@ Defender
 --------TamperProtectionEnabled (Added in Windows 10, version 1903)
 --------IsVirtualMachine (Added in Windows 10, version 1903)
 ----Configuration (Added in Windows 10, version 1903)
--------TamperProetection (Added in Windows 10, version 1903)
+--------TamperProtection (Added in Windows 10, version 1903)
--------EnableFileHashcomputation (Added in Windows 10, version 1903)
+--------EnableFileHashComputation (Added in Windows 10, version 1903)
 --------SupportLogLocation (Added in the next major release of Windows 10)
 --------PlatformUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
 --------EngineUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
 --------SignaturesUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
 ----Scan
 ----UpdateSignature
 ----OfflineScan (Added in Windows 10 version 1803)
@ -94,11 +97,11 @@ The data type is integer.
 The following list shows the supported values:
-   0 = Unknown
+- 0 = Unknown
-   1 = Low
+- 1 = Low
-   2 = Moderate
+- 2 = Moderate
-   4 = High
+- 4 = High
-   5 = Severe
+- 5 = Severe
 Supported operation is Get.
@ -171,17 +174,17 @@ The data type is integer.
 The following list shows the supported values:
-   0 = Active
+- 0 = Active
-   1 = Action failed
+- 1 = Action failed
-   2 = Manual steps required
+- 2 = Manual steps required
-   3 = Full scan required
+- 3 = Full scan required
-   4 = Reboot required
+- 4 = Reboot required
-   5 = Remediated with noncritical failures
+- 5 = Remediated with noncritical failures
-   6 = Quarantined
+- 6 = Quarantined
-   7 = Removed
+- 7 = Removed
-   8 = Cleaned
+- 8 = Cleaned
-   9 = Allowed
+- 9 = Allowed
-   10 = No Status ( Cleared)
+- 10 = No Status ( Cleared)
 Supported operation is Get.
@ -491,7 +494,7 @@ Supported operations are Add, Delete, Get, Replace.
 <a href="" id="configuration-enablefilehashcomputation"></a>**Configuration/EnableFileHashComputation**  
 Enables or disables file hash computation feature.
-When this feature is enabled Windows defender will compute hashes for files it scans.
+When this feature is enabled Windows Defender will compute hashes for files it scans.
 The data type is integer.
@ -518,9 +521,75 @@ When enabled or disabled exists on the client and admin moves the setting to not
 More details:  
- [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data)  
+- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data)  
 - [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices)  
 <a href="" id="configuration-supportloglocation"></a>**Configuration/PlatformUpdatesChannel**
 Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.
 Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
 Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
 Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
 Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
 If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
 The data type is integer.
 Supported operations are Add, Delete, Get, Replace.
 Valid values are:
 - 0: Not configured (Default)
 - 1: Beta Channel - Prerelease
 - 2: Current Channel (Preview)
 - 3: Current Channel (Staged)
 - 4: Current Channel (Broad)
 <a href="" id="configuration-supportloglocation"></a>**Configuration/EngineUpdatesChannel**
 Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.
 Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
 Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
 Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
 Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
 If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
 The data type is integer.
 Supported operations are Add, Delete, Get, Replace.
 Valid values are:
 - 0 - Not configured (Default)
 - 1 - Beta Channel - Prerelease
 - 2 - Current Channel (Preview)
 - 3 - Current Channel (Staged)
 - 4 - Current Channel (Broad)
 <a href="" id="configuration-supportloglocation"></a>**Configuration/SignaturesUpdatesChannel** 
 Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout.
 Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
 If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.
 The data type is integer.
 Supported operations are Add, Delete, Get, Replace.
 Valid Values are:
 - 0: Not configured (Default)
 - 3: Current Channel (Staged)
 - 4: Current Channel (Broad)
 <a href="" id="scan"></a>**Scan**  
 Node that can be used to start a Windows Defender scan on a device.
@ -542,4 +611,4 @@ Supported operations are Get and Execute.
 ## Related topics
-[Configuration service provider reference](configuration-service-provider-reference.md)
+[Configuration service provider reference](configuration-service-provider-reference.md)
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@ -10,7 +10,6 @@ ms.prod: w10
 ms.technology: windows
 author: manikadhiman
 ms.localizationpriority: medium
 ms.date: 08/11/2020
 ---
 # Defender DDF file
@ -757,6 +756,7 @@ The XML below is the current version for this CSP.
              </DFType>
            </DFProperties>
          </Node>
          <Node>
        </Node>
        <Node>
          <NodeName>Scan</NodeName>
--- a/windows/client-management/mdm/devdetail-ddf-file.md
+++ b/windows/client-management/mdm/devdetail-ddf-file.md
@ -189,7 +189,7 @@ The XML below is the current version for this CSP.
          <MIME>text/plain</MIME>
        </DFType>
      </DFProperties>
-    </Node> 
+    </Node>
    <Node>
      <NodeName>HwV</NodeName>
      <DFProperties>
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@ -9,7 +9,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: manikadhiman
-ms.date: 04/30/2019
+ms.date: 06/25/2021
 ---
 # DeviceStatus CSP
@ -150,8 +150,8 @@ Node for the compliance query.
 <a href="" id="devicestatus-compliance-encryptioncompliance"></a>**DeviceStatus/Compliance/EncryptionCompliance**  
 Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following:
-   0 - not encrypted
+-   0 - Not encrypted
-   1 - encrypted
+-   1 - Encrypted
 Supported operation is Get.
@ -179,8 +179,8 @@ Supported operation is Get.
 Added in Windows, version 1803. Read only node that specifies the device mode.
 Valid values:  
-  0 - the device is in standard configuration
+-  0 - The device is in standard configuration
-  1 - the device is in S mode configuration
+-  1 - The device is in S mode configuration
 Supported operation is Get.
@ -211,10 +211,10 @@ Added in Windows, version 1607. Integer that specifies the status of the antivi
 Valid values:
-   0 – Antivirus is on and monitoring
+-   0 – Antivirus is on and monitoring.
-   1 – Antivirus is disabled
+-   1 – Antivirus is disabled.
-   2 – Antivirus is not monitoring the device/PC or some options have been turned off
+-   2 – Antivirus is not monitoring the device/PC or some options have been turned off.
-   3 (default) – Antivirus is temporarily not completely monitoring the device/PC
+-   3 (default) – Antivirus is temporarily not completely monitoring the device/PC.
 -   4 – Antivirus not applicable for this device. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.)
 Supported operation is Get.
@ -263,10 +263,10 @@ Added in Windows, version 1607. Integer that specifies the status of the firewa
 Valid values:
-   0 – Firewall is on and monitoring
+-   0 – Firewall is on and monitoring.
-   1 – Firewall has been disabled
+-   1 – Firewall has been disabled.
-   2 – Firewall is not monitoring all networks or some rules have been turned off
+-   2 – Firewall is not monitoring all networks or some rules have been turned off.
-   3 (default) – Firewall is temporarily not monitoring all networks
+-   3 (default) – Firewall is temporarily not monitoring all networks.
 -   4 – Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.)
 Supported operation is Get.
@ -331,8 +331,8 @@ Added in Windows, version 1709. Virtualization-based security status.  Value is
 - 0 - Running
 - 1 - Reboot required 
 - 2 - 64 bit architecture required 
- 3 - not licensed 
+- 3 - Not licensed 
- 4 - not configured 
+- 4 - Not configured 
 - 5 - System doesn't meet hardware requirements 
 - 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details
@ -349,4 +349,4 @@ Added in Windows, version 1709. Local System Authority (LSA) credential guard s
 - 4 - VBS not running 
-Supported operation is Get.
+Supported operation is Get.
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@ -136,45 +136,45 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
  - Expected input value: The full command line including path and any arguments, such as `%windir%\\system32\\ipconfig.exe /all`.
  - Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands which may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter.
  - Privacy guardrails: To enable diagnostic data capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only the following commands are allowed:
-          - %windir%\\system32\\certutil.exe
+    - %windir%\\system32\\certutil.exe
-          - %windir%\\system32\\dxdiag.exe
+    - %windir%\\system32\\dxdiag.exe
-          - %windir%\\system32\\gpresult.exe
+    - %windir%\\system32\\gpresult.exe
-          - %windir%\\system32\\msinfo32.exe
+    - %windir%\\system32\\msinfo32.exe
-          - %windir%\\system32\\netsh.exe
+    - %windir%\\system32\\netsh.exe
-          - %windir%\\system32\\nltest.exe
+    - %windir%\\system32\\nltest.exe
-          - %windir%\\system32\\ping.exe
+    - %windir%\\system32\\ping.exe
-          - %windir%\\system32\\powercfg.exe
+    - %windir%\\system32\\powercfg.exe
-          - %windir%\\system32\\w32tm.exe
+    - %windir%\\system32\\w32tm.exe
-          - %windir%\\system32\\wpr.exe
+    - %windir%\\system32\\wpr.exe
-          - %windir%\\system32\\dsregcmd.exe
+    - %windir%\\system32\\dsregcmd.exe
-          - %windir%\\system32\\dispdiag.exe
+    - %windir%\\system32\\dispdiag.exe
-          - %windir%\\system32\\ipconfig.exe
+    - %windir%\\system32\\ipconfig.exe
-          - %windir%\\system32\\logman.exe
+    - %windir%\\system32\\logman.exe
-          - %windir%\\system32\\tracelog.exe
+    - %windir%\\system32\\tracelog.exe
-          - %programfiles%\\windows defender\\mpcmdrun.exe
+    - %programfiles%\\windows defender\\mpcmdrun.exe
-          - %windir%\\system32\\MdmDiagnosticsTool.exe
+    - %windir%\\system32\\MdmDiagnosticsTool.exe
-          - %windir%\\system32\\pnputil.exe
+    - %windir%\\system32\\pnputil.exe
 - **FoldersFiles**
  - Captures log files from a given path (without recursion).
  - Expected input value: File path with or without wildcards, such as "%windir%\\System32", or "%programfiles%\\*.log".
  - Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only paths under the following roots are allowed:
-          - %PROGRAMFILES%
+    - %PROGRAMFILES%
-          - %PROGRAMDATA%
+    - %PROGRAMDATA%
-          - %PUBLIC%
+    - %PUBLIC%
-          - %WINDIR%
+    - %WINDIR%
-          - %TEMP%
+    - %TEMP%
-          - %TMP%
+    - %TMP%
  - Additionally, only files with the following extensions are captured:
-          - .log
+    - .log
-          - .txt
+    - .txt
-          - .dmp
+    - .dmp
-          - .cab
+    - .cab
-          - .zip
+    - .zip
-          - .xml
+    - .xml
-          - .html
+    - .html
-          - .evtx
+    - .evtx
-          - .etl
+    - .etl
 <a href="" id="diagnosticarchive-archiveresults"></a>**DiagnosticArchive/ArchiveResults**
 Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run.
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: manikadhiman
-ms.date:
+ms.date: 06/02/2021
 ms.reviewer:
 manager: dansimp
 ---
@ -18,9 +18,9 @@ Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto
 The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.
 Requirements:
- AD-joined PC running Windows 10, version 1709 or later
+- Active Directory-joined PC running Windows 10, version 1709 or later
 - The enterprise has configured a mobile device management (MDM) service
- The on-premises AD must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad)
+- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad)
 - The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
 - The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) for more information.
@ -128,7 +128,7 @@ Requirements:
    > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later.
    > 
    > The default behavior for older releases is to revert to **User Credential**.
-    > **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device.
+    > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop.
    When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
@ -195,6 +195,8 @@ Requirements:
   - 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
   - 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124)
 2. Install the package on the Domain Controller.
 3. Navigate, depending on the version to the folder:
@ -211,6 +213,8 @@ Requirements:
   - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)**
   - 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)**
 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
 5. Copy PolicyDefinitions folder to **\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions**.
@ -294,7 +298,7 @@ To collect Event Viewer logs:
 - [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
 ### Useful Links
-
+- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124)
 - [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
 - [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
 - [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
@ -20,6 +20,7 @@ The EnterpriseDesktopAppManagement configuration service provider is used to han
 Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example).
 The following shows the EnterpriseDesktopAppManagement CSP in tree format.
 ```
 ./Device/Vendor/MSFT
 EnterpriseDesktopAppManagement
@ -37,6 +38,7 @@ EnterpriseDesktopAppManagement
 --------UpgradeCode
 ------------Guid
 ```
 <a href="" id="--vendor-msft-enterprisedesktopappmanagement"></a>**./Device/Vendor/MSFT/EnterpriseDesktopAppManagement**
 The root node for the EnterpriseDesktopAppManagement configuration service provider.
@ -194,15 +196,15 @@ The following table describes the fields in the previous sample:
 The following table describes the fields in the previous sample:
-| Name   | Description                                                                                                                                                |
+| Name   | Description |
-|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|--------|-----------------------|
-| Get    | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application.                                 |
+| Get    | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application.|
-| CmdID  | Input value used to reference the request. Responses will include this value which can be used to match request and response.                              |
+| CmdID  | Input value used to reference the request. Responses will include this value which can be used to match request and response. |
 | LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. |
-**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to preceed the Exec command.**
+**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to precede the Exec command.**
 ```xml
 <SyncML xmlns="SYNCML:SYNCML1.1">
@ -292,7 +294,8 @@ The following table describes the fields in the previous sample:
-> **Note**  Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at <https://technet.microsoft.com/library/cc759262(v=ws.10).aspx>.
+> [!Note]
 > Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx).
@ -401,7 +404,7 @@ The following table MsiInstallJob describes the schema elements.
 <td>Command-line options to be used when calling MSIEXEC.exe</td>
 </tr>
 <tr class="even">
-<td>Timeout</td>
+<td>TimeOut</td>
 <td>Amount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation.</td>
 </tr>
 <tr class="odd">
@ -550,21 +553,18 @@ Here's a list of references:
 ```xml
 <Alert>
-       <CmdID>4</CmdID>
+   <CmdID>4</CmdID>
-       <Data>1224</Data>
+   <Data>1224</Data>
-       <Item>
+   <Item>
-          <Source>
+      <Source>
-             <LocURI>./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{AF9257BA-6BBD-4624-AA9B-0182D50292C3}/DownloadInstall</LocURI>
+         <LocURI>./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{AF9257BA-6BBD-4624-AA9B-0182D50292C3}/DownloadInstall</LocURI>
-          </Source>
+      </Source>
-          <Meta>
+      <Meta>
-             <Type xmlns="syncml:metinf">Reversed-Domain-Name:com.microsoft.mdm.win32csp_install</Type>
+         <Type xmlns="syncml:metinf">Reversed-Domain-Name:com.microsoft.mdm.win32csp_install</Type>
-             <Format xmlns="syncml:metinf">int</Format>
+         <Format xmlns="syncml:metinf">int</Format>
-             <Mark xmlns="syncml:metinf">informational</Mark>
+         <Mark xmlns="syncml:metinf">informational</Mark>
-          </Meta>
+      </Meta>
-          <Data>0</Data>
+      <Data>0</Data>
-       </Item>
+   </Item>
 </Alert>
 ```
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@ -502,8 +502,8 @@ The following list of data points are verified by the DHA-Service in DHA-Report
 - [HealthStatusMismatchFlags](#healthstatusmismatchflags)
 \*  TPM 2.0 only   
-**  Reports if Bitlocker was enabled during initial boot.    
+\*\*  Reports if BitLocker was enabled during initial boot.    
-*** The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot.  
+\*\*\* The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot.  
 Each of these are described in further detail in the following sections, along with the recommended actions to take.
@ -547,8 +547,8 @@ Each of these are described in further detail in the following sections, along w
 -   Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history.
 -   Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
-<a href="" id="bitlockerstatus"></a>**BitlockerStatus** (at boot time) 
+<a href="" id="bitlockerstatus"></a>**BitLockerStatus** (at boot time) 
-<p style="margin-left: 20px">When Bitlocker is reported &quot;on&quot; at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.</p>
+<p style="margin-left: 20px">When BitLocker is reported &quot;on&quot; at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.</p>
 <p style="margin-left: 20px">Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.</p>
@ -614,7 +614,7 @@ Each of these are described in further detail in the following sections, along w
 -   Disallow all access
 -   Disallow access to HBI assets
 -   Place the device in a watch list to monitor the device more closely for potential risks.
-   Trigger a corrective action, such as enabling VSM using WMI or a Powershell script.  
+-   Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script.  
 <a href="" id="oskerneldebuggingenabled"></a>**OSKernelDebuggingEnabled**
 <p style="margin-left: 20px">OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.</p>
@ -659,7 +659,7 @@ Each of these are described in further detail in the following sections, along w
 -   Disallow all access
 -   Disallow access to HBI and MBI assets
 -   Place the device in a watch list to monitor the device more closely for potential risks.
-   Trigger a corrective action, such as enabling test signing using WMI or a Powershell script.
+-   Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script.
 <a href="" id="safemode"></a>**SafeMode**  
 <p style="margin-left: 20px">Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.</p>
@ -1176,4 +1176,3 @@ xmlns="http://schemas.microsoft.com/windows/security/healthcertificate/validatio
 [Configuration service provider reference](configuration-service-provider-reference.md)
--- a/windows/client-management/mdm/images/edit-row.png
+++ b/windows/client-management/mdm/images/edit-row.png
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@ -1371,6 +1371,7 @@ The following diagram shows the Policy configuration service provider in tree fo
  </dd>
 </dl>
 ## ADMX_ICM policies  
 <dl>
@ -6781,6 +6782,14 @@ The following diagram shows the Policy configuration service provider in tree fo
  </dd>
 </dl>
 ### Language Pack Management CSP policies
 <dl>
  <dd>
    <a href="./policy-csp-lanmanworkstation.md#lanmanworkstation-enableinsecureguestlogons" id="lanmanworkstation-enableinsecureguestlogons">LanmanWorkstation/EnableInsecureGuestLogons</a>
  </dd>
 </dl>
 ### Licensing policies
 <dl>
--- a/windows/client-management/mdm/policy-csp-admx-printing.md
+++ b/windows/client-management/mdm/policy-csp-admx-printing.md
@ -1838,15 +1838,15 @@ ADMX Info:
 <!--/Scope-->
 <!--Description-->
-Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse master servers for the domain.
+Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse main servers for the domain.
 On domains with Active Directory, shared printer resources are available in Active Directory and are not announced.
-If you enable this setting, the print spooler announces shared printers to the print browse master servers.
+If you enable this setting, the print spooler announces shared printers to the print browse main servers.
-If you disable this setting, shared printers are not announced to print browse master servers, even if Active Directory is not available.
+If you disable this setting, shared printers are not announced to print browse main servers, even if Active Directory is not available.
-If you do not configure this setting, shared printers are announced to browse master servers only when Active Directory is not available.
+If you do not configure this setting, shared printers are announced to browse main servers only when Active Directory is not available.
 > [!NOTE]
 > A client license is used each time a client computer announces a printer to a print browse master on the domain.
--- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
@ -4521,7 +4521,7 @@ ADMX Info:
 <!--Description-->
 Available in the latest Windows 10 Insider Preview Build. Prevents users from using My Computer to gain access to the content of selected drives.
-If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.
+If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents (open the files in the folders or see the files in the folders). Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.
 To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list.
@ -5356,4 +5356,4 @@ ADMX Info:
 > [!NOTE]
 > These policies are currently only available as part of a Windows Insider release.
-<!--/Policies-->
+<!--/Policies-->
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@ -542,7 +542,7 @@ Value type is integer. Supported values:
 > [!Warning]
 > This policy is in preview mode only and therefore not meant or recommended for production purposes.
-"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML). 
+"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass.
 > [!Note]
 > Web Sign-in is only supported on Azure AD Joined PCs.
--- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
+++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
@ -51,7 +51,7 @@ manager: dansimp
 </tr>
 <tr>
    <td>Pro</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 <tr>
    <td>Business</td>
@ -115,7 +115,7 @@ The following list shows the supported values:
 </tr>
 <tr>
    <td>Pro</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 <tr>
    <td>Business</td>
@ -178,7 +178,7 @@ IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to
 </tr>
 <tr>
    <td>Pro</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 <tr>
    <td>Business</td>
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@ -30,6 +30,9 @@ ms.localizationpriority: medium
  <dd>
    <a href="#deviceinstallationallowinstallationofmatchingdevicesetupclasses">DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses</a>
  </dd>
 <dd>
    <a href="#deviceinstallationenableinstallationpolicylayering">DeviceInstallation/EnableInstallationPolicyLayering</a>
  </dd>
  <dd>
    <a href="#deviceinstallationpreventdevicemetadatafromnetwork">DeviceInstallation/PreventDeviceMetadataFromNetwork</a>
  </dd>
@ -94,12 +97,22 @@ ms.localizationpriority: medium
 <!--/Scope-->
 <!--Description-->
-This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. 
+This policy setting allows you to specify a list of plug-and-play hardware IDs and compatible IDs for devices that Windows is allowed to install. 
 > [!TIP]
-> Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.
+> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
-If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:
 - Prevent installation of devices that match these device IDs
 - Prevent installation of devices that match any of these device instance IDs
 If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
 > [!NOTE]
 > The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
 Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting).
 If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
 If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
@ -203,17 +216,31 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
 > [!div class = "checklist"]
 > * Device
-
+Added in Windows 10, version 1903. Also available in Windows 10, version 1809.
 <hr/>
 <!--/Scope-->
 <!--Description-->
-Added in Windows 10, version 1903. Also available in Windows 10, version 1809. This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.
+This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install.
-If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+> [!TIP]
 > This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
 When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:
 - Prevent installation of devices that match any of these device instance IDs
 If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
 > [!NOTE]
 > The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
 Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting).
 If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
 If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
 Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
 <!--/Description-->
@ -315,20 +342,30 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
 <!--/Scope-->
 <!--Description-->
-This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is allowed to install. 
+This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is allowed to install. 
 > [!TIP]
-> Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.
+> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
-If you enable this policy setting, Windows is allowed to install or update device drivers whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:
-This setting allows device installation based on the serial number of a removable device if that number is in the hardware ID.
+- Prevent installation of devices for these device classes
 - Prevent installation of devices that match these device IDs
 - Prevent installation of devices that match any of these device instance IDs
 If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
 > [!NOTE]
 > The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
 Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting).
 If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
 If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
 Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@ -394,6 +431,133 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
 <hr/>
 <!--Policy-->
 ## DeviceInstallation/EnableInstallationPolicyLayering
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Windows Edition</th>
    <th>Supported?</th>
 </tr>
 <tr>
    <td>Home</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 <tr>
    <td>Pro</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 </tr>
 <tr>
    <td>Business</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 </tr>
 <tr>
    <td>Education</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 Added in Windows 10, Version 2106
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows:
 Device instance IDs > Device IDs > Device setup class > Removable devices 
 **Device instance IDs**
 - Prevent installation of devices using drivers that match these device instance IDs.
 - Allow installation of devices using drivers that match these device instance IDs.
 **Device IDs**
 - Prevent installation of devices using drivers that match these device IDs.
 - Allow installation of devices using drivers that match these device IDs.
 **Device setup class**
 - Prevent installation of devices using drivers that match these device setup classes.
 - Allow installation of devices using drivers that match these device setup classes.
 **Removable devices**
 - Prevent installation of removable devices.
 > [!NOTE]
 > This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored.
 If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP English name: *Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria*
 -   GP name: *DeviceInstall_Allow_Deny_Layered*
 -   GP path: *System/Device Installation/Device Installation Restrictions*
 -   GP ADMX file name: *deviceinstallation.admx*
 <!--/ADMXBacked-->
 <!--SupportedValues-->
 <!--/SupportedValues-->
 <!--Example-->
 ```xml
 <SyncML>
    <SyncBody>
        <Replace>
            <CmdID>$CmdID$</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/EnableInstallationPolicyLayering</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">string</Format>
                </Meta>
                <Data><enabled/><Data id="AllowDenyLayered" value="1"/></Data>;
                </Item>
        </Replace>
    </SyncBody>
 </SyncML>
 ```
 To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
 ```txt
 >>>  [Device Installation Restrictions Policy Check]
 >>>  Section start 2018/11/15 12:26:41.659
 <<<  Section end 2018/11/15 12:26:41.751
 <<<  [Exit status: SUCCESS]
 ```
 You can also change the evaluation order of device installation policy settings by using a custom profile in Intune.
 :::image type="content" source="images/edit-row.png" alt-text="This is a edit row image":::
 <!--/Example-->
 <!--Validation-->
 <!--/Validation-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 ## DeviceInstallation/PreventDeviceMetadataFromNetwork
@ -519,9 +683,12 @@ ADMX Info:
 <!--Description-->
 This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting.
-If you enable this policy setting, Windows is prevented from installing or updating the device driver for any device that is not described by either the "Allow installation of devices that match any of these device IDs" or the "Allow installation of devices for these device classes" policy setting.
+> [!NOTE]
 > This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting.
-If you disable or do not configure this policy setting, Windows is allowed to install or update the device driver for any device that is not described by the "Prevent installation of devices that match any of these device IDs," "Prevent installation of devices for these device classes," or "Prevent installation of removable devices" policy setting.
+If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that is not described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting.
 If you disable or do not configure this policy setting, Windows is allowed to install or update the driver package for any device that is not described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting.
 <!--/Description-->
 > [!TIP]
@ -629,7 +796,10 @@ You can also block installation by using a custom profile in Intune.
 <!--/Scope-->
 <!--Description-->
-This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
+This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device.
 > [!NOTE]
 > To enable the "Allow installation of devices that match any of these device instance IDs" policy setting to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting.
 If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
@ -873,9 +1043,12 @@ with
 <!--/Scope-->
 <!--Description-->
-This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
+This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device.
-If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+> [!NOTE]
 > To enable the "Allow installation of devices that match any of these device IDs" and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting.
 If you enable this policy setting, Windows is prevented from installing or updating driver packages whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
 If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@ -7,7 +7,7 @@ ms.prod: w10
 ms.technology: windows
 author: manikadhiman
 ms.localizationpriority: medium
-ms.date: 09/27/2019
+ms.date: 05/02/2021
 ms.reviewer: 
 manager: dansimp
 ---
@ -1045,9 +1045,7 @@ GP Info:
 <!--/RegistryMapped-->
 <!--SupportedValues-->
-Valid values:  
+Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked. If it is set to zero (0), the setting is disabled.
 - 0 - disabled 
 - 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit)
 <!--/SupportedValues-->
 <!--/Policy-->
@ -1243,7 +1241,8 @@ If you click Force Logoff in the Properties dialog box for this policy, the user
 If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.
-Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
+> [!NOTE]
 > Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
 Default: This policy is not defined, which means that the system treats it as No action.
@ -2459,7 +2458,8 @@ If you select "Enable auditing for all accounts", the server will log events for
 This policy is supported on at least Windows 7 or Windows Server 2008 R2.
-Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+> [!NOTE]
 > Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
 <!--/Description-->
 <!--RegistryMapped-->
@ -2537,7 +2537,8 @@ If you select "Deny all accounts," the server will deny NTLM authentication requ
 This policy is supported on at least Windows 7 or Windows Server 2008 R2.
-Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+> [!NOTE]
 > Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
 <!--/Description-->
 <!--RegistryMapped-->
@ -2615,7 +2616,8 @@ If you select "Deny all," the client computer cannot authenticate identities to
 This policy is supported on at least Windows 7 or Windows Server 2008 R2.
-Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+> [!NOTE]
 > Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
 <!--/Description-->
 <!--RegistryMapped-->
@ -2899,7 +2901,9 @@ This policy setting controls the behavior of the elevation prompt for administra
 The options are:
- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.
+- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials.
      > [!NOTE]
      > Use this option only in the most constrained environments.
 - 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
@ -3170,11 +3174,12 @@ User Account Control: Only elevate UIAccess applications that are installed in s
 This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
- â€¦\Program Files\, including subfolders
+- .\Program Files\, including subfolders
- â€¦\Windows\system32\
+- .\Windows\system32\
- â€¦\Program Files (x86)\, including subfolders for 64-bit versions of Windows
+- .\Program Files (x86)\, including subfolders for 64-bit versions of Windows
-Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
+> [!NOTE]
 > Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
 The options are:  
 - 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
@ -3242,7 +3247,9 @@ User Account Control: Turn on Admin Approval Mode
 This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
 The options are:
- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
+- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled.
      > [!NOTE]
      > If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
 - 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. 
@ -3467,4 +3474,4 @@ Footnotes:
 - 7 - Available in Windows 10, version 1909.
 - 8 - Available in Windows 10, version 2004.
-<!--/Policies-->
+<!--/Policies-->
--- a/windows/client-management/mdm/policy-csp-localusersandgroups.md
+++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md
@ -14,9 +14,6 @@ manager: dansimp
 # Policy CSP - LocalUsersAndGroups
 > [!WARNING]
 > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
 <hr/>
 <!--Policies-->
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@ -719,7 +719,7 @@ ADMX Info:
 <!--/SupportedValues-->
 <!--Example-->
 Example for setting the device custom OMA-URI setting to enable this policy:  
-To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```.\[device|user]\vendor\msft\policy\[config|result]\Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1.
+To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1.
 See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settings-windows-10) for information on how to create custom profiles.
 <!--/Example-->
@ -740,4 +740,4 @@ Footnotes:
 - 7 - Available in Windows 10, version 1909.
 - 8 - Available in Windows 10, version 2004.
-<!--/Policies-->
+<!--/Policies-->
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@ -49,6 +49,9 @@ manager: dansimp
  <dd>
    <a href="#system-allowtelemetry">System/AllowTelemetry</a>
  </dd>
  <dd>
    <a href="#system-allowUpdateComplianceProcessing">System/AllowUpdateComplianceProcessing</a>
  </dd>
  <dd>
    <a href="#system-allowusertoresetphone">System/AllowUserToResetPhone</a>
  </dd>
@ -736,12 +739,17 @@ The following list shows the supported values for Windows 8.1:
 </tbody>
 </table>-->
-In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. The following list shows the supported values for Windows 10:  
+In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft.
-   0 – (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender. 
+
-    **Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), Hololens 2, and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
+The following list shows the supported values for Windows 10 version 1809 and older, choose the value that is applicable to your OS version (older OS values are displayed in the brackets):
-   1 – (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data.
+-   0 – **Off (Security)** This turns Windows diagnostic data off.  
-   2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data.
+    **Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1.
-   3 – (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices.
+-   1 – **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date.
 -   2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps.  
    **Note**:  **Enhanced** is no longer an option for Windows Holographic, version 21H1.
 -   3 – **Optional (Full)** Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs.
 Most restrictive value is 0.
 <!--<table style="margin-left: 20px">
 <colgroup>
@ -772,13 +780,6 @@ In Windows 10, you can configure this policy setting to decide what level of dia
 </tbody>
 </table>-->
 > [!IMPORTANT]
 > If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1.
 Most restricted value is 0.
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
@ -791,6 +792,77 @@ ADMX Info:
 <!--/ADMXMapped-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="system-allowUpdateComplianceProcessing"></a>**System/AllowUpdateComplianceProcessing**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Windows Edition</th>
    <th>Supported?</th>
 </tr>
 <tr>
    <td>Home</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 <tr>
    <td>Pro</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 <tr>
    <td>Business</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 <tr>
    <td>Education</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 Allows IT admins to enable diagnostic data from this device to be processed by Update Compliance.  
 If you enable this setting, it enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service.
 If you disable or do not configure this policy setting, diagnostic data from this device will not be processed by Update Compliance.
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
 -   GP English name: *Allow Update Compliance Processing*
 -   GP name: *AllowUpdateComplianceProcessing*
 -   GP element: *AllowUpdateComplianceProcessing*
 -   GP path: *Data Collection and Preview Builds*
 -   GP ADMX file name: *DataCollection.admx*
 <!--/ADMXMapped-->
 <!--SupportedValues-->
 The following list shows the supported values:
 -   0 - Disabled.
 -   16 - Enabled.
 <!--/SupportedValues-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
@ -852,6 +924,7 @@ The following list shows the supported values:
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="system-bootstartdriverinitialization"></a>**System/BootStartDriverInitialization**  
@ -1607,14 +1680,16 @@ This policy setting, in combination with the System/AllowTelemetry
 policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. 
 To enable this behavior, you must complete two steps:
-<ul>
+
-<li>Enable this policy setting</li>
+-   Enable this policy setting
-<li>Set Allow Telemetry to level 2 (Enhanced)</li>
+-   Set the **AllowTelemetry** level:
-</ul>
+    - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. (**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1)
    - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full)
 When you configure these policy settings, a basic level of  diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: <a href="/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields" data-raw-source="[Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields)">Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics</a>.
-Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft.
+Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send Required (Basic) or Optional (Full) diagnostic data to Microsoft.
 If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy.
@ -1778,5 +1853,7 @@ Footnotes:
 - 6 - Available in Windows 10, version 1903.
 - 7 - Available in Windows 10, version 1909.
 - 8 - Available in Windows 10, version 2004.
 - 9 - Available in Windows 10, version 20H2.
 - 10 - Available in Windows 10, version 21H1.
-<!--/Policies-->
+<!--/Policies-->
--- a/windows/client-management/mdm/policy-ddf-file.md
+++ b/windows/client-management/mdm/policy-ddf-file.md
--- a/windows/client-management/mdm/supl-ddf-file.md
+++ b/windows/client-management/mdm/supl-ddf-file.md
@ -725,7 +725,7 @@ The XML below is the DDF for the current version for this CSP.
          <Node>
            <NodeName>LocMasterSwitchDependencyNII</NodeName>
            <DFProperties>
-              <AccessType>
+              <AccessType>-
                <Get />
                <Replace />
              </AccessType>
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@ -61,9 +61,9 @@ SurfaceHub
 --------SleepTimeout
 --------AllowSessionResume
 --------AllowAutoProxyAuth
 --------ProxyServers
 --------DisableSigninSuggestions
 --------DoNotShowMyMeetingsAndFiles
 ----ProxyServers
 ----Management
 --------GroupName
 --------GroupSid
@ -571,6 +571,11 @@ SurfaceHub
 <p style="margin-left: 20px">If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.
 <p style="margin-left: 20px">The data type is boolean. Supported operation is Get and Replace.
 <a href="" id="properties-proxyservers"></a>**Properties/ProxyServers**
 <p style="margin-left: 20px">Added in <a href="https://support.microsoft.com/topic/may-28-2019-kb4499162-os-build-15063-1839-ed6780ab-38d6-f590-d789-5ba873b1e142" data-raw-source="[KB4499162](https://support.microsoft.com/topic/may-28-2019-kb4499162-os-build-15063-1839-ed6780ab-38d6-f590-d789-5ba873b1e142)">KB4499162</a> for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://).
 <p style="margin-left: 20px">The data type is string. Supported operation is Get and Replace.
 <a href="" id="properties-disablesigninsuggestions"></a>**Properties/DisableSigninSuggestions**
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@ -17,7 +17,7 @@ ms.date: 02/23/2018
 The Update configuration service provider enables IT administrators to manage and control the rollout of new updates.
 > [!NOTE]
-> The Update CSP functionality of 'AprrovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies.
+> The Update CSP functionality of 'ApprovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies.
 The following shows the Update configuration service provider in tree format.
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@ -390,6 +390,9 @@ Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile.
 The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface.
 > [!NOTE]  
 > Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT.
 <a href="" id="vpnv2-profilename-domainnameinformationlist-dnirowid"></a>**VPNv2/**<em>ProfileName</em>**/DomainNameInformationList/**<em>dniRowId</em>  
 A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
@ -419,8 +422,8 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete.
 <a href="" id="vpnv2-profilename-domainnameinformationlist-dnirowid-webproxyservers"></a>**VPNv2/**<em>ProfileName</em>**/DomainNameInformationList/**<em>dniRowId</em>**/WebProxyServers**  
 Optional. Web Proxy Server IP address if you are redirecting traffic through your intranet.
-> [!NOTE]
+> [!NOTE]  
-> Currently only one web proxy server is supported.
+> Currently only one web proxy server is supported.  
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@ -1600,4 +1603,3 @@ Servers
--- a/windows/client-management/windows-10-mobile-and-mdm.md
+++ b/windows/client-management/windows-10-mobile-and-mdm.md
@ -531,7 +531,7 @@ To distribute an app offline (organization-managed), the app must be downloaded
 To install acquired Microsoft Store or LOB apps offline on a Windows 10 Mobile device, IT administrators can use an MDM system. The MDM system distributes the app packages that you downloaded from Microsoft Store (also called sideloading) to Windows 10 Mobile devices. Support for offline app distribution depends on the MDM system you are using, so consult your MDM vendor documentation for details. You can fully automate the app deployment process so that no user intervention is required.
-Microsoft Store apps or LOB apps that have been uploaded to the Microsoft Store for Business are automatically trusted on all Windows devices, as they are cryptographically signed with Microsoft Store certificates. LOB apps that are uploaded to the Microsoft Store for Business are private to your organization and are never visible to other companies or consumers. If you do not want to upload your LOB apps, you have to establish trust for the app on your devices. To establish this trust, you’ll need to generate a signing certificate with your Public Key Infrastructure and add your chain of trust to the trusted certificates on the device (see the certificates section). You can install up to 20 self-signed LOB apps per device with Windows 10 Mobile. To install more than 20 apps on a device, you can purchase a signing certificate from a trusted public Certificate Authority, or upgrade your devices to Windows 10 Mobile Enterprise edition.
+Microsoft Store apps or LOB apps that have been uploaded to the Microsoft Store for Business are automatically trusted on all Windows devices, as they are cryptographically signed with Microsoft Store certificates. LOB apps that are uploaded to the Microsoft Store for Business are private to your organization and are never visible to other companies or consumers. If you do not want to upload your LOB apps, you have to establish trust for the app on your devices. To establish this trust, you’ll need to generate a signing certificate with your Public Key Infrastructure and add your chain of trust to the trusted certificates on the device (see the certificates section). You can install up to 20 self-signed LOB apps per device with Windows 10 Mobile. To install more than 20 apps on a device, you can purchase a signing certificate from a trusted public Certificate Authority, or upgrade your devices to Windows 10 edition.
 For more information, see [Microsoft Store for Business](/microsoft-store/index).
@ -786,14 +786,12 @@ Update availability depends on what servicing option you choose for the device.
 <td align="left">Immediately after the Feature Update is published to Windows Update by Microsoft</td>
 <td align="left">Microsoft typically releases two Feature Updates per 12-month period (approximately every four months, though it can potentially be longer)</td>
 <td align="left">Makes new features available to users as soon as possible</td>
 <td align="left">Mobile &amp; Mobile Enterprise</td>
 </tr>
 <tr class="even">
 <td align="left"><strong>Current Branch for Business (CBB)</strong></td>
 <td align="left">A minimum of four months after the corresponding Feature Update is first published to Windows Update by Microsoft</td>
 <td align="left">A minimum of four months, though it potentially can be longerNo</td>
 <td align="left">Provides additional time to test new feature before deployment</td>
 <td align="left">Mobile Enterprise only</td>
 </tr>
 </tbody>
 </table>
@ -802,11 +800,11 @@ Update availability depends on what servicing option you choose for the device.
 *Applies to: Corporate devices*
-While Windows 10 Mobile provides updates directly to user devices from Windows Update, there are many organizations that want to track, test, and schedule updates to corporate devices. To support these requirements, we created the Windows 10 Mobile Enterprise edition.
+While Windows 10 Mobile provides updates directly to user devices from Windows Update, there are many organizations that want to track, test, and schedule updates to corporate devices. To support these requirements, we created the Windows 10 edition.
-Upgrading to Windows 10 Mobile Enterprise edition provides additional device and app management capabilities for organizations that want to:
+Upgrading to Windows 10 edition provides additional device and app management capabilities for organizations that want to:
-   **Defer, approve and deploy feature and quality updates:** Windows 10 Mobile devices get updates directly from Windows Update. If you want to curate updates prior to deploying them, an upgrade to Windows 10 Mobile Enterprise edition is required. Once Enterprise edition is enabled, the phone can be set to the Current Branch for Business servicing option, giving IT additional time to test updates before they are released.
+-   **Defer, approve and deploy feature and quality updates:** Windows 10 Mobile devices get updates directly from Windows Update. If you want to curate updates prior to deploying them, an upgrade to Windows 10 edition is required. Once Enterprise edition is enabled, the phone can be set to the Current Branch for Business servicing option, giving IT additional time to test updates before they are released.
-   **Deploy an unlimited number of self-signed LOB apps to a single device:** To use an MDM system to deploy LOB apps directly to devices, you must cryptographically sign the software packages with a code signing certificate that your organization’s certificate authority (CA) generates. You can deploy a maximum of 20 self-signed LOB apps to a Windows 10 Mobile device. To deploy more than 20 self-signed LOB apps, Windows 10 Mobile Enterprise is required.
+-   **Deploy an unlimited number of self-signed LOB apps to a single device:** To use an MDM system to deploy LOB apps directly to devices, you must cryptographically sign the software packages with a code signing certificate that your organization’s certificate authority (CA) generates. You can deploy a maximum of 20 self-signed LOB apps to a Windows 10 Mobile device. To deploy more than 20 self-signed LOB apps, Windows 10 is required.
 -   **Set the diagnostic data level:** Microsoft collects diagnostic data to help keep Windows devices secure and to help Microsoft improve the quality of Windows and Microsoft services. An upgrade to Windows 10 Mobile Enterprise edition is required to set the diagnostic data level so that only diagnostic information required to keep devices secured is gathered.
 To learn more about diagnostic, see [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
@ -980,7 +978,7 @@ This is a list of attributes that are supported by DHA and can trigger the corre
 -   **Boot Manager Version** The version of the Boot Manager running on the device. The HAS can check this version to determine whether the most current Boot Manager is running, which is more secure (trusted).
 -   **Code integrity version** Specifies the version of code that is performing integrity checks during the boot sequence. The HAS can check this version to determine whether the most current version of code is running, which is more secure (trusted).
 -   **Secure Boot Configuration Policy (SBCP) present** Specifies whether the hash of the custom SBCP is present. A device with an SBCP hash present is more trustworthy than a device without an SBCP hash.
-   **Boot cycle whitelist** The view of the host platform between boot cycles as defined by the manufacturer compared to a published allow list. A device that complies with the allow list is more trustworthy (secure) than a device that is noncompliant.
+-   **Boot cycle allow list** The view of the host platform between boot cycles as defined by the manufacturer compared to a published allow list. A device that complies with the allow list is more trustworthy (secure) than a device that is noncompliant.
 #### Example scenario
--- a/windows/configuration/TOC.yml
+++ b/windows/configuration/TOC.yml
@ -117,7 +117,7 @@
      items:
        - name: Set up and test Cortana in Windows 10, version 2004 and later
          href: cortana-at-work/set-up-and-test-cortana-in-windows-10.md
-        - name: Testing scenarios using Cortana in your business or organization
+        - name: Cortana at work testing scenarios
          href: cortana-at-work/cortana-at-work-testing-scenarios.md
        - name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query
          href: cortana-at-work/cortana-at-work-scenario-1.md
@ -138,7 +138,7 @@
        - name: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
          href: cortana-at-work/cortana-at-work-o365.md
        - name: Testing scenarios using Cortana in your business or organization
-          href: cortana-at-work/cortana-at-work-testing-scenarios.md
+          href: cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
        - name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query
          href: cortana-at-work/test-scenario-1.md
        - name: Test scenario 2 - Perform a quick search with Cortana at work
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
@ -1,31 +1,25 @@
 ---
-title: Testing scenarios using Cortana in your business or organization (Windows 10)
+title: Cortana at work testing scenarios
-description: A list of suggested testing scenarios that you can use to test Cortana in your organization.
+description: Suggested testing scenarios that you can use to test Cortana in your organization.
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: greg-lindsay
 ms.localizationpriority: medium
 ms.author: greglin
-ms.date: 10/05/2017
+ms.date: 06/28/2021
 ms.reviewer: 
 manager: dansimp
 ---
-# Testing scenarios using Cortana in your business or organization
+# Cortana at work testing scenarios
 We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
 - [Sign into Azure AD, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md)
 - [Perform a Bing search with Cortana](cortana-at-work-scenario-2.md)
 - [Set a reminder](cortana-at-work-scenario-3.md)
 - [Use Cortana to find free time on your calendar](cortana-at-work-scenario-4.md)
 - [Find out about a person](cortana-at-work-scenario-5.md)
 - [Change your language and perform a quick search with Cortana](cortana-at-work-scenario-6.md)
 - [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organization’s entries in the notebook](cortana-at-work-scenario-7.md)
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@ -1,11 +1,11 @@
- name: Deploy and update Windows 10
+- name: Deploy and update Windows client
  href: index.yml
  items: 
    - name: Get started
      items: 
        - name: What's new
          href: deploy-whats-new.md
-        - name: Windows 10 deployment scenarios
+        - name: Windows client deployment scenarios
          href: windows-10-deployment-scenarios.md
        - name: What is Windows as a service?
          href: update/waas-quick-start.md
@ -33,6 +33,8 @@
    - name: Plan
      items:
        - name: Plan for Windows 11
          href: /windows/whats-new/windows-11-plan
        - name: Create a deployment plan
          href: update/create-deployment-plan.md
        - name: Define readiness criteria
@ -67,6 +69,8 @@
    - name: Prepare
      items: 
        - name: Prepare for Windows 11
          href: /windows/whats-new/windows-11-prepare
        - name: Prepare to deploy Windows 10 updates
          href: update/prepare-deploy-windows.md
        - name: Evaluate and update infrastructure
@ -96,11 +100,11 @@
    - name: Deploy
      items: 
-        - name: Deploy Windows 10
+        - name: Deploy Windows client
          items:
-            - name: Deploy Windows 10 with Autopilot
+            - name: Deploy Windows client with Autopilot
              href: windows-autopilot/index.yml
-            - name: Deploy Windows 10 with Configuration Manager
+            - name: Deploy Windows client with Configuration Manager
              items:
                - name: Deploy to a new device
                  href: deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
@ -110,7 +114,7 @@
                  href: deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
                - name: In-place upgrade
                  href: deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
-            - name: Deploy Windows 10 with MDT
+            - name: Deploy Windows client with MDT
              items:
                - name: Deploy to a new device
                  href: deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@ -193,6 +197,8 @@
                    href: update/update-compliance-configuration-script.md
                  - name: Manually configuring devices for Update Compliance
                    href: update/update-compliance-configuration-manual.md
                  - name: Configuring devices for Update Compliance in Microsoft Endpoint Manager
                    href: update/update-compliance-configuration-mem.md
              - name: Update Compliance monitoring
                items: 
                  - name: Use Update Compliance
@ -261,6 +267,8 @@
      items:
        - name: How does Windows Update work?
          href: update/how-windows-update-works.md
        - name: Windows 10 upgrade paths
          href: upgrade/windows-10-upgrade-paths.md
        - name: Deploy Windows 10 with Microsoft 365
          href: deploy-m365.md
        - name: Understanding the Unified Update Platform
@ -541,4 +549,4 @@
                  href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
        - name: Install fonts in Windows 10
-          href: windows-10-missing-fonts.md
+          href: windows-10-missing-fonts.md
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@ -1,9 +1,9 @@
 ---
-title: What's new in Windows 10 deployment
+title: What's new in Windows client deployment
 ms.reviewer: 
 manager: laurawi
 ms.author: greglin
-description: Use this article to learn about new solutions and online content related to deploying Windows 10 in your organization.
+description: Use this article to learn about new solutions and online content related to deploying Windows in your organization.
 keywords: deployment, automate, tools, configure, news
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
@ -16,19 +16,25 @@ ms.topic: article
 ms.custom: seo-marvel-apr2020
 ---
-# What's new in Windows 10 deployment
+# What's new in Windows client deployment
 **Applies to:**
 - Windows 10
 - Windows 11
 ## In this topic
-This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization.
+This topic provides an overview of new solutions and online content related to deploying Windows client in your organization.
 - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index).
 ## Latest news
 Check out the following new articles about Windows 11:
 - [Overview of Windows 11](/windows/whats-new/windows-11)
 - [Plan for Windows 11](/windows/whats-new/windows-11-plan)
 - [Prepare for Windows 11](/windows/whats-new/windows-11-prepare)
 [SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later.<br>
 The [Windows ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install) is available.<br>
 New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).<br>
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@ -50,7 +50,7 @@ On **DC01**:
 2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**:
   ```powershell
-   New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true 
+   New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD@contoso.com -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true 
   ```
 3. Next, run the Set-OuPermissions script to apply permissions to the **MDT\_JD** service account, enabling it to manage computer accounts in the Contoso / Computers OU. Run the following commands from an elevated Windows PowerShell prompt:
@ -369,9 +369,9 @@ On **MDT01**:
 2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
   1.  Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
-       - Name: Set DriverGroup001
+       1.  Name: Set DriverGroup001
-       - Task Sequence Variable: DriverGroup001
+       2.  Task Sequence Variable: DriverGroup001
-       - Value: Windows 10 x64\\%Make%\\%Model%
+       3.  Value: Windows 10 x64\\%Manufacturer%\\%Model%
   2.  Configure the **Inject Drivers** action with the following settings:
       - Choose a selection profile: Nothing
@ -842,4 +842,4 @@ The partitions when deploying an UEFI-based machine.
 [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)<br>
 [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)<br>
 [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)<br>
-[Configure MDT settings](configure-mdt-settings.md)<br>
+[Configure MDT settings](configure-mdt-settings.md)<br>
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@ -1,10 +1,10 @@
 ### YamlMime:Landing
-title: Windows 10 deployment resources and documentation # < 60 chars
+title: Windows client deployment resources and documentation # < 60 chars
-summary: Learn about deploying and keeping Windows 10 up to date.  # < 160 chars
+summary: Learn about deploying and keeping Windows client devices up to date.  # < 160 chars
 metadata:
-  title: Windows 10 deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
+  title: Windows client deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
  description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars.
  services: windows-10
  ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
@ -13,7 +13,7 @@ metadata:
  ms.collection: windows-10
  author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
  ms.author: greglin #Required; microsoft alias of author; optional team alias.
-  ms.date: 08/05/2020 #Required; mm/dd/yyyy format.
+  ms.date: 06/24/2021 #Required; mm/dd/yyyy format.
  localization_priority: medium
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@ -40,7 +40,7 @@ landingContent:
    linkLists:
      - linkListType: how-to-guide
        links:
-          - text: Prepare to deploy Windows 10 updates
+          - text: Prepare to deploy Windows updates
            url: update/prepare-deploy-windows.md
          - text: Prepare updates using Windows Update for Business
            url: update/waas-manage-updates-wufb.md
@ -65,8 +65,10 @@ landingContent:
      - linkListType: overview
        links:
          - text: What's new in Windows deployment
-            url: windows-10-deployment-scenarios.md
+            url: deploy-whats-new.md
-          - text: Windows 10 deployment scenarios
+          - text: Windows 11 overview
            url: /windows/whats-new/windows-11.md
          - text: Windows client deployment scenarios
            url: windows-10-deployment-scenarios.md
          - text: Basics of Windows updates, channels, and tools
            url:  update/get-started-updates-channels-tools.md
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@ -36,7 +36,7 @@ The features described below are no longer being actively developed, and might b
 | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
 | My People / People in the Shell |  My People is no longer being developed. It may be removed in a future update. | 1909 |
 | Package State Roaming (PSR) |  PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user. <br>&nbsp;<br>The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 |
-| XDDM-based remote display driver  | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information about implementing a remote indirect display driver, ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | 1903 |
+| XDDM-based remote display driver  | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 |
 | Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 |
 | Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 |
 | Windows To Go | Windows To Go is no longer being developed. <br><br>The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.|  1903 |
@ -70,4 +70,4 @@ The features described below are no longer being actively developed, and might b
 |TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
 |TCPChimney | TCP Chimney Offload is no longer being developed.  See [Performance Tuning Network Adapters](/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
 |IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 |
-|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 <br /> Applies to Windows Server 2016 and Windows Server 2019 as well.|
+|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 <br /> Applies to Windows Server 2016 and Windows Server 2019 as well.|
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@ -125,7 +125,7 @@ Deployment scheduling controls are always available, but to take advantage of th
 > Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect.
 - Diagnostic data is set to *Required* or *Optional*.
- The **AllowWUfBCloudProcessing** policy is set to **1**.
+- The **AllowWUfBCloudProcessing** policy is set to **8**.
 #### Set the **AllowWUfBCloudProcessing** policy
@ -148,8 +148,8 @@ Following is an example of setting the policy using Microsoft Endpoint Manager:
    - Name: **AllowWUfBCloudProcessing**
    - Description: Enter a description.
    - OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing`
-    - Data type: **String**
+    - Data type: **Integer**
-    - Value: **1**
+    - Value: **8**
 6. In **Assignments**, select the groups that will receive the profile, and then select **Next**.
 7. In **Review + create**, review your settings, and then select **Create**.
 8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**.
--- a/windows/deployment/update/feature-update-maintenance-window.md
+++ b/windows/deployment/update/feature-update-maintenance-window.md
@ -53,7 +53,7 @@ Use **Peer Cache** to help manage deployment of content to clients in remote loc
 If you're deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. 
-%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini
+**%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini**
 ```
 [SetupConfig]
@ -62,7 +62,7 @@ Priority=Normal
 You can use the new [Run Scripts](/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. 
-```
+```powershell
 #Parameters
 Param(
  [string] $PriorityValue = "Normal"
@ -91,6 +91,7 @@ foreach ($k in $iniSetupConfigKeyValuePair.Keys)
 #Write content to file 
 New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force
 <#
 Disclaimer 
 Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is 
 provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without 
@ -100,162 +101,164 @@ Microsoft, its authors, or anyone else involved in the creation, production, or
 for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, 
 loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script 
 or documentation, even if Microsoft has been advised of the possibility of such damages.
 #>
 ```
->[!NOTE]
+> [!NOTE]
->If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. 
+> If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
 ## Manually deploy feature updates
 The following sections provide the steps to manually deploy a feature update.
 ### Step 1: Specify search criteria for feature updates
-There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. 
+There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy.
-1. In the Configuration Manager console, click **Software Library**. 
+1. In the Configuration Manager console, click **Software Library**.
-2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. 
+2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed.
 3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps:
-   - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. 
+   - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update.
   - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English.
-4. Save the search for future use. 
+4. Save the search for future use.
-### Step 2: Download the content for the feature update(s)
+### Step 2: Download the content for the feature updates
-Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. 
+Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment.
-1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. 
+1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**.
-2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download.
+2. Choose the **feature update(s)** to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**.
-   The **Download Software Updates Wizard** opens. 
+   The **Download Software Updates Wizard** opens.
-3. On the **Deployment Package** page, configure the following settings: 
+3. On the **Deployment Package** page, configure the following settings:
-   **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: 
+   **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings:
-     - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. 
+     - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters.
-     - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. 
+     - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters.
-     - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. 
+     - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page.
-   >[!NOTE]
+   > [!NOTE]
-   >The deployment package source location that you specify cannot be used by another software deployment package. 
+   > The deployment package source location that you specify cannot be used by another software deployment package.
-   >[!IMPORTANT]
+   > [!IMPORTANT]
-   >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. 
+   > The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files.
-   >[!IMPORTANT]
+   > [!IMPORTANT]
-   >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. 
+   > You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location.
-   Click **Next**. 
+   Click **Next**.
-4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). 
+4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs).
-   >[!NOTE]
+   > [!NOTE]
-   >The Distribution Points page is available only when you create a new software update deployment package. 
+   > The Distribution Points page is available only when you create a new software update deployment package.
-5. On the **Distribution Settings** page, specify the following settings: 
+5. On the **Distribution Settings** page, specify the following settings:
-   - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. 
+   - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority.
-   - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios). 
+   - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
-   - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: 
+   - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options:
-     - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. 
+     - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point.
     - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point.
-     - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. 
+     - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting.
-      
+
-     For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). 
+     For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage).
-   Click **Next**. 
+   Click **Next**.
-6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: 
+6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options:
   - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting.
-   - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. 
+   - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access.
     >[!NOTE]
     >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard.
-   Click **Next**. 
+     > [!NOTE]
-7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. 
+     > When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard.
-8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. 
+
-9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. 
+   Click **Next**.
 7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page.
 8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates.
 9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close.
 #### To monitor content status
-1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. 
+1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console.
-2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. 
+2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**.
-3. Select the feature update package that you previously identified to download the feature updates. 
+3. Select the feature update package that you previously identified to download the feature updates.
 4. On the **Home** tab, in the Content group, click **View Status**.
-### Step 3: Deploy the feature update(s) 
+### Step 3: Deploy the feature update(s)
-After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). 
+After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s).
-1. In the Configuration Manager console, click **Software Library**. 
+1. In the Configuration Manager console, click **Software Library**.
-2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. 
+2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**.
 3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**.
-   The **Deploy Software Updates Wizard** opens. 
+   The **Deploy Software Updates Wizard** opens.
-4. On the General page, configure the following settings: 
+4. On the General page, configure the following settings:
-   - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \<date\>\<time\>** 
+   - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \<date\>\<time\>**
-   - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. 
+   - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default.
-   - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. 
+   - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct.
-   - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. 
+   - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time.
-   - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. 
+   - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment.
-5. On the Deployment Settings page, configure the following settings: 
+5. On the Deployment Settings page, configure the following settings:
-   - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. 
+   - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline.
     >[!IMPORTANT]
     > After you create the software update deployment, you cannot later change the type of deployment. 
     >[!NOTE]
     >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured.
-   - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. 
+     > [!IMPORTANT]
     > After you create the software update deployment, you cannot later change the type of deployment.
-     >[!WARNING]
+     > [!NOTE]
-     >Before you can use this option, computers and networks must be configured for Wake On LAN. 
+     > A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured.
-   - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. 
+   - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required.
     > [!WARNING]
     > Before you can use this option, computers and networks must be configured for Wake On LAN.
   - **Detail level**: Specify the level of detail for the state messages that are reported by client computers.
 6. On the Scheduling page, configure the following settings:
-   - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. 
+   - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console.
     >[!NOTE]
     >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. 
-   - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: 
+     > [!NOTE]
-     - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. 
+     > When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time.
   - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. 
     >[!NOTE]
     >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. 
-   - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. 
+   - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients:
     - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation.
   - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment.
-   >[!NOTE]
+     > [!NOTE]
-   >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](/sccm/core/clients/deploy/about-client-settings#computer-agent). 
+     > You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page.
 7. On the User Experience page, configure the following settings: 
   - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. 
   - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](/sccm/core/clients/manage/collections/use-maintenance-windows). 
   - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. 
-     >[!IMPORTANT]
+   - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links.
     >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation.
   - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. 
-     >[!NOTE]
+   > [!NOTE]
-     >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. 
+   > The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](/sccm/core/clients/deploy/about-client-settings#computer-agent).
-   - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. 
+7. On the User Experience page, configure the following settings:
-8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. 
+   - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**.
   - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](/sccm/core/clients/manage/collections/use-maintenance-windows).
   - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation.
-   >[!NOTE]
+     > [!IMPORTANT]
-   >You can review recent software updates alerts from the Software Updates node in the Software Library workspace. 
+     > Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation.
-9. On the Download Settings page, configure the following settings: 
+   - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device.
-   - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. 
+
-   - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. 
+     > [!NOTE]
-   - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). 
+     > When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window.
   - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window.
 8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page.
   > [!NOTE]
   > You can review recent software updates alerts from the Software Updates node in the Software Library workspace.
 9. On the Download Settings page, configure the following settings:
   - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location.
   - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point.
   - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache).
   - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content.
-   - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. 
+   - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection.
-     >[!NOTE]
+     > [!NOTE]
-     >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios). 
+     > Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source priority](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#content-source-priority).
-10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. 
+10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting.
-11. Click **Next** to deploy the feature update(s). 
+11. Click **Next** to deploy the feature update(s).
 ### Step 4: Monitor the deployment status
 After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status:
-1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. 
+1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**.
-2. Click the software update group or software update for which you want to monitor the deployment status. 
+2. Click the software update group or software update for which you want to monitor the deployment status.
-3. On the **Home** tab, in the **Deployment** group, click **View Status**.
+3. On the **Home** tab, in the **Deployment** group, click **View Status**.
--- a/windows/deployment/update/fod-and-lang-packs.md
+++ b/windows/deployment/update/fod-and-lang-packs.md
@ -18,6 +18,8 @@ ms.custom: seo-marvel-apr2020
 > Applies to: Windows 10
 In Windows 10 version 21H2, non-Administrator user accounts can add both a display language and its corresponding language features.
 As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS.
 The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions.
@ -28,4 +30,4 @@ In Windows 10 version 1809 and beyond, changing the **Specify settings for optio
 For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
-Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/).
+Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/).
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@ -84,6 +84,9 @@ This table shows the correct sequence for applying the various tasks to the file
 > [!NOTE]
 > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
 > [!NOTE]
 > Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
 ### Multiple Windows editions
 The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
@ -456,4 +459,4 @@ Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null
 Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
 Write-Output "$(Get-TS): Media refresh completed!"
-```
+```
--- a/windows/deployment/update/update-baseline.md
+++ b/windows/deployment/update/update-baseline.md
@ -40,8 +40,7 @@ For the complete detailed list of all settings and their values, see the MSFT Wi
 ## How do I get started? 
-The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=101056) from the Download Center. 
+The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from the Download Center. 
 Today, the Update Baseline toolkit is currently only available for use with Group Policy. 
--- a/windows/deployment/update/update-compliance-configuration-manual.md
+++ b/windows/deployment/update/update-compliance-configuration-manual.md
@ -41,16 +41,13 @@ Update Compliance has a number of policies that must be appropriately configured
 Each MDM Policy links to its documentation in the CSP hierarchy, providing its exact location in the hierarchy and more details.
-| Policy | Value | Function |
+| Policy | Data type | Value | Function |
-|---------------------------|-|------------------------------------------------------------|
+|--------------------------|-|-|------------------------------------------------------------|
-|**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. |
+|**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |String |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. |
-|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 1- Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. |
+|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. |
-|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
+|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
-|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
+|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
-| **System/AllowUpdateComplianceProcessing** | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
+| **System/AllowUpdateComplianceProcessing** |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
 > [!NOTE]
 > If you use Microsoft Intune, set the **ProviderID** to *MS DM Server*. If you use another MDM product, check with its vendor. See also [DMClient CSP](/windows/client-management/mdm/dmclient-csp).
 ### Group policies
@ -89,6 +86,6 @@ Census is a service that runs on a regular schedule on Windows devices. A number
 A full Census sync adds a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. For Census to work normally, this registry value should be enabled, Census should be started manually, and then the registry value should be disabled. Follow these steps:
-1. For every device you are manually configuring for Update Compliance, add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to **1**. 
+1. For every device you are manually configuring for Update Compliance and do not plan to use the [Update Compliance Configuration Script](update-compliance-configuration-script.md), add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to **1**. 
 2. Run Devicecensus.exe with administrator privileges on every device. Devicecensus.exe is in the System32 folder. No additional run parameters are required. 
 3. After Devicecensus.exe has run, the **FullSync** registry value can be removed or set to **0**.
--- a/windows/deployment/update/update-compliance-configuration-mem.md
+++ b/windows/deployment/update/update-compliance-configuration-mem.md
@ -0,0 +1,77 @@
 ---
 title: Configuring Microsoft Endpoint Manager devices for Update Compliance
 ms.reviewer: 
 manager: laurawi
 description: Configuring devices that are enrolled in Endpoint Manager for Update Compliance
 keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav, intune, mem
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: deploy
 audience: itpro
 author: jaimeo
 ms.author: jaimeo
 ms.localizationpriority: medium
 ms.collection: M365-analytics
 ms.topic: article
 ---
 # Configuring Microsoft Endpoint Manager devices for Update Compliance
 > [!NOTE]
 > As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables.
 This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps:
 1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured. 
 2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured. 
 3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). 
 ## Create a configuration profile
 Take the following steps to create a configuration profile that will set required policies for Update Compliance:
 1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**.
 2. On the **Configuration profiles** view, select **Create a profile**.
 3. Select **Platform**="Windows 10 and later" and **Profile type**="Templates".
 4. For **Template name**, select **Custom**, and then press **Create**.
 5. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
 6. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md).
    1. If you don't already have it, get your Commercial ID. For steps, see [Get your CommmercialID](update-compliance-get-started.md#get-your-commercialid).
    2. Add a setting for **Commercial ID** ) with the following values:
        - **Name**: Commercial ID
        - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace.
        - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID`
        - **Data type**: String
        - **Value**: *Set this to your Commercial ID*
    2. Add a setting configuring the **Windows Diagnostic Data level** for devices:
        - **Name**: Allow Telemetry
        - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance.
        - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry`
        - **Data type**: Integer
        - **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*).
    3. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this is not disabled, users of each device can potentially override the diagnostic data level of devices such that data will not be available for those devices in Update Compliance:
        - **Name**: Disable Telemetry opt-in interface
        - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting.
        - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx`
        - **Data type**: Integer
        - **Value**: 1
    4. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance:
        - **Name**: Allow device name in Diagnostic Data
        - **Description**: Allows device name in Diagnostic Data.
        - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData`
        - **Data type**: Integer
        - **Value**: 1
    5. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance: 
        - **Name**: Allow Update Compliance Processing
        - **Description**: Opts device data into Update Compliance processing. Required to see data. 
        - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing`
        - **Data type**: Integer
        - **Value**: 16
 7.  Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. 
 8. Review and select **Create**. 
 ## Deploy the configuration script
 The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). 
 When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices. 
--- a/windows/deployment/update/update-compliance-configuration-script.md
+++ b/windows/deployment/update/update-compliance-configuration-script.md
@ -18,22 +18,15 @@ ms.topic: article
 # Configuring devices through the Update Compliance Configuration Script
 > [!NOTE]
-> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. We don't recommend using this script if you configure devices using MDM. Instead, configure the policies listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) by using your MDM provider. You should check devices to ensure that there aren't any policy configurations in any existing tool that conflict with how policies should be configured. 
+> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured.
-The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more.
+The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configured devices for Update Compliance](update-compliance-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured. 
 > [!NOTE]
-> The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script does not reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), there can be issues with device enrollment. 
+> The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script does not reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), device data might not appear in Update Compliance correctly. 
 You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
 ## Script FAQ
 - I manage my devices with MDM. Should I use this script?
 No, you should not use this script. Instead configure the policies through your MDM provider. 
 - Does this script configure devices for Delivery Optimization?
 No. You must do that separately.
 ## How this script is organized
 This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the `.bat` itself, which will then run `ConfigScript.ps1` with the parameters entered to `RunConfig.bat`. There are two ways of using the script: in **Pilot** mode or **Deployment** mode. 
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@ -26,7 +26,7 @@ This topic introduces the high-level steps required to enroll to the Update Comp
 2. [Add Update Compliance](#add-update-compliance-to-your-azure-subscription) to your Azure subscription.
 3. [Configure devices](#enroll-devices-in-update-compliance)  to send data to Update Compliance.
-After adding the solution to Azure and configuring devices, it could take up to 72 hours before you can begin to see devices in the solution. Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization.
+After adding the solution to Azure and configuring devices, it can take some time before all devices appear. For more information, see the [enrollment section](#enroll-devices-in-update-compliance). Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization.
 ## Update Compliance prerequisites
@ -100,10 +100,11 @@ To find your CommercialID within Azure:
 ## Enroll devices in Update Compliance
-Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are two ways to configure devices to use Update Compliance:
+Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are a few steps to follow when enrolling devices to Update Compliance:
- If you use Group Policy to manage device policies, use the [Update Compliance Configuration Script](update-compliance-configuration-script.md).
+1. Check the policies, services, and other device enrollment requirements in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md).
- If you manage devices through MDM providers like Intune, [manually configure device for Update Compliance](update-compliance-configuration-manual.md).
+2. If you use [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), you can follow the enrollment process documented at [Configuring devices for Update Compliance in Microsoft Endpoint Manager](update-compliance-configuration-mem.md).
 3. Finally, you should run the [Update Compliance Configuration Script](update-compliance-configuration-script.md) on all devices to ensure they are appropriately configured and troubleshoot any enrollment issues.
 After you configure devices, diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling to Update Compliance doesn't influence the rate at which required data is uploaded from devices. Device connectivity to the internet and generally how active the device is highly influences how long it will take before the device appears in Update Compliance. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. 
--- a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md
+++ b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md
@ -32,7 +32,7 @@ This article describes how system administrators can upgrade eligible Windows Ph
 The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. To determine if the device is eligible for an upgrade with MDM, see the [How to determine whether an upgrade is available for a device](#howto-upgrade-available) topic in this article. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through MDM that can push a management policy to each eligible device to perform the opt-in.
-If you use a list of allowed applications (app allow listing) with MDM, verify that system applications are allow-listed before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whitelist) with app allow-lists that could adversely affect the device after you upgrade.
+If you use a list of allowed applications (app allow listing) with MDM, verify that system applications are allow-listed before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management) with app allow-lists that could adversely affect the device after you upgrade.
 Some enterprises might want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can block the Upgrade Advisor app to prevent their users from upgrading prematurely. For more information about how to restrict the Upgrade Advisor app, see the [How to restrict the Upgrade Advisor app](#howto-restrict) section in this article. Enterprises that have restricted the Upgrade Advisor app can use the solution described in this article to select the upgrade timing on a per-device basis.
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@ -26,9 +26,13 @@ With Windows 10, you can quickly upgrade from one edition of Windows 10 to ano
 For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](https://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf).
-The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
+The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer.
-Note: Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager.
+> [!NOTE]
 > The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
 > [!TIP]
 > Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager.
 ![not supported](../images/x_blk.png) (X) = not supported</br>
 ![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required</br>
@ -39,7 +43,7 @@ X = unsupported <BR>
 &#x2714; (green) = supported; reboot required<BR>
 &#x2714; (blue) = supported; no reboot required
-|Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile > Mobile Enterprise |
+|Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile |
 |-------|-----------|-----------------|----------------|-----------------|----------------|--------|
 | Using mobile device management (MDM) |![unsupported](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |
 | Using a provisioning package |![unsupported](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |
@ -63,7 +67,6 @@ X = unsupported <BR>
 | **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(1703 - PC)<br>(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
 | **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
 | **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
 | **Mobile > Mobile Enterprise** | ![supported, no reboot](../images/check_blu.png) |![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) |
 > [!NOTE]
 > - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md)
@ -84,7 +87,7 @@ Use Windows Configuration Designer to create a provisioning package to upgrade a
 - To create a provisioning package for upgrading mobile editions of Windows 10, go to **Runtime settings &gt; EditionUpgrade &gt; UpgradeEditionWithLicense** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition.
 For more info about Windows Configuration Designer, see these topics:
- [Create a provisioining package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package)
+- [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package)
 - [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package)
@ -122,7 +125,8 @@ If you do not have a product key, you can upgrade your edition of Windows 10 th
 3.  Follow the on-screen instructions.
-    **Note**<br>If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/).
+    > [!NOTE]
    > If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/).
 ## License expiration
@ -130,7 +134,8 @@ Volume license customers whose license has expired will need to change the editi
 Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported.  You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This topic does not discuss version downgrades.
-Note: If you are using [Windows 10 Enterprise Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires.
+> [!NOTE]
 > If you are using [Windows 10 Enterprise Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires.
 ### Scenario example
@ -150,21 +155,21 @@ You can move directly from Enterprise to any valid destination edition. In this
 <br>
 <table border="0" cellpadding="1">
    <tr>
-        <td colspan="10" align="center">Destination edition</td>
+        <th colspan="10" align="center">Destination edition</th>
    </tr>
    <tr>
-        <td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
+        <th>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</th>
-        <td></td>
+        <th>&nbsp;</th>
-        <td>Home</td>
+        <th>Home</th>
-        <td>Pro</td>
+        <th>Pro</th>
-        <td>Pro for Workstations</td>
+        <th>Pro for Workstations</th>
-        <td>Pro Education</td>
+        <th>Pro Education</th>
-        <td>Education</td>
+        <th>Education</th>
-        <td>Enterprise LTSC</td>
+        <th>Enterprise LTSC</th>
-        <td>Enterprise</td>
+        <th>Enterprise</th>
    </tr>
    <tr>
-        <td rowspan="9" nowrap="nowrap" valign="middle">Starting edition</td>
+        <th rowspan="9" nowrap="nowrap" valign="middle">Starting edition</th>
    </tr>
    <tr>
        <td>Home</td>
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@ -43,17 +43,17 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
 <table border="0" cellpadding="1">
    <tr>
        <td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
-        <td></td>
+        <td>&nbsp;</td>
-        <td>Windows 10 Home</td>
+        <th>Windows 10 Home</th>
-        <td>Windows 10 Pro</td>
+        <th>Windows 10 Pro</th>
-        <td>Windows 10 Pro Education</td>
+        <th>Windows 10 Pro Education</th>
-        <td>Windows 10 Education</td>
+        <th>Windows 10 Education</th>
-        <td>Windows 10 Enterprise</td>
+        <th>Windows 10 Enterprise</th>
-        <td>Windows 10 Mobile</td>
+        <th>Windows 10 Mobile</th>
-        <td>Windows 10 Mobile Enterprise</td>
+        <th>Windows 10 Mobile Enterprise</th>
    </tr>
    <tr>
-        <td rowspan="7" nowrap="nowrap">Windows 7</td>
+        <th rowspan="7" nowrap="nowrap">Windows 7</th>
    </tr>
    <tr>
        <td>Starter</td>
@ -116,7 +116,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
        <td></td>
    </tr>
    <tr>
-        <td rowspan="10" nowrap="nowrap">Windows 8.1</td>
+        <th rowspan="10" nowrap="nowrap">Windows 8.1</th>
    </tr>
    <tr>
        <td>(Core)</td>
@ -209,7 +209,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
        <td>✔</td>
    </tr>
    <tr>
-        <td rowspan="8" nowrap="nowrap">Windows 10</td>
+        <th rowspan="8" nowrap="nowrap">Windows 10</th>
    </tr>
    <tr>
        <td>Home</td>
@ -261,17 +261,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
        <td></td>
        <td>✔</td>
    </tr>
-    <tr>
+   </table>
        <td>Mobile Enterprise</td>
        <td></td>
        <td></td>
        <td></td>
        <td></td>
        <td></td>
        <td>D</td>
        <td></td>
    </tr>
 </table>
 ## Related Topics
--- a/windows/hub/TOC.yml
+++ b/windows/hub/TOC.yml
@ -1,8 +1,13 @@
- name: Windows 10
+- name: Windows
  href: index.yml
  items: 
    - name: What's new
-      href: /windows/whats-new
+      expanded: true
      items:
        - name: What's new in Windows
          href: /windows/whats-new
        - name: Windows 11
          href: /windows/whats-new/windows-11
    - name: Release information
      href: /windows/release-health
    - name: Deployment
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@ -1,11 +1,11 @@
 ### YamlMime:Landing
-title: Windows 10 resources and documentation for IT Pros # < 60 chars
+title: Windows client resources and documentation for IT Pros # < 60 chars
-summary: Plan, deploy, secure, and manage devices running Windows 10.  # < 160 chars
+summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows 11.  # < 160 chars
 metadata:
-  title: Windows 10 documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars.
+  title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars.
-  description: Evaluate, plan, deploy, secure and manage devices running Windows 10. # Required; article description that is displayed in search results. < 160 chars.
+  description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
  services: windows-10
  ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
  ms.subservice: subservice
@ -13,7 +13,7 @@ metadata:
  ms.collection: windows-10
  author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
  ms.author: greglin #Required; microsoft alias of author; optional team alias.
-  ms.date: 10/20/2020 #Required; mm/dd/yyyy format.
+  ms.date: 06/01/2020 #Required; mm/dd/yyyy format.
  localization_priority: medium
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@ -26,13 +26,17 @@ landingContent:
    linkLists:
      - linkListType: overview
        links:
          - text: Windows 11 overview
            url: /windows/whats-new/windows-11
          - text: Windows 11 requirements
            url: /windows/whats-new/windows-11-requirements
          - text: Plan for Windows 11
            url: /windows/whats-new/windows-11-plan
          - text: Prepare for Windows 11
            url: /windows/whats-new/windows-11-prepare
          - text: What's new in Windows 10, version 21H1
            url: /windows/whats-new/whats-new-windows-10-version-21H1
-          - text: What's new in Windows 10, version 20H2
+          - text: Windows release information
            url: /windows/whats-new/whats-new-windows-10-version-20H2
          - text: What's new in Windows 10, version 2004
            url: /windows/whats-new/whats-new-windows-10-version-2004
          - text: Windows 10 release information
            url:  /windows/release-health/release-information
  # Card (optional)
@ -40,7 +44,7 @@ landingContent:
    linkLists:
      - linkListType: how-to-guide
        links:
-          - text: Configure Windows 10
+          - text: Configure Windows
            url: /windows/configuration/index
          - text: Accessibility information for IT Pros
            url: /windows/configuration/windows-10-accessibility-for-itpros
@ -54,13 +58,13 @@ landingContent:
    linkLists:
      - linkListType: deploy
        links:
-          - text: Deploy and update Windows 10
+          - text: Deploy and update Windows
            url: /windows/deployment/index
-          - text: Windows 10 deployment scenarios
+          - text: Windows deployment scenarios
            url: /windows/deployment/windows-10-deployment-scenarios
          - text: Create a deployment plan
            url: /windows/deployment/update/create-deployment-plan
-          - text: Prepare to deploy Windows 10
+          - text: Prepare to deploy Windows client
            url: /windows/deployment/update/prepare-deploy-windows
@ -69,7 +73,7 @@ landingContent:
    linkLists:
      - linkListType: how-to-guide
        links:
-          - text: Windows 10 application management
+          - text: Windows application management
            url: /windows/application-management/index
          - text: Understand the different apps included in Windows 10
            url: /windows/application-management/apps-in-windows-10
@ -83,9 +87,9 @@ landingContent:
    linkLists:
      - linkListType: how-to-guide
        links:
-          - text: Windows 10 client management
+          - text: Windows client management
            url: /windows/client-management/index
-          - text: Administrative tools in Windows 10
+          - text: Administrative tools 
            url: /windows/client-management/administrative-tools-in-windows-10
          - text: Create mandatory user profiles
            url: /windows/client-management/mandatory-user-profile
@ -97,7 +101,7 @@ landingContent:
    linkLists:
      - linkListType: how-to-guide
        links:
-          - text: Windows 10 Enterprise Security
+          - text: Windows Enterprise Security
            url: /windows/security/index
          - text: Windows Privacy
            url: /windows/privacy/index
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
@ -276,11 +276,6 @@ The following fields are available:
 - **DatasourceApplicationFile_20H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_21H1**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_21H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_21H2**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_21H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_CO21H2**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_RS1**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_RS2**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_RS3**  The total number of objects of this type present on this device.
@ -294,11 +289,6 @@ The following fields are available:
 - **DatasourceDevicePnp_20H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_21H1**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_21H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_21H2**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_21H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_CO21H2**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_RS1**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_RS2**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_RS3**  The total number of objects of this type present on this device.
@ -315,11 +305,6 @@ The following fields are available:
 - **DatasourceDriverPackage_20H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_21H1**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_21H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_21H2**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_21H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_CO21H2**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_RS1**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_RS2**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_RS3**  The total number of objects of this type present on this device.
@ -336,11 +321,6 @@ The following fields are available:
 - **DataSourceMatchingInfoBlock_20H1Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_21H1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_21H1Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_21H2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_21H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_CO21H2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_RS1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_RS2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_RS3**  The total number of objects of this type present on this device.
@ -354,11 +334,6 @@ The following fields are available:
 - **DataSourceMatchingInfoPassive_20H1Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_21H1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_21H1Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_21H2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_21H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_CO21H2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_RS1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_RS2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_RS3**  The total number of objects of this type present on this device.
@ -372,11 +347,6 @@ The following fields are available:
 - **DataSourceMatchingInfoPostUpgrade_20H1Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_21H1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_21H1Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_21H2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_21H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_CO21H2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS3**  The total number of objects of this type present on this device.
@ -391,11 +361,6 @@ The following fields are available:
 - **DatasourceSystemBios_20H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_21H1**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_21H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_21H2**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_21H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_CO21H2**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_RS1**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_RS2**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_RS3**  The total number of objects of this type present on this device.
@ -412,11 +377,6 @@ The following fields are available:
 - **DecisionApplicationFile_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_21H1**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_21H1Setup**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_21H2**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_CO21H2**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_RS1**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_RS2**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_RS3**  The total number of objects of this type present on this device.
@ -430,11 +390,6 @@ The following fields are available:
 - **DecisionDevicePnp_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_21H1**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_21H1Setup**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_21H2**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_CO21H2**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_RS1**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_RS2**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_RS3**  The total number of objects of this type present on this device.
@ -451,11 +406,6 @@ The following fields are available:
 - **DecisionDriverPackage_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_21H1**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_21H1Setup**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_21H2**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_CO21H2**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_RS1**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_RS2**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_RS3**  The total number of objects of this type present on this device.
@ -472,11 +422,6 @@ The following fields are available:
 - **DecisionMatchingInfoBlock_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_21H1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_21H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_21H2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_CO21H2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_RS1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_RS2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_RS3**  The total number of objects of this type present on this device.
@ -490,11 +435,6 @@ The following fields are available:
 - **DecisionMatchingInfoPassive_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_21H1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_21H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_21H2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_CO21H2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_RS1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_RS2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_RS3**  The total number of objects of this type present on this device.
@ -508,11 +448,6 @@ The following fields are available:
 - **DecisionMatchingInfoPostUpgrade_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_21H1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_21H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_21H2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_CO21H2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS3**  The total number of objects of this type present on this device.
@ -526,11 +461,6 @@ The following fields are available:
 - **DecisionMediaCenter_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_21H1**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_21H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_21H2**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_CO21H2**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_RS1**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_RS2**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_RS3**  The total number of objects of this type present on this device.
@ -540,11 +470,6 @@ The following fields are available:
 - **DecisionMediaCenter_TH2**  The total number of objects of this type present on this device.
 - **DecisionSModeState_20H1**  The total number of objects of this type present on this device.
 - **DecisionSModeState_21H1**  The total number of objects of this type present on this device.
 - **DecisionSModeState_21H2**  The total number of objects of this type present on this device.
 - **DecisionSModeState_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSModeState_CO21H2**  The total number of objects of this type present on this device.
 - **DecisionSModeState_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSModeState_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_19ASetup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_19H1**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_19H1Setup**  The total number of objects of this type present on this device.
@ -552,11 +477,6 @@ The following fields are available:
 - **DecisionSystemBios_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_21H1**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_21H1Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_21H2**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_CO21H2**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_RS1**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_RS2**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_RS3**  The total number of objects of this type present on this device.
@ -569,49 +489,20 @@ The following fields are available:
 - **DecisionSystemBios_TH2**  The total number of objects of this type present on this device.
 - **DecisionSystemDiskSize_20H1**  The total number of objects of this type present on this device.
 - **DecisionSystemDiskSize_21H1**  The total number of objects of this type present on this device.
 - **DecisionSystemDiskSize_21H2**  The total number of objects of this type present on this device.
 - **DecisionSystemDiskSize_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemDiskSize_CO21H2**  The total number of objects of this type present on this device.
 - **DecisionSystemDiskSize_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemDiskSize_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemMemory_20H1**  The total number of objects of this type present on this device.
 - **DecisionSystemMemory_21H1**  The total number of objects of this type present on this device.
 - **DecisionSystemMemory_21H2**  The total number of objects of this type present on this device.
 - **DecisionSystemMemory_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemMemory_CO21H2**  The total number of objects of this type present on this device.
 - **DecisionSystemMemory_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemMemory_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessor_RS2**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuCores_20H1**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuCores_21H1**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuCores_21H2**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuCores_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuCores_CO21H2**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuCores_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuCores_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuModel_20H1**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuModel_21H1**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuModel_21H2**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuModel_CO21H2**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuModel_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuModel_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuSpeed_20H1**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuSpeed_21H1**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuSpeed_21H2**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuSpeed_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuSpeed_CO21H2**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuSpeed_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuSpeed_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionTest_19H1**  The total number of objects of this type present on this device.
 - **DecisionTest_20H1**  The total number of objects of this type present on this device.
 - **DecisionTest_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionTest_21H1**  The total number of objects of this type present on this device.
 - **DecisionTest_21H1Setup**  The total number of objects of this type present on this device.
 - **DecisionTest_21H2**  The total number of objects of this type present on this device.
 - **DecisionTest_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionTest_CO21H2**  The total number of objects of this type present on this device.
 - **DecisionTest_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionTest_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionTest_RS1**  The total number of objects of this type present on this device.
 - **DecisionTest_RS2**  The total number of objects of this type present on this device.
 - **DecisionTest_RS3**  The total number of objects of this type present on this device.
@ -621,18 +512,8 @@ The following fields are available:
 - **DecisionTest_TH2**  The total number of objects of this type present on this device.
 - **DecisionTpmVersion_20H1**  The total number of objects of this type present on this device.
 - **DecisionTpmVersion_21H1**  The total number of objects of this type present on this device.
 - **DecisionTpmVersion_21H2**  The total number of objects of this type present on this device.
 - **DecisionTpmVersion_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionTpmVersion_CO21H2**  The total number of objects of this type present on this device.
 - **DecisionTpmVersion_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionTpmVersion_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionUefiSecureBoot_20H1**  The total number of objects of this type present on this device.
 - **DecisionUefiSecureBoot_21H1**  The total number of objects of this type present on this device.
 - **DecisionUefiSecureBoot_21H2**  The total number of objects of this type present on this device.
 - **DecisionUefiSecureBoot_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionUefiSecureBoot_CO21H2**  The total number of objects of this type present on this device.
 - **DecisionUefiSecureBoot_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionUefiSecureBoot_CU22H2Setup**  The total number of objects of this type present on this device.
 - **InventoryApplicationFile**  The total number of objects of this type present on this device.
 - **InventoryDeviceContainer**  The total number of objects of this type present on this device.
 - **InventoryDevicePnp**  The total number of objects of this type present on this device.
@ -662,11 +543,6 @@ The following fields are available:
 - **Wmdrm_20H1Setup**  The total number of objects of this type present on this device.
 - **Wmdrm_21H1**  The total number of objects of this type present on this device.
 - **Wmdrm_21H1Setup**  The total number of objects of this type present on this device.
 - **Wmdrm_21H2**  The total number of objects of this type present on this device.
 - **Wmdrm_21H2Setup**  The total number of objects of this type present on this device.
 - **Wmdrm_CO21H2**  The total number of objects of this type present on this device.
 - **Wmdrm_CO21H2Setup**  The total number of objects of this type present on this device.
 - **Wmdrm_CU22H2Setup**  The total number of objects of this type present on this device.
 - **Wmdrm_RS1**  The total number of objects of this type present on this device.
 - **Wmdrm_RS2**  The total number of objects of this type present on this device.
 - **Wmdrm_RS3**  The total number of objects of this type present on this device.
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@ -50,7 +50,7 @@ Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience
 ## Behaviorial changes
-In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be migrated to the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see the section named, **Services that rely on Enhanced diagnostic data**, later in this topic. Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see the section named **Configure a Windows 10 device to limit crash dumps and logs**. For more information on services that rely on Enhanced diagnostic data, see **Services that rely on Enhanced diagnostic data**.
+In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see the section named, **Services that rely on Enhanced diagnostic data**, later in this topic. Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see the section named **Configure a Windows 10 device to limit crash dumps and logs**. For more information on services that rely on Enhanced diagnostic data, see **Services that rely on Enhanced diagnostic data**.
 Additionally, you will see the following policy changes in an upcoming release of Windows 10:
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@ -559,6 +559,8 @@ To disable the Microsoft Account Sign-In Assistant:
 Use Group Policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682) and [Configure Microsoft Edge policy settings on Windows](/DeployEdge/configure-microsoft-edge).
 For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies). 
 ### <a href="" id="bkmk-edgegp"></a>13.1 Microsoft Edge Group Policies
 Find the Microsoft Edge Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Microsoft Edge**.
@ -594,8 +596,6 @@ Alternatively, you can configure the following Registry keys as described:
 | Choose whether employees can configure Compatibility View. | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation<br/>REG_DWORD: MSCompatibilityMode <br />Value: **0**|
 For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](/microsoft-edge/deploy/available-policies).
 ### <a href="" id="bkmk-edgegp"></a>13.2 Microsoft Edge Enterprise
 For a complete list of the Microsoft Edge policies, see [Microsoft Edge and privacy: FAQ](https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies). 
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@ -1,5 +1,5 @@
 ---
-description: Use this article to learn more about what required Windows diagnostic data is gathered.
+description: Learn what required Windows diagnostic data is gathered.
 title: Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10)
 keywords: privacy, telemetry
 ms.prod: w10
@ -64,10 +64,6 @@ The following fields are available:
 - **DatasourceApplicationFile_20H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_21H1**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_21H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_21H2**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_21H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_RS1**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_RS2**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_RS3**  The total number of objects of this type present on this device.
@ -81,10 +77,6 @@ The following fields are available:
 - **DatasourceDevicePnp_20H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_21H1**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_21H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_21H2**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_21H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_RS1**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_RS2**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_RS3**  The total number of objects of this type present on this device.
@ -100,10 +92,6 @@ The following fields are available:
 - **DatasourceDriverPackage_20H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_21H1**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_21H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_21H2**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_21H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_RS1**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_RS2**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_RS3**  The total number of objects of this type present on this device.
@ -119,10 +107,6 @@ The following fields are available:
 - **DataSourceMatchingInfoBlock_20H1Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_21H1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_21H1Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_21H2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_21H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_RS1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_RS2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_RS3**  The total number of objects of this type present on this device.
@ -136,10 +120,6 @@ The following fields are available:
 - **DataSourceMatchingInfoPassive_20H1Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_21H1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_21H1Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_21H2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_21H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_RS1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_RS2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_RS3**  The total number of objects of this type present on this device.
@ -153,10 +133,6 @@ The following fields are available:
 - **DataSourceMatchingInfoPostUpgrade_20H1Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_21H1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_21H1Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_21H2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_21H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS3**  The total number of objects of this type present on this device.
@ -170,10 +146,6 @@ The following fields are available:
 - **DatasourceSystemBios_20H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_21H1**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_21H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_21H2**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_21H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_RS1**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_RS2**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_RS3**  The total number of objects of this type present on this device.
@ -189,10 +161,6 @@ The following fields are available:
 - **DecisionApplicationFile_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_21H1**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_21H1Setup**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_21H2**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_RS1**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_RS2**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_RS3**  The total number of objects of this type present on this device.
@ -206,10 +174,6 @@ The following fields are available:
 - **DecisionDevicePnp_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_21H1**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_21H1Setup**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_21H2**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_RS1**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_RS2**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_RS3**  The total number of objects of this type present on this device.
@ -225,10 +189,6 @@ The following fields are available:
 - **DecisionDriverPackage_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_21H1**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_21H1Setup**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_21H2**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_RS1**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_RS2**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_RS3**  The total number of objects of this type present on this device.
@ -244,10 +204,6 @@ The following fields are available:
 - **DecisionMatchingInfoBlock_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_21H1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_21H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_21H2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_RS1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_RS2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_RS3**  The total number of objects of this type present on this device.
@ -261,10 +217,6 @@ The following fields are available:
 - **DecisionMatchingInfoPassive_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_21H1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_21H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_21H2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_RS1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_RS2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_RS3**  The total number of objects of this type present on this device.
@ -278,10 +230,6 @@ The following fields are available:
 - **DecisionMatchingInfoPostUpgrade_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_21H1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_21H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_21H2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS3**  The total number of objects of this type present on this device.
@ -295,10 +243,6 @@ The following fields are available:
 - **DecisionMediaCenter_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_21H1**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_21H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_21H2**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_RS1**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_RS2**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_RS3**  The total number of objects of this type present on this device.
@ -306,19 +250,12 @@ The following fields are available:
 - **DecisionMediaCenter_RS5**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_TH1**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_TH2**  The total number of objects of this type present on this device.
 - **DecisionSModeState_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSModeState_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSModeState_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_19H1**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_19H1Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_20H1**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_21H1**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_21H1Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_21H2**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_RS1**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_RS2**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_RS3**  The total number of objects of this type present on this device.
@ -328,29 +265,11 @@ The following fields are available:
 - **DecisionSystemBios_RS5Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_TH1**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_TH2**  The total number of objects of this type present on this device.
 - **DecisionSystemDiskSize_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemDiskSize_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemDiskSize_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemMemory_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemMemory_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemMemory_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuCores_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuCores_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuCores_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuModel_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuModel_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuSpeed_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuSpeed_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuSpeed_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionTest_19H1**  The total number of objects of this type present on this device.
 - **DecisionTest_20H1**  The total number of objects of this type present on this device.
 - **DecisionTest_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionTest_21H1**  The total number of objects of this type present on this device.
 - **DecisionTest_21H1Setup**  The total number of objects of this type present on this device.
 - **DecisionTest_21H2**  The total number of objects of this type present on this device.
 - **DecisionTest_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionTest_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionTest_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionTest_RS1**  The total number of objects of this type present on this device.
 - **DecisionTest_RS2**  The total number of objects of this type present on this device.
 - **DecisionTest_RS3**  The total number of objects of this type present on this device.
@ -358,12 +277,6 @@ The following fields are available:
 - **DecisionTest_RS5**  The total number of objects of this type present on this device.
 - **DecisionTest_TH1**  The total number of objects of this type present on this device.
 - **DecisionTest_TH2**  The total number of objects of this type present on this device.
 - **DecisionTpmVersion_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionTpmVersion_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionTpmVersion_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionUefiSecureBoot_21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionUefiSecureBoot_CO21H2Setup**  The total number of objects of this type present on this device.
 - **DecisionUefiSecureBoot_CU22H2Setup**  The total number of objects of this type present on this device.
 - **InventoryApplicationFile**  The total number of objects of this type present on this device.
 - **InventoryLanguagePack**  The total number of objects of this type present on this device.
 - **InventoryMediaCenter**  The total number of objects of this type present on this device.
@ -387,10 +300,6 @@ The following fields are available:
 - **Wmdrm_20H1Setup**  The total number of objects of this type present on this device.
 - **Wmdrm_21H1**  The total number of objects of this type present on this device.
 - **Wmdrm_21H1Setup**  The total number of objects of this type present on this device.
 - **Wmdrm_21H2**  The total number of objects of this type present on this device.
 - **Wmdrm_21H2Setup**  The total number of objects of this type present on this device.
 - **Wmdrm_CO21H2Setup**  The total number of objects of this type present on this device.
 - **Wmdrm_CU22H2Setup**  The total number of objects of this type present on this device.
 - **Wmdrm_RS1**  The total number of objects of this type present on this device.
 - **Wmdrm_RS2**  The total number of objects of this type present on this device.
 - **Wmdrm_RS3**  The total number of objects of this type present on this device.
@ -4130,7 +4039,7 @@ The following fields are available:
 - **container_session_id**  The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
 - **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
 - **EventInfo.Level**  The minimum Windows diagnostic data level required for the event, where 1 is basic, 2 is enhanced, and 3 is full.
- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy.
+- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
 - **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
 - **installSource**  An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
 - **installSourceName**  A string representation of the installation source.
@ -4162,7 +4071,7 @@ The following fields are available:
 - **container_session_id**  The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
 - **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
 - **EventInfo.Level**  The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy.
+- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
 - **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
 - **installSource**  An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
 - **installSourceName**  A string representation of the installation source.
@ -4195,7 +4104,7 @@ The following fields are available:
 - **container_session_id**  The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
 - **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
 - **EventInfo.Level**  The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy.
+- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See (experimentationandconfigurationservicecontrol)[/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol] for more details on this policy.
 - **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
 - **installSource**  An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
 - **installSourceName**  A string representation of the installation source.
@ -4228,7 +4137,7 @@ The following fields are available:
 - **container_session_id**  The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
 - **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
 - **EventInfo.Level**  The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy.
+- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [#experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
 - **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
 - **installSource**  An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
 - **installSourceName**  A string representation of the installation source.
@ -4342,7 +4251,7 @@ The following fields are available:
 - **container_session_id**  The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
 - **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
 - **EventInfo.Level**  The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy.
+- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
 - **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
 - **installSource**  An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
 - **installSourceName**  A string representation of the installation source.
@ -6355,7 +6264,7 @@ The following fields are available:
 ### Microsoft.Windows.WERVertical.OSCrash
-This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. This is the OneCore version of this event.
 The following fields are available:
--- a/windows/security/identity-protection/access-control/special-identities.md
+++ b/windows/security/identity-protection/access-control/special-identities.md
@ -282,7 +282,7 @@ This group implicitly includes all users who are logged on to the system through
 ## Principal Self
-This identify is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object.
+This identity is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object.
 | **Attribute** | **Value** |
 |  :--: | :--: | 
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@ -0,0 +1,103 @@
 ---
 title: Azure Active Directory join cloud only deployment
 description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 device. 
 keywords: identity, Hello, Active Directory, cloud, 
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, mobile
 audience: ITPro
 author: mapalko
 ms.author: mapalko
 manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 localizationpriority: medium
 ms.date: 06/23/2021
 ms.reviewer: 
 ---
 # Azure Active Directory join cloud only deployment
 ## Introduction
 When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed.
 You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below.
 > [!NOTE]
 > During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts.
 ## Prerequisites
 Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business enrollment process.
 The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment).
 Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge.
 Check and view this setting with the following MSOnline PowerShell command:
 `Get-MsolDomainFederationSettings –DomainName <your federated domain name>`
 To disable this setting, run the following command. Note that this change impacts ALL Azure AD MFA scenarios for this federated domain.
 `Set-MsolDomainFederationSettings -DomainName <your federated domain name> -SupportsMfa $false`
 Example:
 `Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMfa $false`
 If you use this Supports MFA switch with value **True**, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP.
 ## Use Intune to disable Windows Hello for Business enrollment
 We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello).
 However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't using Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business.
 ## Disable Windows Hello for Business using Intune Enrollment policy
 1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center.
 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens.
 3. If you don't want to enable Windows Hello for Business during device enrollment, select **Disabled** for **Configure Windows Hello for Business**.
   When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business.
 > [!NOTE]
 > This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](hello-manage-in-organization.md).
 ## Disable Windows Hello for Business enrollment without Intune
 The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you don't manage them with Intune. This push can also be set manually on the specific device(s).
 Because these systems are Azure AD Joined only, and not domain joined, these settings could be made in the registry on the device(s) when Intune isn't used.
 Here are the registry settings an Intune policy would set.
 Intune Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies`**
 To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant)
 These registry settings are pushed from Intune for user policies for your reference.
 - Intune User Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\UserSid\Policies`**
 - DWORD: **UsePassportForWork**
 - Value = **0** for Disable, or Value = **1** for Enable
 For your reference, these registry settings can be applied from Local or Group Policies.
 - Local/GPO User Policy: **`HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork`**
 - Local/GPO Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`**
 - DWORD: **Enabled**
 - Value = **0** for Disable or Value = **1** for Enable
 If there's a conflicting Device policy and User policy, the User policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results.
 ## Related reference documents for Azure AD join scenarios
 - [Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join)
 - [Plan your Azure Active Directory device deployment](/azure/active-directory/devices/plan-device-deployment)
 - [How to: Plan your Azure AD join implementation](/azure/active-directory/devices/azureadjoin-plan)
 - [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin)
 - [Manage device identities using the Azure portal](/azure/active-directory/devices/device-management-azure-portal)
 - [Azure AD Join Single Sign-on Deployment](hello-hybrid-aadj-sso.md)
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@ -69,9 +69,9 @@ sections:
        answer: |
          It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users.
-      - question: Can I use an external camera when my laptop is closed or docked?
+      - question: Can I use an external Windows Hello compatible camera when my laptop is closed or docked?
        answer: |
-          No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further.
+          Yes. Starting with Windows 10, version 21H2 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera will be be used for face authentication. For more information see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103).
      - question: Why does authentication fail immediately after provisioning hybrid key trust?
        answer: |
@ -118,7 +118,7 @@ sections:
          Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then  performing a second factor of authentication to re-provision their Windows Hello for Business credential. Re-provisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. Also, for hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services.
      - question: |
-          Which is better or more secure: key trust or certificate trust?
+          Which is better or more secure, key trust or certificate trust?
        answer: |
          The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types are:
          - Required domain controllers 
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@ -197,7 +197,7 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au
    - **Description:** (Optional) List of domains that are allowed during PIN reset flows.
    - **OMA-URI:** ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls
    - **Data type:** String
-    - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be "signin.contoso.com;portal.contoso.com"
+    - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be signin.contoso.com;portal.contoso.com (no double quotes)
   ![Custom Configuration for ConfigureWebSignInAllowedUrls policy](images/pinreset/allowlist.png)
@ -218,4 +218,4 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
 - [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@ -74,6 +74,9 @@ The two directories used in hybrid deployments must be synchronized.  You need A
 Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. In case the schema of your local AD DS was changed since the last directory synchronization, you may need to [refresh directory schema](/azure/active-directory/hybrid/how-to-connect-installation-wizard#refresh-directory-schema).
 > [!NOTE]
 > User accounts enrolling for Windows Hello for Business in a Hybrid Certificate Trust scenario must have a UPN matching a verified domain name in Azure AD. For more details, see [Troubleshoot Post-Join issues](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current#troubleshoot-post-join-issues).
 > [!NOTE]
 > Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory.
@ -152,4 +155,4 @@ If your environment is already federated and supports Azure device registration,
 3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
-6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
+6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
--- a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png
+++ b/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@ -101,6 +101,8 @@
        href: hello-cert-trust-validate-deploy-mfa.md
      - name: Configure Windows Hello for Business policy settings
        href: hello-cert-trust-policy-settings.md
    - name: Azure AD join cloud only deployment
      href: hello-aad-join-cloud-only-deploy.md
    - name: Managing Windows Hello for Business in your organization
      href: hello-manage-in-organization.md
    - name: Deploying Certificates to Key Trust Users to Enable RDP
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@ -80,8 +80,12 @@ A TPM-based virtual smart card is labeled **Security Device** in the user interf
 ## Changing the PIN
-The PIN for virtual smart card can be changed by pressing Ctrl+Alt+Del, and then selecting the TPM virtual smart card under **Sign in options**.
+The PIN for a virtual smart card can be changed by following these steps:
-
+- Sign in with the old PIN or password.
 - Press Ctrl+Alt+Del and choose **Change a password**.
 - Select **Sign-in Options**.
 - Select the virtual smart card icon.
 - Enter and confirm the new PIN.
 ## Resolving issues
 ### TPM not provisioned
@ -100,4 +104,4 @@ Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter
 ## See also
-For information about authentication, confidentiality, and data integrity use cases, see [Virtual Smart Card Overview](virtual-smart-card-overview.md).
+For information about authentication, confidentiality, and data integrity use cases, see [Virtual Smart Card Overview](virtual-smart-card-overview.md).
--- a/windows/security/information-protection/TOC.yml
+++ b/windows/security/information-protection/TOC.yml
@ -29,6 +29,8 @@
              href: bitlocker\bitlocker-using-with-other-programs-faq.yml
        - name: "Prepare your organization for BitLocker: Planning and policies"
          href: bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md
        - name: BitLocker deployment comparison
          href: bitlocker\bitlocker-deployment-comparison.md
        - name: BitLocker basic deployment
          href: bitlocker\bitlocker-basic-deployment.md
        - name: "BitLocker: How to deploy on Windows Server 2012 and later"
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
@ -0,0 +1,65 @@
 ---
 title: BitLocker deployment comparison (Windows 10)
 description: This article shows the BitLocker deployment comparison chart.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: lovina-saldanha
 ms.author: v-lsaldanha
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 05/20/2021
 ms.custom: bitlocker
 ---
 # BitLocker deployment comparison
 **Applies to**
 - Windows 10
 This article depicts the BitLocker deployment comparison chart.
 ## BitLocker deployment comparison chart
 |  |Microsoft Intune  |Microsoft Endpoint Configuration Manager  |Microsoft BitLocker Administration and Monitoring (MBAM) |
 |---------|---------|---------|---------|
 |**Requirements**||||
 |Minimum client operating system version     |Windows 10     | Windows 10 and Windows 8.1  | Windows 7 and later        |
 |Supported Windows 10 SKUs     |    Enterprise, Pro, Education     |    Enterprise, Pro, Education     |     Enterprise    |
 |Minimum Windows 10 version     |1909   |    None     |    None     |
 |Supported domain-joined status     |     Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined    |   Active Directory joined, hybrid Azure AD joined      |     Active Directory joined    |
 |Permissions required to manage policies     |    Endpoint security manager or custom     |   Full administrator or custom      |     Domain Admin or Delegated GPO access    |
 |Cloud or on premises      |     Cloud    |  On premises     |    On premises     |
 |Server components required?      |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
 |Additional agent required?     |     No (device enrollment only)    |   Configuration Manager client      |     MBAM client    |
 |Administrative plane     | Microsoft Endpoint Manager admin center        |    Configuration Manager console     |    Group Policy Management Console and MBAM sites     |
 |Administrative portal installation required     |         |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |
 |Compliance reporting capabilities     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
 |Force encryption     |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::   |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::   | :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
 |Encryption for storage cards (mobile)      |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |         |
 |Allow recovery password      |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |
 |Manage startup authentication     |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |     :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |     :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |
 |Select cipher strength and algorithms for fixed drives      |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     | :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |
 |Select cipher strength and algorithms for removable drives     |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
 |Select cipher strength and algorithms for operating environment drives     |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |
 |Standard recovery password storage location     |     Azure AD or Active Directory    |     Configuration Manager site database    |    MBAM database     |
 |Store recovery password for operating system and fixed drives to Azure AD or Active Directory     |    Yes (Active Directory and Azure AD)     | Yes (Active Directory only)      |   Yes (Active Directory only)      |
 |Customize preboot message and recovery link     | :::image type="content" source="images/yes-icon.png" alt-text="supported":::         | :::image type="content" source="images/yes-icon.png" alt-text="supported":::        |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |
 |Allow/deny key file creation     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |
 |Deny Write permission to unprotected drives     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
 |Can be administered outside company network     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |         |
 |Support for organization unique IDs     |         |      :::image type="content" source="images/yes-icon.png" alt-text="supported":::   |     :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |
 |Self-service recovery      |    Yes (through Azure AD or Company Portal app)     |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |
 |Recovery password rotation for fixed and operating environment drives     |   Yes (Windows 10, version 1909 and later)     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
 |Wait to complete encryption until recovery information is backed up to Azure AD      |     :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |       |        |
 |Wait to complete encryption until recovery information is backed up to Active Directory      |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |
 |Allow or deny Data Recovery Agent     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
 |Unlock a volume using certificate with custom object identifier     |         |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |     :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |
 |Prevent memory overwrite on restart     |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
 |Configure custom Trusted Platform Module Platform Configuration Register profiles     |         |       | :::image type="content" source="images/yes-icon.png" alt-text="supported":::        |
 |Manage auto-unlock functionality     |         |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     | :::image type="content" source="images/yes-icon.png" alt-text="supported":::        |
--- a/windows/security/information-protection/bitlocker/images/yes-icon.png
+++ b/windows/security/information-protection/bitlocker/images/yes-icon.png
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
@ -94,6 +94,9 @@ To find the PCR information, go to the end of the file.
 ## Use PCPTool to decode Measured Boot logs
 > [!NOTE]
 > PCPTool is a Visual Studio solution, but you need to build the executable before you can start using this tool.
 PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file.
 To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions.
@ -111,4 +114,4 @@ where the variables represent the following values:
 The content of the XML file resembles the following.
-![Command Prompt window that shows an example of how to use PCPTool](./images/pcptool-output.jpg)
+![Command Prompt window that shows an example of how to use PCPTool](./images/pcptool-output.jpg)
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@ -72,7 +72,7 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
 > [!NOTE]
 > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
-
+>
 > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
 ## Discrete, Integrated or Firmware TPM?
@ -95,7 +95,7 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u
 ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
+- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of an existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
 ### IoT Core
@ -111,21 +111,20 @@ The following table defines which Windows features require TPM support.
 Windows Features | TPM Required | Supports TPM 1.2  | Supports TPM 2.0  | Details  |
 -|-|-|-|-
- Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot
+ Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated.  
 BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Automatic Device Encryption requires Modern Standby](../bitlocker/bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) including TPM 2.0 support
 Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0.
 Windows Defender Application Control (Device Guard) | No | Yes | Yes
- Windows Defender System Guard | Yes | No | Yes
+ Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
- Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported.
+ Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with Windows Defender System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement of this enhanced security for customers.
- Device Health Attestation| Yes | Yes | Yes
+ Device Health Attestation| Yes | Yes | Yes | TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated.
- Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support.
+ Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage.
 UEFI Secure Boot | No | Yes | Yes
 TPM Platform Crypto Provider Key Storage Provider| Yes | Yes | Yes
 Virtual Smart Card | Yes | Yes | Yes
 Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM.
 Autopilot | No | N/A | Yes | If you intend to deploy a scenario which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required.
 SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
 DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
 ## OEM Status on TPM 2.0 system availability and certified parts
@ -133,4 +132,4 @@ Government customers and enterprise customers in regulated industries may have a
 ## Related topics
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
+- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@ -52,9 +52,9 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
 ## Create a WIP policy
-1. Sign in to the Azure portal.
+1. Sign in to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
-2. Open Microsoft Intune and click **Client apps** > **App protection policies** > **Create policy**.
+2. Open Microsoft Intune and click **Apps** > **App protection policies** > **Create policy**.
   ![Open Client apps](images/create-app-protection-policy.png)
@ -486,7 +486,7 @@ Specify the proxy servers your devices will go through to reach your cloud resou
 Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
 This list shouldn’t include any servers listed in your Internal proxy servers list. 
-Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
+Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
 Separate multiple resources with the ";" delimiter.
 ```console
@ -497,8 +497,8 @@ proxy.contoso.com:80;proxy2.contoso.com:443
 Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
-This list shouldn’t include any servers listed in your Proxy servers list. 
+This list shouldn’t include any servers listed in your Proxy servers list.
-Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
+Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
 Separate multiple resources with the ";" delimiter.
 ```console
@ -507,8 +507,6 @@ contoso.internalproxy1.com;contoso.internalproxy2.com
 ### IPv4 ranges
 Starting with Windows 10, version 1703, this field is optional.
 Specify the addresses for a valid IPv4 value range within your intranet. 
 These addresses, used with your Network domain names, define your corporate network boundaries.
 Classless Inter-Domain Routing (CIDR) notation isn’t supported.
--- a/windows/security/threat-protection/TOC.yml
+++ b/windows/security/threat-protection/TOC.yml
@ -224,7 +224,7 @@
        - name: Information for developers
          items: 
            - name: Software developer FAQ
-              href: intelligence/developer-faq.md
+              href: intelligence/developer-faq.yml
            - name: Software developer resources
              href: intelligence/developer-resources.md
    - name: The Windows Security app
--- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
@ -21,8 +21,7 @@ ms.technology: mde
 - Windows 10
 - Windows Server 2016
-
+This auditing subcategory should not have any events in it, but for some reason Success auditing will enable the generation of event [4985(S): The state of a transaction has changed](/windows/security/threat-protection/auditing/event-4985).
 This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed.
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                              |
 |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------|
@ -35,4 +34,3 @@ This auditing subcategory should not have any events in it, but for some reason
 -   [4985](event-4985.md)(S): The state of a transaction has changed.
--- a/windows/security/threat-protection/auditing/basic-audit-account-management.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md
@ -44,51 +44,51 @@ set this value to **No auditing**, in the **Properties** dialog box for this pol
 You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
-| Account management events |                                                                                                                                                       Description                                                                                                                                                       |
+| Account management events | Description |
-|---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| :-----------------------: | :---------- |
-|            624            |                                                                                                                                               A user account was created.                                                                                                                                               |
+| 4720 | A user account was created.      |
-|            627            |                                                                                                                                              A user password was changed.                                                                                                                                               |
+| 4723 | A user password was changed.     |
-|            628            |                                                                                                                                                A user password was set.                                                                                                                                                 |
+| 4724 | A user password was set.         |
-|            630            |                                                                                                                                               A user account was deleted.                                                                                                                                               |
+| 4726 | A user account was deleted.      |
-|            631            |                                                                                                                                               A global group was created.                                                                                                                                               |
+| 4727 | A global group was created.      |
-|            632            |                                                                                                                                          A member was added to a global group.                                                                                                                                          |
+| 4728 | A member was added to a global group. |
-|            633            |                                                                                                                                        A member was removed from a global group.                                                                                                                                        |
+| 4729 | A member was removed from a global group. |
-|            634            |                                                                                                                                               A global group was deleted.                                                                                                                                               |
+| 4730 | A global group was deleted. |
-|            635            |                                                                                                                                             A new local group was created.                                                                                                                                              |
+| 4731 | A new local group was created. |
-|            636            |                                                                                                                                          A member was added to a local group.                                                                                                                                           |
+| 4732 | A member was added to a local group. |
-|            637            |                                                                                                                                        A member was removed from a local group.                                                                                                                                         |
+| 4733 | A member was removed from a local group. |
-|            638            |                                                                                                                                               A local group was deleted.                                                                                                                                                |
+| 4734 | A local group was deleted.          |
-|            639            |                                                                                                                                           A local group account was changed.                                                                                                                                            |
+| 4735 | A local group account was changed.  |
-|            641            |                                                                                                                                           A global group account was changed.                                                                                                                                           |
+| 4737 | A global group account was changed. |
-|            642            |                                                                                                                                               A user account was changed.                                                                                                                                               |
+| 4738 | A user account was changed. |
-|            643            |                                                                                                                                              A domain policy was modified.                                                                                                                                              |
+| 4739 | A domain policy was modified. |
-|            644            |                                                                                                                                             A user account was auto locked.                                                                                                                                             |
+| 4740 | A user account was auto locked. |
-|            645            |                                                                                                                                             A computer account was created.                                                                                                                                             |
+| 4741 | A computer account was created. |
-|            646            |                                                                                                                                             A computer account was changed.                                                                                                                                             |
+| 4742 | A computer account was changed. |
-|            647            |                                                                                                                                             A computer account was deleted.                                                                                                                                             |
+| 4743 | A computer account was deleted. |
-|            648            |                                                                A local security group with security disabled was created.<br>**Note:**  SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks.                                                                |
+| 4744 | A local security group with security disabled was created.<br> **Note:**  SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks |
-|            649            |                                                                                                                               A local security group with security disabled was changed.                                                                                                                                |
+| 4745 | A local security group with security disabled was changed. |
-|            650            |                                                                                                                             A member was added to a security-disabled local security group.                                                                                                                             |
+| 4746 | A member was added to a security-disabled local security group. |
-|            651            |                                                                                                                           A member was removed from a security-disabled local security group.                                                                                                                           |
+| 4747 | A member was removed from a security-disabled local security group. |
-|            652            |                                                                                                                                      A security-disabled local group was deleted.                                                                                                                                       |
+| 4748 | A security-disabled local group was deleted. |
-|            653            |                                                                                                                                      A security-disabled global group was created.                                                                                                                                      |
+| 4749 | A security-disabled global group was created. |
-|            645            |                                                                                                                                      A security-disabled global group was changed.                                                                                                                                      |
+| 4750 | A security-disabled global group was changed. |
-|            655            |                                                                                                                                 A member was added to a security-disabled global group.                                                                                                                                 |
+| 4751 | A member was added to a security-disabled global group. |
-|            656            |                                                                                                                               A member was removed from a security-disabled global group.                                                                                                                               |
+| 4752 | A member was removed from a security-disabled global group. |
-|            657            |                                                                                                                                      A security-disabled global group was deleted.                                                                                                                                      |
+| 4753 | A security-disabled global group was deleted. |
-|            658            |                                                                                                                                     A security-enabled universal group was created.                                                                                                                                     |
+| 4754 | A security-enabled universal group was created. |
-|            659            |                                                                                                                                     A security-enabled universal group was changed.                                                                                                                                     |
+| 4755 | A security-enabled universal group was changed. |
-|            660            |                                                                                                                                A member was added to a security-enabled universal group.                                                                                                                                |
+| 4756 | A member was added to a security-enabled universal group. |
-|            661            |                                                                                                                              A member was removed from a security-enabled universal group.                                                                                                                              |
+| 4757 | A member was removed from a security-enabled universal group. |
-|            662            |                                                                                                                                     A security-enabled universal group was deleted.                                                                                                                                     |
+| 4758 | A security-enabled universal group was deleted. |
-|            663            |                                                                                                                                    A security-disabled universal group was created.                                                                                                                                     |
+| 4759 | A security-disabled universal group was created. |
-|            664            |                                                                                                                                    A security-disabled universal group was changed.                                                                                                                                     |
+| 4760 | A security-disabled universal group was changed. |
-|            665            |                                                                                                                               A member was added to a security-disabled universal group.                                                                                                                                |
+| 4761 | A member was added to a security-disabled universal group. |
-|            666            |                                                                                                                             A member was removed from a security-disabled universal group.                                                                                                                              |
+| 4762 | A member was removed from a security-disabled universal group. |
-|            667            |                                                                                                                                    A security-disabled universal group was deleted.                                                                                                                                     |
+| 4763 | A security-disabled universal group was deleted. |
-|            668            |                                                                                                                                                A group type was changed.                                                                                                                                                |
+| 4764 | A group type was changed. |
-|            684            |                                                                                                                            Set the security descriptor of members of administrative groups.                                                                                                                             |
+| 4780 | Set the security descriptor of members of administrative groups. |
-|            685            | Set the security descriptor of members of administrative groups.<br>**Note:**  Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. |
+|  685 | Set the security descriptor of members of administrative groups.<br> **Note:**  Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. |
 ## Related topics
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@ -286,7 +286,7 @@ For 4624(S): An account was successfully logged on.
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.       | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the high-value account or accounts.                                                              |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **"New Logon\\Security ID"** (with other information) to monitor how or when a particular account is being used. |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the accounts that should never be used.                                                          |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                     | If this event corresponds to a "allow list-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allow list.                                  |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                     | If this event corresponds to a "allow list-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allow list.                                  |
 | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **"New Logon\\Security ID"** to see whether the account type is as expected. |
 | **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **"Subject\\Account Domain"** corresponding to accounts from another domain or "external" accounts.                                                |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **"New Logon\\Security ID"** that you are concerned about.                             |
--- a/windows/security/threat-protection/auditing/event-4627.md
+++ b/windows/security/threat-protection/auditing/event-4627.md
@ -21,7 +21,7 @@ ms.technology: mde
 -   Windows Server 2016
-<img src="images/event-4627.png" alt="Event 4627 illustration" width="876" height="1418" hspace="10" align="left" />
+<img src="images/event-4627.png" alt="Event 4627 illustration" width="554" height="896" hspace="10" align="left" />
 ***Subcategory:***&nbsp;[Audit Group Membership](audit-group-membership.md)
--- a/windows/security/threat-protection/auditing/event-4648.md
+++ b/windows/security/threat-protection/auditing/event-4648.md
@ -179,7 +179,7 @@ The following table is similar to the table in [Appendix A: Security monitoring
 | **High-value accounts**: You might have high value domain or local accounts for which you need to monitor each action.<br>Examples of high value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the high value account or accounts.                                                                                                                                                                                              |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” (with other information) to monitor how or when a particular account is being used.                                                                                                                               |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the accounts that should never be used.                                                                                                                                                                                          |
-| **Account allow list**: You might have a specific allow list of accounts that are allowed to perform actions corresponding to particular events.                                                                                                                                                                    | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the allow list.                                                                                                                                                                |
+| **Account allow list**: You might have a specific allow list of accounts that are allowed to perform actions corresponding to particular events.                                                                                                                                                                    | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the allow list.                                                                                                                                                                |
 | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform the action corresponding to this event.                                                                                                                                       | Monitor for the **“Subject\\Account Domain”** or “**Account Whose Credentials Were Used\\Security ID**” corresponding to accounts from another domain or “external” accounts.                                                                                                                                                                                        |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that you are concerned about.<br>For example, you might monitor to ensure that “**Account Whose Credentials Were Used\\Security ID**” is not used to log on to a certain computer. |
 | **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**Subject\\Account Name”** and “**Account Whose Credentials Were Used\\Security ID**” for names that don’t comply with naming conventions.                                                                                                                                                                                                                  |
--- a/windows/security/threat-protection/auditing/event-4688.md
+++ b/windows/security/threat-protection/auditing/event-4688.md
@ -193,7 +193,7 @@ For 4688(S): A new process has been created.
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the high-value account or accounts.                                                              |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** (with other information) to monitor how or when a particular account is being used. |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the accounts that should never be used.                                                          |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a "whitelist-only" action, review the **"Creator Subject\\Security ID"** and **"Target Subject\\Security ID"** for accounts that are outside the allow list.                                 |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a "allow list-only" action, review the **"Creator Subject\\Security ID"** and **"Target Subject\\Security ID"** for accounts that are outside the allow list.                                 |
 | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** to see whether the account type is as expected. |
 | **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor the specific events for the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** corresponding to accounts from another domain or "external" accounts.                                        |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that you are concerned about.                             |
--- a/windows/security/threat-protection/auditing/event-4696.md
+++ b/windows/security/threat-protection/auditing/event-4696.md
@ -153,7 +153,7 @@ For 4696(S): A primary token was assigned to process.
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the high-value account or accounts.                                                              |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the accounts that should never be used.                                                          |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the allow list.                                 |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the allow list.                                 |
 | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** to see whether the account type is as expected. |
 | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** corresponding to accounts from another domain or “external” accounts.                                                 |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that you are concerned about.                             |
--- a/windows/security/threat-protection/auditing/event-4703.md
+++ b/windows/security/threat-protection/auditing/event-4703.md
@ -195,7 +195,7 @@ Otherwise, see the recommendations in the following table.
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts.                                                                                                                                                                                                  |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.                                                                                                                                     |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Security ID**” that correspond to the accounts that should never be used.                                                                                                                                                          |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled.                                                               |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled.                                                               |
 | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected.                                                                                                                                     |
 | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                                                                                                  |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all.                                                                                                                     | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. <br>Also check **“Target Account\\Security ID”** to see whether the change in privileges should be made on that computer for that account.                |
--- a/windows/security/threat-protection/auditing/event-4704.md
+++ b/windows/security/threat-protection/auditing/event-4704.md
@ -153,7 +153,7 @@ For 4704(S): A user right was assigned.
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                       |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.                                                                                                                                                                                                                                                                                                                                                                          |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\ Account Name**” that correspond to the accounts that should never be used.                                                                                                                                                                                                                                                                                                                                                                                             |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled.                                                                                                                                                                                                                                                                                                            |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled.                                                                                                                                                                                                                                                                                                            |
 | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected.                                                                                                                                                                                                                                                                                                                                                                          |
 | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                                                                                                                                                                                                                                                                                                                                       |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all.                                                                                                                     | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. <br>Also check **“Target Account\\ Account Name”** to see whether the change in rights should be made on that computer for that account.                                                                                                                                                                                                                                                       |
--- a/windows/security/threat-protection/auditing/event-4705.md
+++ b/windows/security/threat-protection/auditing/event-4705.md
@ -152,7 +152,7 @@ For 4705(S): A user right was removed.
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Account Name**” that correspond to the accounts that should never be used.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.<br>If you have specific user rights policies, for example, an allow list of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.”                                                                                                                                                                                                                                                |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.<br>If you have specific user rights policies, for example, an allow list of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.”                                                                                                                                                                                                                                                |
 | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Target Account\\Account Name”** to see whether the account type is as expected.<br>For example, if some accounts have critical user rights which should never be removed, monitor this event for the **“Target** **Account\\Account Name”** and the appropriate rights.<br>As another example, if non-administrative accounts should never be granted certain user rights (for example, **SeAuditPrivilege**), you might monitor this event, because a right can be removed only after it was previously granted. |
 | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all.                                                                                                                     | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Target Account\\Account Name**” to see whether user rights should be removed from that account (or whether that account should have any rights on that computer).<br>For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Removed Right**” should be removed from “**Target** **Account\\Account Name**” in each case.                                                                                       |
--- a/windows/security/threat-protection/auditing/event-4717.md
+++ b/windows/security/threat-protection/auditing/event-4717.md
@ -127,7 +127,7 @@ For 4717(S): System security access was granted to an account.
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts.                                                                                                                                                                                                                                                                                                                                               |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.                                                                                                                                                                                                                                                                                                                          |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used.                                                                                                                                                                                                                                                                                                                                                                                   |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.<br>If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.”                                                                                  |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.<br>If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.”                                                                                  |
 | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.<br>For example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), monitor this event for those accounts and rights.                                                                                            |
 | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                                                                                                                                                                                                                                                                                       |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all.                                                                                                                     | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be granted to that account.<br>For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be granted to “**Account Modified\\Account Name**” in each case. |
--- a/windows/security/threat-protection/auditing/event-4718.md
+++ b/windows/security/threat-protection/auditing/event-4718.md
@ -127,7 +127,7 @@ For 4718(S): System security access was removed from an account.
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.                    | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                                   | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                                        | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                                         | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.<br>If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.”                                                                                                                                                                                                                                                                                                     |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                                         | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.<br>If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.”                                                                                                                                                                                                                                                                                                     |
 | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                                    | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.<br>For example, if critical remote network service accounts have user logon rights which should never be removed (for example, **SeNetworkLogonRight**), monitor this event for the **“Account Modified\\Account Name”** and the appropriate rights.<br>As another example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), you might monitor this event, because a right can be removed only after it was previously granted. |
 | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                                        | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all.                                                                                                                                        | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be removed from that account.<br>For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be removed from “**Account Modified\\Account Name**” in each case.                                                                                                                                                                                                                     |
--- a/windows/security/threat-protection/auditing/event-4732.md
+++ b/windows/security/threat-protection/auditing/event-4732.md
@ -154,7 +154,7 @@ For 4732(S): A member was added to a security-enabled local group.
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.                                                                       | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts.                                                                                                   |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                                                                                      | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.                                                                   |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                                                                                           | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used.                                                                                               |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                                                                                            | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.                                                                                                    |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                                                                                            | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.                                                                                                    |
 | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                                                                                       | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected.                                                                   |
 | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                                                                                           | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                                |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                                                                                            | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.                                                                                               |
--- a/windows/security/threat-protection/auditing/event-4733.md
+++ b/windows/security/threat-protection/auditing/event-4733.md
@ -161,7 +161,7 @@ For 4733(S): A member was removed from a security-enabled local group.
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.                                                                  | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts.                                                                                                       |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                                                                                 | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.                                                                       |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                                                                                      | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used.                                                                                                   |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                                                                                       | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.                                                                                                        |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                                                                                       | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.                                                                                                        |
 | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                                                                                  | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected.                                                                       |
 | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                                                                                      | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                                    |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                                                                                       | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.                                                                                                   |
--- a/windows/security/threat-protection/auditing/event-4751.md
+++ b/windows/security/threat-protection/auditing/event-4751.md
@ -158,7 +158,7 @@ For 4751(S): A member was added to a security-disabled global group.
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts.                                                                                       |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.                                                       |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used.                                                                                   |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.                                                                                        |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.                                                                                        |
 | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected.                                                       |
 | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                    |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.                                                                                   |
--- a/windows/security/threat-protection/auditing/event-4752.md
+++ b/windows/security/threat-protection/auditing/event-4752.md
@ -149,7 +149,7 @@ For 4752(S): A member was removed from a security-disabled global group.
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts.                                                                                             |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.                                                             |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used.                                                                                         |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.                                                                                              |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.                                                                                              |
 | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected.                                                             |
 | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                          |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.                                                                                         |
--- a/windows/security/threat-protection/auditing/event-4768.md
+++ b/windows/security/threat-protection/auditing/event-4768.md
@ -305,7 +305,7 @@ For 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“User ID”** that corresponds to the high-value account or accounts.                                                              |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“User ID”** (with other information) to monitor how or when a particular account is being used. |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“User ID”** that corresponds to the accounts that should never be used.                                                          |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “whitelist-only” action, review the **“User ID”** for accounts that are outside the allow list.                                  |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “allow list-only” action, review the **“User ID”** for accounts that are outside the allow list.                                  |
 | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Supplied Realm Name”** corresponding to another domain or “external” location.                                                   |
 | **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**User ID”** for names that don’t comply with naming conventions.                                                                                     |
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@ -166,13 +166,78 @@ The most common values:
 > Table 6. Kerberos ticket flags.
-   **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the most common error codes for this event:
+-   **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the error codes for this event as defined in [RFC 4120](https://tools.ietf.org/html/rfc4120#section-7.5.9):
 | Code | Code Name                      | Description                                                  | Possible causes                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
 |------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
+| 0x0         | KDC\_ERR\_NONE                            | No error                                        |
-| 0x17 | KDC\_ERR\_KEY\_EXPIRED         | Password has expired—change password to reset                | The user’s password has expired.                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
+| 0x1         | KDC\_ERR\_NAME\_EXP                       | Client's entry in database has expired          |
-| 0x18 | KDC\_ERR\_PREAUTH\_FAILED      | Pre-authentication information was invalid                   | The wrong password was provided.                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
+| 0x2         | KDC\_ERR\_SERVICE\_EXP                    | Server's entry in database has expired          |
 | 0x3         | KDC\_ERR\_BAD\_PVNO                       | Requested protocol version number not supported |
 | 0x4         | KDC\_ERR\_C\_OLD\_MAST\_KVNO              | Client's key encrypted in old master key        |
 | 0x5         | KDC\_ERR\_S\_OLD\_MAST\_KVNO              | Server's key encrypted in old master key        |
 | 0x6         | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN           | Client not found in Kerberos database           |
 | 0x7         | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN           | Server not found in Kerberos database           |
 | 0x8         | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE          | Multiple principal entries in database          |
 | 0x9         | KDC\_ERR\_NULL\_KEY                       | The client or server has a null key             |
 | 0xa         | KDC\_ERR\_CANNOT\_POSTDATE                | Ticket not eligible for postdating              |
 | 0xb         | KDC\_ERR\_NEVER\_VALID                    | Requested starttime is later than end time      |
 | 0xc         | KDC\_ERR\_POLICY                          | KDC policy rejects request                      |
 | 0xd         | KDC\_ERR\_BADOPTION                       | KDC cannot accommodate requested option         |
 | 0xe         | KDC\_ERR\_ETYPE\_NOSUPP                   | KDC has no support for encryption type          |
 | 0xf         | KDC\_ERR\_SUMTYPE\_NOSUPP                 | KDC has no support for checksum type            |
 | 0x10         | KDC\_ERR\_PADATA\_TYPE\_NOSUPP            | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
 | 0x11         | KDC\_ERR\_TRTYPE\_NOSUPP                  | KDC has no support for transited type           |
 | 0x12         | KDC\_ERR\_CLIENT\_REVOKED                 | Clients credentials have been revoked           |
 | 0x13         | KDC\_ERR\_SERVICE\_REVOKED                | Credentials for server have been revoked        |
 | 0x14         | KDC\_ERR\_TGT\_REVOKED                    | TGT has been revoked                            |
 | 0x15         | KDC\_ERR\_CLIENT\_NOTYET                  | Client not yet valid; try again later           |
 | 0x16         | KDC\_ERR\_SERVICE\_NOTYET                 | Server not yet valid; try again later           |
 | 0x17         | KDC\_ERR\_KEY\_EXPIRED                    | Password has expired—change password to reset   |The user’s password has expired.
 | 0x18         | KDC\_ERR\_PREAUTH\_FAILED                 | Pre-authentication information was invalid      |The wrong password was provided.
 | 0x19         | KDC\_ERR\_PREAUTH\_REQUIRED               | Additional pre-authentication required          |
 | 0x1a         | KDC\_ERR\_SERVER\_NOMATCH                 | Requested server and ticket don't match         |
 | 0x1b         | KDC\_ERR\_MUST\_USE\_USER2USER            | Server principal valid for user2user only       |
 | 0x1c         | KDC\_ERR\_PATH\_NOT\_ACCEPTED             | KDC Policy rejects transited path               |
 | 0x1d         | KDC\_ERR\_SVC\_UNAVAILABLE                | A service is not available                      |
 | 0x1f         | KRB\_AP\_ERR\_BAD\_INTEGRITY              | Integrity check on decrypted field failed       |
 | 0x20         | KRB\_AP\_ERR\_TKT\_EXPIRED                | Ticket expired                                  |
 | 0x21         | KRB\_AP\_ERR\_TKT\_NYV                    | Ticket not yet valid                            |
 | 0x22         | KRB\_AP\_ERR\_REPEAT                      | Request is a replay                             |
 | 0x23         | KRB\_AP\_ERR\_NOT\_US                     | The ticket isn't for us                         |
 | 0x24         | KRB\_AP\_ERR\_BADMATCH                    | Ticket and authenticator don't match            |
 | 0x25         | KRB\_AP\_ERR\_SKEW                        | Clock skew too great                            |
 | 0x26         | KRB\_AP\_ERR\_BADADDR                     | Incorrect net address                           |
 | 0x27         | KRB\_AP\_ERR\_BADVERSION                  | Protocol version mismatch                       |
 | 0x28         | KRB\_AP\_ERR\_MSG\_TYPE                   | Invalid msg type                                |
 | 0x29         | KRB\_AP\_ERR\_MODIFIED                    | Message stream modified                         |
 | 0x2a         | KRB\_AP\_ERR\_BADORDER                    | Message out of order                            |
 | 0x2c         | KRB\_AP\_ERR\_BADKEYVER                   | Specified version of key is not available       |
 | 0x2d         | KRB\_AP\_ERR\_NOKEY                       | Service key not available                       |
 | 0x2e         | KRB\_AP\_ERR\_MUT\_FAIL                   | Mutual authentication failed                    |
 | 0x2f         | KRB\_AP\_ERR\_BADDIRECTION                | Incorrect message direction                     |
 | 0x30         | KRB\_AP\_ERR\_METHOD                      | Alternative authentication method required      |
 | 0x31         | KRB\_AP\_ERR\_BADSEQ                      | Incorrect sequence number in message            |
 | 0x32         | KRB\_AP\_ERR\_INAPP\_CKSUM                | Inappropriate type of checksum in message       |
 | 0x33         | KRB\_AP\_PATH\_NOT\_ACCEPTED              | Policy rejects transited path                   |
 | 0x34         | KRB\_ERR\_RESPONSE\_TOO\_BIG              | Response too big for UDP; retry with TCP        |
 | 0x3c         | KRB\_ERR\_GENERIC                         | Generic error (description in e-text)           |
 | 0x3d         | KRB\_ERR\_FIELD\_TOOLONG                  | Field is too long for this implementation       |
 | 0x3e         | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED          | Reserved for PKINIT                             |
 | 0x3f         | KDC\_ERROR\_KDC\_NOT\_TRUSTED             | Reserved for PKINIT                             |
 | 0x40         | KDC\_ERROR\_INVALID\_SIG                  | Reserved for PKINIT                             |
 | 0x41         | KDC\_ERR\_KEY\_TOO\_WEAK                  | Reserved for PKINIT                             |
 | 0x42         | KDC\_ERR\_CERTIFICATE\_MISMATCH           | Reserved for PKINIT                             |
 | 0x43         | KRB\_AP\_ERR\_NO\_TGT                     | No TGT available to validate USER-TO-USER       |
 | 0x44         | KDC\_ERR\_WRONG\_REALM                    | Reserved for future use                         |
 | 0x45         | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED    | Ticket must be for USER-TO-USER                 |
 | 0x46         | KDC\_ERR\_CANT\_VERIFY\_CERTIFICATE       | Reserved for PKINIT                             |
 | 0x47         | KDC\_ERR\_INVALID\_CERTIFICATE            | Reserved for PKINIT                             |
 | 0x48         | KDC\_ERR\_REVOKED\_CERTIFICATE            | Reserved for PKINIT                             |
 | 0x49         | KDC\_ERR\_REVOCATION\_STATUS\_UNKNOWN     | Reserved for PKINIT                             |
 | 0x4a         | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT                             |
 | 0x4b         | KDC\_ERR\_CLIENT\_NAME\_MISMATCH          | Reserved for PKINIT                             |
 | 0x4c         | KDC\_ERR\_KDC\_NAME\_MISMATCH             | Reserved for PKINIT                             |                                                                   
 -   **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)) type that was used in TGT request.
@ -209,7 +274,7 @@ For 4771(F): Kerberos pre-authentication failed.
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts.                                                              |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used.                                                          |
-| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the allow list.                                  |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “allow list-only” action, review the **“Security ID”** for accounts that are outside the allow list.                                  |
 | **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions.                                                                           |
 -   You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges.
--- a/windows/security/threat-protection/auditing/event-4776.md
+++ b/windows/security/threat-protection/auditing/event-4776.md
@ -130,7 +130,7 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts.                                                                                                                                                                                                                           |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.<br>To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Logon Account”** that should never be used.                                                                                                                                                                                                                                                        |
-| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “whitelist-only” action, review the **“Logon Account”** for accounts that are outside the allow list.                                                                                                                                                                                               |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “allow list-only” action, review the **“Logon Account”** for accounts that are outside the allow list.                                                                                                                                                                                               |
 | **Restricted-use computers**: You might have certain computers from which certain people (accounts) should not log on.                                                                                                                                                                                            | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you are concerned about.                                                                                                                                                                                           |
 | **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**Logon Account”** for names that don’t comply with naming conventions.                                                                                                                                                                                                                                                  |
--- a/windows/security/threat-protection/auditing/event-4778.md
+++ b/windows/security/threat-protection/auditing/event-4778.md
@ -127,7 +127,7 @@ For 4778(S): A session was reconnected to a Window Station.
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts.                                                              |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used.                                                          |
-| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list.                                  |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “allow list-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list.                                  |
 | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. |
 | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                               |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about.                             |
--- a/windows/security/threat-protection/auditing/event-4779.md
+++ b/windows/security/threat-protection/auditing/event-4779.md
@ -131,7 +131,7 @@ For 4779(S): A session was disconnected from a Window Station.
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts.                                                                                                                                                                                                                                                                   |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used.                                                                                                                                                                                                      |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used.                                                                                                                                                                                                                                                               |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the whitelist.                                                                                                                                                                                                                                       |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “allow list-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list.                                                                                                                                                                                                                                       |
 | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected.                                                                                                                                                                                                      |
 | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                                                                                                                                                                    |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.<br>For example, you might have computers to which connections should not be made from certain accounts or addresses.           | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about.<br>If you have a target **Computer:** (or other target device) to which connections should not be made from certain accounts or addresses, monitor this event for the corresponding **Client Name** or **Client Address**. |
--- a/windows/security/threat-protection/intelligence/TOC.yml
+++ b/windows/security/threat-protection/intelligence/TOC.yml
@ -55,6 +55,6 @@
    - name: Information for developers
      items: 
        - name: Software developer FAQ
-          href: developer-faq.md
+          href: developer-faq.yml
        - name: Software developer resources
          href: developer-resources.md
--- a/windows/security/threat-protection/intelligence/developer-faq.md
+++ b/windows/security/threat-protection/intelligence/developer-faq.md
@ -1,51 +0,0 @@
 ---
 title: Software developer FAQ
 ms.reviewer: 
 description: This page provides answers to common questions we receive from software developers
 keywords: wdsi, software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: dansimp
 author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Software developer FAQ
 This page provides answers to common questions we receive from software developers. For general guidance about submitting malware or incorrectly detected files, read the submission guide.
 ## Does Microsoft accept files for a known list or false-positive prevention program?
 No. We don't accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list. Far less frequently, in will add your digital certificate to a list of trusted publishers.
 ## How do I dispute the detection of my program?
 Submit the file in question as a software developer. Wait until your submission has a final determination.
 If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We'll use the information you provide to investigate further if necessary.
 We encourage all software vendors and developers to read about [how Microsoft identifies malware and Potentially Unwanted Applications (PUA)](criteria.md).
 ## Why is Microsoft asking for a copy of my program?
 Providing copies can help us with our analysis. Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file.
 ## Why does Microsoft classify my installer as a software bundler?
 It contains instructions to offer a program classified as unwanted software. You can review the [criteria](criteria.md) we use to check applications for behaviors that are considered unwanted.
 ## Why is the Windows Defender Firewall blocking my program?
 Firewall blocks aren't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md).
 ## Why does the Microsoft Defender Windows Defender SmartScreen say my program isn't commonly downloaded?
 This isn't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender Windows Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md)
--- a/Show More
+++ b/Show More