Merge branch 'do_docs' of https://github.com/cmknox/windows-docs-pr into do_docs

This commit is contained in:
[cmknox]
2024-06-10 14:37:31 -06:00
116 changed files with 304 additions and 345 deletions

View File

@ -18,7 +18,7 @@ To configure Google Workspace as an IdP for Microsoft Entra ID, the following pr
1. A Microsoft Entra tenant, with one or multiple custom DNS domains (that is, domains that aren't in the format \**.onmicrosoft.com*) 1. A Microsoft Entra tenant, with one or multiple custom DNS domains (that is, domains that aren't in the format \**.onmicrosoft.com*)
- If the federated domain hasn't yet been added to Microsoft Entra ID, you must have access to the DNS domain to create a DNS record. This is required to verify the ownership of the DNS namespace - If the federated domain hasn't yet been added to Microsoft Entra ID, you must have access to the DNS domain to create a DNS record. This is required to verify the ownership of the DNS namespace
- Learn how to [Add your custom domain name using the Microsoft Entra admin center](/azure/active-directory/fundamentals/add-custom-domain) - Learn how to [Add your custom domain name using the Microsoft Entra admin center](/azure/active-directory/fundamentals/add-custom-domain)
1. Access to Microsoft Entra ID with an account with the *Global Administrator* role 1. Access to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider Administrator](/entra/identity/role-based-access-control/permissions-reference#external-identity-provider-administrator)
1. Access to Google Workspace with an account with *super admin* privileges 1. Access to Google Workspace with an account with *super admin* privileges
To test federation, the following prerequisites must be met: To test federation, the following prerequisites must be met:
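Review bot: In the changed prerequisite for Microsoft Entra access, "as at least a [External Identity Provider Administrator]" should read "an External Identity Provider Administrator". The first prerequisite's sub-bullets still cover adding and verifying a custom domain, so please confirm in the text whether this narrower role is sufficient for that step or name the role that is, so readers who no longer sign in as Global Administrator are not blocked partway through.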
@ -56,7 +56,7 @@ To test federation, the following prerequisites must be met:
|Basic Information: Primary Email|App attributes: IDPEmail| |Basic Information: Primary Email|App attributes: IDPEmail|
> [!IMPORTANT] > [!IMPORTANT]
> You must ensure that your the Microsoft Entra user accounts email match those in your Google Workspace. > You must ensure that your Microsoft Entra user account's email matches that in your Google Workspace.
1. Select **Finish** 1. Select **Finish**
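Review bot: In the IMPORTANT callout, the corrected sentence is now singular ("user account's email matches that in your Google Workspace"), which reads as if only one account has to match. The requirement applies to every federated user, so consider "each Microsoft Entra user account's email matches the one in Google Workspace".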
@ -73,7 +73,7 @@ Now that the app is configured, you must enable it for the users in Google Works
## Configure Microsoft Entra ID as a Service Provider (SP) for Google Workspace ## Configure Microsoft Entra ID as a Service Provider (SP) for Google Workspace
The configuration of Microsoft Entra ID consists of changing the authentication method for the custom DNS domains. This configuration can be done using PowerShell.\ The configuration of Microsoft Entra ID consists of changing the authentication method for the custom DNS domains. This configuration can be done using PowerShell.\
Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in a PowerShell session. When prompted to authenticate to Microsoft Entra ID, use the credentials of an account with the *Global Administrator* role. Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in a PowerShell session. When prompted to authenticate to Microsoft Entra ID, sign in as at least a [External Identity Provider Administrator](/entra/identity/role-based-access-control/permissions-reference#external-identity-provider-administrator)
```powershell ```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
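Review bot: The rewritten sign-in sentence ends without a period and repeats "a External" where "an External Identity Provider Administrator" is needed. Separately, the script's first line in the context, `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force`, changes the user's execution policy persistently; since this paragraph is being touched anyway, consider `-Scope Process` so the change ends with the PowerShell session.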

View File

@ -7,7 +7,7 @@ appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a> -<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Use the Set up School PCs app # Use the Set up School PCs app
IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows devices for students. The app configures devices with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student device in Microsoft Intune. You can then manage all the settings the app configures through Intune. IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows devices for students. The app configures devices with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student device in Microsoft Intune. You can then manage all the settings the app configures through Intune.
@ -16,20 +16,20 @@ With Set up School PCs you can:
- Joins student devices to your organization's Microsoft Entra tenant - Joins student devices to your organization's Microsoft Entra tenant
- Enable the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state - Enable the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state
- Use Windows Update and maintenance hours to keep student devices up-to-date, without interfering with class time - Use Windows Update and maintenance hours to keep student devices up-to-date, without interfering with class time
- Lock down student devices to prevent activity that aren't beneficial to their education - Lock down student devices to prevent activity that aren't beneficial to their education
This article describes how to use the Set up School PCs app. To learn more about the app's functionality, review the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md). This article describes how to use the Set up School PCs app. To learn more about the app's functionality, review the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md).
## Requirements ## Requirements
Before you begin, make sure that your devices and your school's network are configured with the following requirements: Before you begin, make sure that your devices and your school's network are configured with the following requirements:
- Microsoft Entra ID and Microsoft 365 licenses - Microsoft Entra ID and Microsoft 365 licenses
- [Latest Set up School PCs app](https://apps.microsoft.com/detail/9NBLGGH4LS40) - [Latest Set up School PCs app](https://apps.microsoft.com/detail/9NBLGGH4LS40)
- A NTFS-formatted USB drive that is at least 1 GB - A NTFS-formatted USB drive that is at least 1 GB
- Student devices must either: - Student devices must either:
- Be within range of the Wi-Fi network that you configured in the app - Be within range of the Wi-Fi network that you configured in the app
- Have a wired Ethernet connection when you set them up - Have a wired Ethernet connection when you set them up
### Prepare existing PC account for new setup ### Prepare existing PC account for new setup
@ -46,7 +46,7 @@ Alternatively, you can also select **Start** > **Power** icon. Hold down <kbd>Sh
1. Select **Troubleshoot** > **Reset this PC** 1. Select **Troubleshoot** > **Reset this PC**
1. Select **Remove everything** 1. Select **Remove everything**
1. If the option appears, select **Only the drive where Windows is installed** 1. If the option appears, select **Only the drive where Windows is installed**
1. Select **Just remove my files** 1. Select **Just remove my files**
1. Select **Reset** 1. Select **Reset**
@ -58,20 +58,20 @@ This section offers recommendations to prepare you for the best possible setup e
We recommend you run the IT administrator or technical teacher's device on the same Windows build as the student devices. We recommend you run the IT administrator or technical teacher's device on the same Windows build as the student devices.
### Student devices must meet OS requirements for the app ### Student devices must meet OS requirements for the app
Check the OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows images on the student devices. Check the OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows images on the student devices.
To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements** > **OS**. To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements** > **OS**.
### Use app on a PC that is connected to your school's network ### Use app on a PC that is connected to your school's network
We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you need to enter the information manually. We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you need to enter the information manually.
>[!NOTE] >[!NOTE]
>Don't use the **Set up Schools PCs** app for devices that must connect to enterprise or open Wi-Fi networds that require the user to accept Terms of Use. >Don't use the **Set up Schools PCs** app for devices that must connect to enterprise or open Wi-Fi networds that require the user to accept Terms of Use.
### Run app on an open network or network that requires a basic password ### Run app on an open network or network that requires a basic password
Don't use Set up School PCs over a certificate-based network, or one where you have to enter credentials in a browser. If you need to set up many devices over Wi-Fi, make sure that your network configuration can support it. Don't use Set up School PCs over a certificate-based network, or one where you have to enter credentials in a browser. If you need to set up many devices over Wi-Fi, make sure that your network configuration can support it.
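Review bot: The NOTE callout in this hunk still carries "Wi-Fi networds" and "**Set up Schools PCs**" on both sides of the diff. Since the hunk is otherwise only a whitespace cleanup, fix these to "networks" and "**Set up School PCs**" in the same pass.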
@ -87,57 +87,57 @@ We recommend that you:
To set up more than one PC at the same time, save the provisioning package to additional USB drives. Then plug the USBs in at the same time during setup. To set up more than one PC at the same time, save the provisioning package to additional USB drives. Then plug the USBs in at the same time during setup.
### Limit changes to school-optimized settings ### Limit changes to school-optimized settings
We strongly recommend that you avoid changing preset policies. Changes can slow down setup, performance, and the time it takes to sign in. We strongly recommend that you avoid changing preset policies. Changes can slow down setup, performance, and the time it takes to sign in.
## Create the provisioning package ## Create the provisioning package
The **Set up School PCs** app guides you through the configuration choices for the student PCs. To begin, open the app on your device and select **Get started**. The **Set up School PCs** app guides you through the configuration choices for the student PCs. To begin, open the app on your device and select **Get started**.
![Launch the Set up School PCs app.](images/suspcs/suspc_getstarted_050817.png) ![Launch the Set up School PCs app.](images/suspcs/suspc_getstarted_050817.png)
### Package name ### Package name
Type a unique name to help distinguish your school's provisioning packages. The name appears: Type a unique name to help distinguish your school's provisioning packages. The name appears:
- On the local package folder - On the local package folder
- In your tenant's Microsoft Entra account in the Azure portal - In your tenant's Microsoft Entra account in the Azure portal
A package expiration date is also attached to the end of each package. For example, *Set_Up_School_PCs (Expires 1-1-2024)*. The expiration date is 180 days after you create your package. A package expiration date is also attached to the end of each package. For example, *Set_Up_School_PCs (Expires 1-1-2024)*. The expiration date is 180 days after you create your package.
![Example screenshot of the Set up School PCs app, Name your package screen.](images/suspcs/1810_Name_Your_Package_SUSPC.png) ![Example screenshot of the Set up School PCs app, Name your package screen.](images/suspcs/1810_Name_Your_Package_SUSPC.png)
After you select **Next**, you can no longer change the name in the app. To create a package with a different name, reopen the Set up School PCs app. After you select **Next**, you can no longer change the name in the app. To create a package with a different name, reopen the Set up School PCs app.
To change an existing package's name, right-click the package folder on your device and select **Rename**. This action doesn't change the name in Microsoft Entra ID. If you have Global Admin permissions, you can go to Microsoft Entra ID in the Azure portal, and rename the package there. To change an existing package's name, right-click the package folder on your device and select **Rename**. This action doesn't change the name in Microsoft Entra ID. You can access to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](/entra/identity/role-based-access-control/permissions-reference#user-administrator), and rename the package there.
### Sign in ### Sign in
1. Select how you want to sign in 1. Select how you want to sign in
1. (Recommended) To enable student device to automatically connect and authenticate to Microsoft Entra ID, and management services like Microsoft Intune, select **Sign-in**. Then go to step 3 1. (Recommended) To enable student device to automatically connect and authenticate to Microsoft Entra ID, and management services like Microsoft Intune, select **Sign-in**. Then go to step 3
1. To complete setup without signing in, select **Continue without account**. Student devices won't connect to your school's cloud services and their management will be more difficult later. Continue to [Wireless network](#wireless-network) 1. To complete setup without signing in, select **Continue without account**. Student devices won't connect to your school's cloud services and their management will be more difficult later. Continue to [Wireless network](#wireless-network)
1. In the new window, select the account you want to use throughout setup. 1. In the new window, select the account you want to use throughout setup.
![Sign-in screen showing the option to "Use this account" or use a different "Work or school account."](images/suspcs/1810_choose_account_suspc.png) ![Sign-in screen showing the option to "Use this account" or use a different "Work or school account."](images/suspcs/1810_choose_account_suspc.png)
To add an account not listed: To add an account not listed:
1. Select **Work or school account** > **Continue**. 1. Select **Work or school account** > **Continue**.
1. Type in the account username and select **Next**. 1. Type in the account username and select **Next**.
1. Verify the user account and password, if prompted. 1. Verify the user account and password, if prompted.
1. Select **Accept** to allow Set up School PCs to access your account throughout setup 1. Select **Accept** to allow Set up School PCs to access your account throughout setup
1. When your account name appears on the page, select **Next** 1. When your account name appears on the page, select **Next**
![Example screenshot of the Set up School PC app, Sign in screen, showing that the user's account name appears at the bottom of the page.](images/suspcs/1810_Sign_In_SUSPC.png) ![Example screenshot of the Set up School PC app, Sign in screen, showing that the user's account name appears at the bottom of the page.](images/suspcs/1810_Sign_In_SUSPC.png)
### Wireless network ### Wireless network
Add and save the wireless network profile that you want student devices to connect to. Only skip Wi-Fi setup if you have an Ethernet connection. Add and save the wireless network profile that you want student devices to connect to. Only skip Wi-Fi setup if you have an Ethernet connection.
Select your organization's Wi-Fi network from the list of available wireless networks, or select **Add a wireless network** to manually configure it. Then select **Next** Select your organization's Wi-Fi network from the list of available wireless networks, or select **Add a wireless network** to manually configure it. Then select **Next**
![Example screenshot of the Set up School PC app, Wireless network page with two Wi-Fi networks listed, one of which is selected.](images/suspcs/1810_SUSPC_select_Wifi.png) ![Example screenshot of the Set up School PC app, Wireless network page with two Wi-Fi networks listed, one of which is selected.](images/suspcs/1810_SUSPC_select_Wifi.png)
### Device names ### Device names
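Review bot: In the rename paragraph under "Package name", the new sentence "You can access to the [Microsoft Entra admin center]... as at least a [User Administrator], and rename the package there" is ungrammatical; suggest "Sign in to the Microsoft Entra admin center as at least a User Administrator and rename the package there". The bullet earlier in the same section still says the name appears "in your tenant's Microsoft Entra account in the Azure portal", so the two portal references should be aligned.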
@ -147,17 +147,17 @@ To make sure all device names are unique, Set up School PCs automatically append
To keep the default name for your devices, select **Continue with existing names**. To keep the default name for your devices, select **Continue with existing names**.
!["Name these devices" screen with the device field filled in with example device name, "Grd8."](images/suspcs/1810_name-devices_SUSPC.png) !["Name these devices" screen with the device field filled in with example device name, "Grd8."](images/suspcs/1810_name-devices_SUSPC.png)
### Settings ### Settings
Select more settings to include in the provisioning package. To begin, select the operating system on your student PCs. Select more settings to include in the provisioning package. To begin, select the operating system on your student PCs.
![Screenshot of the Current OS version page with the Select OS version menu selected, showing 7 Windows 10 options. All other settings on page are unavailable to select.](images/suspcs/1810_suspc_settings.png) ![Screenshot of the Current OS version page with the Select OS version menu selected, showing 7 Windows 10 options. All other settings on page are unavailable to select.](images/suspcs/1810_suspc_settings.png)
Setting selections vary based on the OS version you select. Setting selections vary based on the OS version you select.
![Example screenshot of the Current OS version page, with Windows 10 version 1803 selected. 4 available settings and 1 unavailable setting are shown, and none are selected.](images/suspcs/1810_SUSPC_available_settings.png) ![Example screenshot of the Current OS version page, with Windows 10 version 1803 selected. 4 available settings and 1 unavailable setting are shown, and none are selected.](images/suspcs/1810_SUSPC_available_settings.png)
The following table describes each setting and lists the applicable Windows 10 versions. To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column. The following table describes each setting and lists the applicable Windows 10 versions. To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column.
@ -172,20 +172,20 @@ The following table describes each setting and lists the applicable Windows 10 v
After you've made your selections, select **Next**. After you've made your selections, select **Next**.
### Time zone ### Time zone
> [!WARNING] > [!WARNING]
> If you are using the Autounattend.xml file to reimage your school PCs, do not specify a time zone in the file. If you set the time zone in the file *and* in this app, you will encounter an error. > If you are using the Autounattend.xml file to reimage your school PCs, do not specify a time zone in the file. If you set the time zone in the file *and* in this app, you will encounter an error.
Choose the time zone where your school's devices are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, select **Next**. Choose the time zone where your school's devices are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, select **Next**.
![Choose PC time zone page with the time zone menu expanded to show all time zone selections.](images/suspcs/1810_suspc_timezone.png) ![Choose PC time zone page with the time zone menu expanded to show all time zone selections.](images/suspcs/1810_suspc_timezone.png)
### Product key ### Product key
Optionally, type in a 25-digit product key to upgrade or change the edition of Windows on your student devices. If you don't have a product key, select **Continue without change**. Optionally, type in a 25-digit product key to upgrade or change the edition of Windows on your student devices. If you don't have a product key, select **Continue without change**.
![Example screenshot of the Set up School PC app, Product key screen, showing a value field, Next button, and Continue without change option.](images/suspcs/1810_suspc_product_key.png) ![Example screenshot of the Set up School PC app, Product key screen, showing a value field, Next button, and Continue without change option.](images/suspcs/1810_suspc_product_key.png)
### Take a Test ### Take a Test
@ -195,7 +195,7 @@ Set up the Take a Test app to give online quizzes and high-stakes assessments. D
![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspcs/1810_SUSPC_Take_Test.png) ![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspcs/1810_SUSPC_Take_Test.png)
1. Select from the advanced settings. Available settings include: 1. Select from the advanced settings. Available settings include:
- Allow keyboard auto-suggestions: Allows app to suggest words as the student types on the device's keyboard - Allow keyboard auto-suggestions: Allows app to suggest words as the student types on the device's keyboard
- Allow teachers to monitor online tests: Enables screen capture in the Take a Test app - Allow teachers to monitor online tests: Enables screen capture in the Take a Test app
1. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to select or enter the link to view the assessment 1. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to select or enter the link to view the assessment
@ -203,11 +203,11 @@ Set up the Take a Test app to give online quizzes and high-stakes assessments. D
### Personalization ### Personalization
Upload custom images to replace the student devices' default desktop and lock screen backgrounds. Select **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png. Upload custom images to replace the student devices' default desktop and lock screen backgrounds. Select **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.
If you don't want to upload custom images or use the images that appear in the app, select **Continue without personalization**. This option doesn't apply any customizations, and instead uses the devices' default or preset images. If you don't want to upload custom images or use the images that appear in the app, select **Continue without personalization**. This option doesn't apply any customizations, and instead uses the devices' default or preset images.
![Example image of the Set up School PCs app, Personalization screen, showing the default desktop and lock screen background photos, a Browse button under each photo, a blue Next button, and a Continue without personalization button.](images/suspcs/1810_SUSPC_personalization.png) ![Example image of the Set up School PCs app, Personalization screen, showing the default desktop and lock screen background photos, a Browse button under each photo, a blue Next button, and a Continue without personalization button.](images/suspcs/1810_SUSPC_personalization.png)
### Summary ### Summary
@ -216,7 +216,7 @@ Review all of the settings for accuracy and completeness
1. To make changes now, select any page along the left side of the window 1. To make changes now, select any page along the left side of the window
2. When finished, select **Accept** 2. When finished, select **Accept**
![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test. Accept button is available and the page contains three links on the right-hand side to help and support.](images/suspcs/1810_SUSPC_summary.png) ![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test. Accept button is available and the page contains three links on the right-hand side to help and support.](images/suspcs/1810_SUSPC_summary.png)
> [!NOTE] > [!NOTE]
> To make changes to a saved package, you have to start over. > To make changes to a saved package, you have to start over.
@ -230,34 +230,34 @@ Review all of the settings for accuracy and completeness
1. When the package is ready, you see the filename and package expiration date. You can also select **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and select **Next** 1. When the package is ready, you see the filename and package expiration date. You can also select **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and select **Next**
![Your provisioning package is ready screen with package filename and expiration date. Shows an active blue, Next button, and a gray Add a USB button.](images/suspcs/1810_SUSPC_Package_ready.png) ![Your provisioning package is ready screen with package filename and expiration date. Shows an active blue, Next button, and a gray Add a USB button.](images/suspcs/1810_SUSPC_Package_ready.png)
## Run package - Get PCs ready ## Run package - Get PCs ready
Complete each step on the **Get PCs ready** page to prepare student devices for set-up. Then select **Next**. Complete each step on the **Get PCs ready** page to prepare student devices for set-up. Then select **Next**.
![Your provisioning package is ready! screen with 3 steps to get student devices ready for setup. Save button is active.](images/suspcs/suspc_runpackage_getpcsready.png) ![Your provisioning package is ready! screen with 3 steps to get student devices ready for setup. Save button is active.](images/suspcs/suspc_runpackage_getpcsready.png)
## Run package - Install package on PC ## Run package - Install package on PC
The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg. A provisioning package applies settings to Windows without reimaging the device. The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg. A provisioning package applies settings to Windows without reimaging the device.
When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. The word *provisioning* refers to the act of installing the package on the student device. This section describes how to apply the settings to a device in your school. When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. The word *provisioning* refers to the act of installing the package on the student device. This section describes how to apply the settings to a device in your school.
> [!IMPORTANT] > [!IMPORTANT]
> The devices must have a new or reset Windows image and must not already have been through first-run setup experience (which is referred to as *OOBE*). For instructions about how to reset a devices's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup). > The devices must have a new or reset Windows image and must not already have been through first-run setup experience (which is referred to as *OOBE*). For instructions about how to reset a devices's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup).
1. Start with the student device turned off or with the device on the first-run setup screen. If the device is past the account setup screen, reset the device to start over. To reset the it, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC** 1. Start with the student device turned off or with the device on the first-run setup screen. If the device is past the account setup screen, reset the device to start over. To reset the it, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**
![Example screenshot of the first screen the Windows 10 PC setup for OOBE. United States is selected as the region and the Yes button is active.](images/suspcs/win10_1703_oobe_firstscreen.png) ![Example screenshot of the first screen the Windows 10 PC setup for OOBE. United States is selected as the region and the Yes button is active.](images/suspcs/win10_1703_oobe_firstscreen.png)
1. Insert the USB drive. Windows automatically recognizes and installs the package 1. Insert the USB drive. Windows automatically recognizes and installs the package
![Screen showing that the installation is automatically beginning, with a loading bar showing the status on the installation.](images/suspcs/suspc_studentpcsetup_installingsetupfile.png) ![Screen showing that the installation is automatically beginning, with a loading bar showing the status on the installation.](images/suspcs/suspc_studentpcsetup_installingsetupfile.png)
1. When you receive the message that it's okay to remove the USB drive, remove it from the device. If there are more devices to set up, insert the USB drive into the next one 1. When you receive the message that it's okay to remove the USB drive, remove it from the device. If there are more devices to set up, insert the USB drive into the next one
![Screen with message telling user to remove the USB drive.](images/suspcs/suspc_setup_removemediamessage.png) ![Screen with message telling user to remove the USB drive.](images/suspcs/suspc_setup_removemediamessage.png)
1. If you didn't set up the package with Microsoft Entra join, continue the Windows device setup experience. If you did configure the package with Microsoft Entra join, the device is ready for use and no further configurations are required 1. If you didn't set up the package with Microsoft Entra join, continue the Windows device setup experience. If you did configure the package with Microsoft Entra join, the device is ready for use and no further configurations are required
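Review bot: Under "Run package - Install package on PC", the file name pattern "SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg" is missing its closing parenthesis, which matters to anyone matching the file on the USB drive. The same hunk leaves "a devices's image" and "To reset the it" unchanged on both sides; fix them while the lines are being rewritten for whitespace.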

View File

@ -65,11 +65,10 @@ If your organization restricts computers on your network from connecting to the
- `account.live.com` - `account.live.com`
- `clientconfig.passport.net` - `clientconfig.passport.net`
- `windowsphone.com` - `windowsphone.com`
- `\*.wns.windows.com` - `*.wns.windows.com`
- `\*.microsoft.com` - `*.microsoft.com`
- `\*.s-microsoft.com` - `*.s-microsoft.com`
- `www.msftncsi.com` (prior to Windows 10, version 1607) - `www.msftncsi.com` (prior to Windows 10, version 1607)
- `www.msftconnecttest.com/connecttest.txt` (replaces `www.msftncsi.com` - `www.msftconnecttest.com/connecttest.txt` (replaces `www.msftncsi.com` starting with Windows 10, version 1607)
starting with Windows 10, version 1607)
Store for Business requires Microsoft Windows HTTP Services (WinHTTP) to install, or update apps. Store for Business requires Microsoft Windows HTTP Services (WinHTTP) to install, or update apps.

View File

@ -20,7 +20,7 @@ Quick Assist is an application that enables a person to share their [Windows](#i
## Before you begin ## Before you begin
All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate. All you need to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate.
### Authentication ### Authentication
@ -99,29 +99,13 @@ In some scenarios, the helper does require the sharer to respond to application
### Install Quick Assist from the Microsoft Store ### Install Quick Assist from the Microsoft Store
1. Download the new version of Quick Assist by visiting the [Microsoft Store](https://apps.microsoft.com/store/detail/quick-assist/9P7BP5VNWKX5). 1. Download the new version of Quick Assist by visiting the [Microsoft Store](https://apps.microsoft.com/store/detail/quick-assist/9P7BP5VNWKX5).
1. In the Microsoft Store, select **Get in Store app**. Then, give permission to install Quick Assist. When the installation is complete, **Get** changes to **Open**.</br> :::image type="content" source="images/quick-assist-get.png" lightbox="images/quick-assist-get.png" alt-text="Microsoft Store window showing the Quick Assist app with a button labeled get in the bottom right corner."::: 1. In the Microsoft Store, select **View in store**, then install Quick Assist. When the installation is complete, **Install** changes to **Open**.
For more information, visit [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca). For more information, visit [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca).
### Install Quick Assist with Intune ### Install Quick Assist with Intune
Before installing Quick Assist, you need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5. To deploy Quick Assist with Intune, see [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft).
1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**.
1. Using your Global Admin account, log into [Microsoft Store for Business](https://businessstore.microsoft.com).
1. Select **Manage** / **Settings** and enable **Show offline apps**.
1. Choose the **Distribute** tab and verify that **Microsoft Intune** is **Active**. You might need to use the **+Add management tool** link if it's not.
1. Search for **Quick Assist** and select it from the Search results.
1. Choose the **Offline** license and select **Get the app**
1. In the Intune admin center, choose **Sync**.
1. Navigate to **Apps** / **Windows** and you should see **Quick Assist (Offline)** in the list.
1. Select it to view its properties.
1. By default, the app isn't assigned to any user or device, select the **Edit** link. Assign the app to the required group of devices and choose **Review + save** to complete the application install.
> [!NOTE]
> Assigning the app to a device or group of devices instead of a user is important becauseit's the only way to install a store app in device context.
Visit [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-windows) for more information.
### Install Quick Assist Offline ### Install Quick Assist Offline
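Review bot: the rewritten "Install Quick Assist with Intune" section drops the NOTE on assigning the app to a device or device group, which the old text called the only way to install a Store app in device context, and nothing replaces it. Either keep a one-sentence version of that note under the new pointer or confirm that the linked article states it. The link target also changes from `/mem/intune/apps/store-apps-windows` to `/mem/intune/apps/store-apps-microsoft`, so check that the new path resolves. Removing the step that required a Global Admin sign-in is a good change.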
@ -129,7 +113,7 @@ To install Quick Assist offline, you need to download your APPXBUNDLE and unenco
1. Start **Windows PowerShell** with Administrative privileges 1. Start **Windows PowerShell** with Administrative privileges
1. In PowerShell, change the directory to the location where you saved the file in step 1: `cd <location of package file>` 1. In PowerShell, change the directory to the location where you saved the file in step 1: `cd <location of package file>`
1. Run the following command to install Quick Assist: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"` 1. To install Quick Assist, run the following command: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"`
1. After Quick Assist is installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers` 1. After Quick Assist is installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers`
### Microsoft Edge WebView2 ### Microsoft Edge WebView2

View File

@ -76,7 +76,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
| [**MDM_WirelesssProfileXML**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofilexml) | Yes | | [**MDM_WirelesssProfileXML**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofilexml) | Yes |
| [**MDM_WNSChannel**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnschannel) | Yes | | [**MDM_WNSChannel**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnschannel) | Yes |
| [**MDM_WNSConfiguration**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnsconfiguration) | Yes | | [**MDM_WNSConfiguration**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnsconfiguration) | Yes |
| [**MSFT_NetFirewallProfile**](/previous-versions/windows/desktop/wfascimprov/msft-netfirewallprofile) | Yes | | [**MSFT_NetFirewallProfile**](/windows/win32/fwp/wmi/wfascimprov/msft-netfirewallprofile) | Yes |
| [**MSFT_VpnConnection**](/previous-versions/windows/desktop/vpnclientpsprov/msft-vpnconnection) | Yes | | [**MSFT_VpnConnection**](/previous-versions/windows/desktop/vpnclientpsprov/msft-vpnconnection) | Yes |
| [**SoftwareLicensingProduct**](/previous-versions/windows/desktop/sppwmi/softwarelicensingproduct) | | | [**SoftwareLicensingProduct**](/previous-versions/windows/desktop/sppwmi/softwarelicensingproduct) | |
| [**SoftwareLicensingService**](/previous-versions/windows/desktop/sppwmi/softwarelicensingservice) | | | [**SoftwareLicensingService**](/previous-versions/windows/desktop/sppwmi/softwarelicensingservice) | |
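Review bot: two rows above the changed `MSFT_NetFirewallProfile` link, the link text `MDM_WirelesssProfileXML` has three consecutive "s" characters and does not match its own URL slug `mdm-wirelessprofilexml`. Since this hunk already fixes links in the table, correct the class name in the same pass. The new `MSFT_NetFirewallProfile` target moves out of `/previous-versions/` while the neighbouring rows stay there, so verify that the new path resolves before merging.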

View File

@ -259,7 +259,7 @@ Here's the Assigned Access XSD for the features added in Windows 11, version 21H
## Windows 10, version 1909 additions ## Windows 10, version 1909 additions
Here's the Assigned Access XSD for the features added in Windows 10, version 1909: Here are the Assigned Access XSDs for the features added in Windows 10, version 1909:
```xml ```xml
<xs:schema <xs:schema
@ -292,6 +292,33 @@ Here's the Assigned Access XSD for the features added in Windows 10, version 190
</xs:schema> </xs:schema>
``` ```
```xml
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning"
vc:minVersion="1.1"
xmlns="http://schemas.microsoft.com/AssignedAccess/202010/config"
xmlns:default="http://schemas.microsoft.com/AssignedAccess/202010/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/202010/config"
>
<xs:complexType name="deviceOwnerGroup_t">
<xs:attribute name="Name" type="xs:string" fixed="DeviceOwner" />
</xs:complexType>
<xs:complexType name="exclusion_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:choice>
<xs:element name="SpecialGroup" type="deviceOwnerGroup_t" minOccurs="1" maxOccurs="1" />
</xs:choice>
</xs:sequence>
</xs:complexType>
<xs:element name="Exclusions" type="exclusion_t" />
</xs:schema>
```
## Windows 10, version 1809 additions ## Windows 10, version 1809 additions
Here's the Assigned Access XSD for the features added in Windows 10, version 1809: Here's the Assigned Access XSD for the features added in Windows 10, version 1809:
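Review bot: the schema added under "Windows 10, version 1909 additions" declares `targetNamespace="http://schemas.microsoft.com/AssignedAccess/202010/config"`, and the `202010` segment does not obviously correspond to version 1909. Confirm the block is under the right heading, or add a sentence saying which release introduced this namespace. The block also arrives with no prose: a short line on what `Exclusions` with `SpecialGroup Name="DeviceOwner"` does would help readers who author Assigned Access XML against it.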
@ -331,4 +358,4 @@ Here's the Assigned Access XSD for the features added in Windows 10, version 180
<xs:attribute name="AutoLaunchArguments" type="xs:string"/> <xs:attribute name="AutoLaunchArguments" type="xs:string"/>
<xs:attribute name="DisplayName" type="xs:string"/> <xs:attribute name="DisplayName" type="xs:string"/>
</xs:schema> </xs:schema>
``` ```

View File

@ -1,7 +1,7 @@
--- ---
title: Diagnose Provisioning Packages title: Diagnose Provisioning Packages
description: Diagnose general failures in provisioning. description: Diagnose general failures in provisioning.
ms.topic: article ms.topic: troubleshooting
ms.date: 01/18/2023 ms.date: 01/18/2023
--- ---

View File

@ -1,7 +1,7 @@
--- ---
title: Configuration service providers for IT pros title: Configuration service providers for IT pros
description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices. description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices.
ms.topic: article ms.topic: how-to
ms.date: 12/31/2017 ms.date: 12/31/2017
--- ---

View File

@ -1,7 +1,7 @@
--- ---
title: Provision PCs with common settings title: Provision PCs with common settings
description: Create a provisioning package to apply common settings to a PC running Windows 10. description: Create a provisioning package to apply common settings to a PC running Windows 10.
ms.topic: article ms.topic: how-to
ms.date: 12/31/2017 ms.date: 12/31/2017
--- ---

View File

@ -1,7 +1,7 @@
--- ---
title: Provision PCs with apps title: Provision PCs with apps
description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package.
ms.topic: article ms.topic: how-to
ms.date: 12/31/2017 ms.date: 12/31/2017
--- ---

View File

@ -1,7 +1,7 @@
--- ---
title: Apply a provisioning package title: Apply a provisioning package
description: Provisioning packages can be applied to a device during initial setup (OOBE) and after (runtime). description: Provisioning packages can be applied to a device during initial setup (OOBE) and after (runtime).
ms.topic: article ms.topic: how-to
ms.date: 12/31/2017 ms.date: 12/31/2017
--- ---

View File

@ -1,13 +1,13 @@
--- ---
title: Windows Configuration Designer command-line interface title: Windows Configuration Designer command line interface
description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command-line interface for Windows10/11 client devices. description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command line interface for Windows10/11 client devices.
ms.topic: article ms.topic: how-to
ms.date: 12/31/2017 ms.date: 12/31/2017
--- ---
# Windows Configuration Designer command-line interface (reference) # Windows Configuration Designer command line interface (reference)
You can use the Windows Configuration Designer command-line interface (CLI) to automate the building of provisioning packages. You can use the Windows Configuration Designer command line interface (CLI) to automate the building of provisioning packages.
- IT pros can use the Windows Configuration Designer CLI to require less retooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges. - IT pros can use the Windows Configuration Designer CLI to require less retooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges.
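Review bot: the H1 still ends with "(reference)" but `ms.topic` is now `how-to`; pick one, either `ms.topic: reference` or drop "(reference)" from the heading. The hyphen is removed from "command-line interface" in the title, description, H1 and first sentence, yet the `/?` row of the switch table further down still says "command-line tool", so the page is now inconsistent with itself. The description line also still reads "Windows10/11" without a space.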
@ -30,10 +30,10 @@ icd.exe /Build-ProvisioningPackage /CustomizationXML:<path_to_xml> /PackagePath:
| --- | --- | --- | | --- | --- | --- |
| /CustomizationXML | No | Specifies the path to a Windows provisioning XML file that contains the customization assets and settings. For more information, see Windows provisioning answer file. | | /CustomizationXML | No | Specifies the path to a Windows provisioning XML file that contains the customization assets and settings. For more information, see Windows provisioning answer file. |
| /PackagePath | Yes | Specifies the path and the package name where the built provisioning package will be saved. | | /PackagePath | Yes | Specifies the path and the package name where the built provisioning package will be saved. |
| /StoreFile | No</br></br></br>See Important note. | For partners using a settings store other than the default store(s) used by Windows Configuration Designer, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions will be loaded by Windows Configuration Designer.</br></br></br>**Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. | | /StoreFile | No</br></br></br>See Important note. | For partners using a settings store other than the default store(s) used by Windows Configuration Designer, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions is loaded by Windows Configuration Designer.</br></br></br>**Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. |
| /Variables | No | Specifies a semicolon separated `<name>` and `<value>` macro pair. The format for the argument must be `<name>=<value>`. | | /Variables | No | Specifies a semicolon separated `<name>` and `<value>` macro pair. The format for the argument must be `<name>=<value>`. |
| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows Configuration Designer autogenerates the decryption password and includes this information in the output.</br></br></br>Precede with `+` for encryption, or `-` for no encryption. The default is no encryption. | | Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows Configuration Designer autogenerates the decryption password and includes this information in the output. <br></br>Precede with `+` for encryption, or `-` for no encryption. The default is no encryption. |
| Overwrite | No | Denotes whether to overwrite an existing provisioning package.</br></br></br>Precede with + to overwrite an existing package or - if you don't want to overwrite an existing package. The default is false (don't overwrite). | | Overwrite | No | Denotes whether to overwrite an existing provisioning package. </br></br>Precede with + to overwrite an existing package or - if you don't want to overwrite an existing package. The default is false (don't overwrite). |
| /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. | | /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. |
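Review bot: the line-break cleanup in the Encrypted and Overwrite rows leaves three different spellings in one table: `<br></br>` in Encrypted, `</br></br>` in Overwrite, and the untouched `</br></br></br>` in /StoreFile. `</br>` is not a valid tag, so use `<br><br>` in all three rows. While here, put the `+` and `-` in the Overwrite row in backticks to match the Encrypted row, and change "one or more comma-separated Windows settings store file" to "files".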

View File

@ -1,7 +1,7 @@
--- ---
title: Create a provisioning package title: Create a provisioning package
description: Learn how to create a provisioning package for Windows 10/11, which lets you quickly configure a device without having to install a new image. description: Learn how to create a provisioning package for Windows 10/11, which lets you quickly configure a device without having to install a new image.
ms.topic: article ms.topic: how-to
ms.date: 12/31/2017 ms.date: 12/31/2017
--- ---

View File

@ -1,7 +1,7 @@
--- ---
title: How provisioning works in Windows 10/11 title: How provisioning works in Windows 10/11
description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings. description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings.
ms.topic: article ms.topic: conceptual
ms.date: 12/31/2017 ms.date: 12/31/2017
--- ---

View File

@ -1,7 +1,7 @@
--- ---
title: Install Windows Configuration Designer title: Install Windows Configuration Designer
description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11. description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11.
ms.topic: article ms.topic: how-to
ms.reviewer: kevinsheehan ms.reviewer: kevinsheehan
ms.date: 12/31/2017 ms.date: 12/31/2017
--- ---

View File

@ -1,7 +1,7 @@
--- ---
title: Create a provisioning package with multivariant settings title: Create a provisioning package with multivariant settings
description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions. description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions.
ms.topic: article ms.topic: how-to
ms.date: 12/31/2017 ms.date: 12/31/2017
--- ---

View File

@ -2,7 +2,7 @@
title: Provisioning packages overview title: Provisioning packages overview
description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do. description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do.
ms.reviewer: kevinsheehan ms.reviewer: kevinsheehan
ms.topic: article ms.topic: conceptual
ms.date: 12/31/2017 ms.date: 12/31/2017
--- ---

View File

@ -1,7 +1,7 @@
--- ---
title: PowerShell cmdlets for provisioning Windows 10/11 title: PowerShell cmdlets for provisioning Windows 10/11
description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows10/11 client desktop devices. description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows10/11 client desktop devices.
ms.topic: article ms.topic: conceptual
ms.date: 12/31/2017 ms.date: 12/31/2017
--- ---

View File

@ -1,7 +1,7 @@
--- ---
title: Use a script to install a desktop app in provisioning packages title: Use a script to install a desktop app in provisioning packages
description: With Windows 10/11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. description: With Windows 10/11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
ms.topic: article ms.topic: how-to
ms.date: 12/31/2017 ms.date: 12/31/2017
--- ---

View File

@ -1,7 +1,7 @@
--- ---
title: Uninstall a provisioning package - reverted settings title: Uninstall a provisioning package - reverted settings
description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows 10/11 desktop client devices. description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows 10/11 desktop client devices.
ms.topic: article ms.topic: conceptual
ms.date: 12/31/2017 ms.date: 12/31/2017
--- ---

View File

@ -649,45 +649,3 @@ When you configure the Start layout with policy settings, you overwrite the enti
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10 [MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[PS-1]: /powershell/module/startlayout/export-startlayout [PS-1]: /powershell/module/startlayout/export-startlayout
[WIN-1]: /windows/client-management/mdm/policy-csp-start [WIN-1]: /windows/client-management/mdm/policy-csp-start
<!--
## Add image for secondary Microsoft Edge tiles
App tiles are the Start screen tiles that represent and launch an app. A tile that allows a user to go to a specific location in an app is a *secondary tile*. Some examples of secondary tiles include:
- Weather updates for a specific city in a weather app
- A summary of upcoming events in a calendar app
- Status and updates from an important contact in a social app
- A website in Microsoft Edge
By using the PowerShell cmdlet `export-StartLayoutEdgeAssets` and the policy setting `ImportEdgeAssets`, the tiles display the same as they did on the device from which you exported the Start layout.
[!INCLUDE [example-secondary-tiles](includes/example-secondary-tiles.md)]
## Export Start layout and assets
1. If you'd like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references.
- For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"`
- Open `C:\Users\<username>\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\21581260870\` and replace those images with your customized images.
1. In Windows PowerShell, enter the following command:
```powershell
Export-StartLayoutEdgeAssets assets.xml
```
[!INCLUDE [example-assets](includes/example-assets.md)]
## Configure policy settings
Prepare the Start layout and Edge assets XML files
The `Export-StartLayout` and **export-StartLayoutEdgeAssets** cmdlets produce XML files. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout and Edge assets sections to the customizations.xml file directly would result in an XML file embedded in an XML file. Before you add the Start layout and Edge assets sections to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters.
1. Copy the contents of layout.xml into an online tool that escapes characters.
1. Copy the contents of assets.xml into an online tool that escapes characters.
1. When you create a provisioning package, you'll copy the text with the escape characters and paste it in the customizations.xml file for your project.
-->
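Review bot: the deleted comment block was the only visible reference to `includes/example-secondary-tiles.md` and `includes/example-assets.md`. Check whether any other page still includes those files and, if none does, delete them in this change so they are not left orphaned. Dropping the instruction to paste layout.xml and assets.xml into an online escaping tool is a welcome side effect.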

View File

@ -15,4 +15,4 @@ This policy specifies whether the widgets feature is allowed on the device.
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/`[AllowNewsAndInterests](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests) | | **CSP** | `./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/`[AllowNewsAndInterests](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests) |
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Widgets** | | **GPO** | - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Widgets** |
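Review bot: the GPO cell gains a leading `- ` although it holds a single path, while the CSP cell in the same table, also a single path, stays unbulleted. A hyphen inside a Markdown table cell is usually rendered as a literal character rather than a list item, so check the built page. If the bullet is wanted for consistency with the multi-path tables, apply it to both rows; otherwise leave single-entry cells without it. The same applies to the other single-path GPO rows changed in this commit.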

View File

@ -13,7 +13,7 @@ This policy setting lets you specify the applications pinned to the taskbar. The
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | - `./Device/Vendor/MSFT/Policy/Config/Start/StartLayout`/[Configure start layout](/windows/client-management/mdm/policy-csp-start#startlayout)<br><br>- `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`/[Configure start layout](/windows/client-management/mdm/policy-csp-start#startlayout) | | **CSP** | - `./Device/Vendor/MSFT/Policy/Config/Start/StartLayout`/[Configure start layout](/windows/client-management/mdm/policy-csp-start#startlayout)<br>- `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`/[Configure start layout](/windows/client-management/mdm/policy-csp-start#startlayout) |
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**<br><br> **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**<br>- **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
For more information, see [Customize the taskbar pinned applications](../pinned-apps.md). For more information, see [Customize the taskbar pinned applications](../pinned-apps.md).

View File

@ -18,4 +18,4 @@ This policy setting allows you to configure search on the taskbar.
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Search/`[ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) | | **CSP** | `./Device/Vendor/MSFT/Policy/Config/Search/`[ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) |
| **GPO** | **Computer Configuration** > **Windows Components** > **Search** | | **GPO** | - **Computer Configuration** > **Windows Components** > **Search** |
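Review bot: this GPO path reads **Computer Configuration** > **Windows Components** > **Search** with no **Administrative Templates** segment, unlike every other GPO path touched in this commit. Confirm the path against the Group Policy editor and add the missing node if it was dropped by mistake, since the row is being edited anyway.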

View File

@ -13,4 +13,4 @@ ms.topic: include
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[DisableEditingQuickSettings](/windows/client-management/mdm/policy-csp-start#disableeditingquicksettings)| | **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[DisableEditingQuickSettings](/windows/client-management/mdm/policy-csp-start#disableeditingquicksettings)|
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Disable editing quick settings** | | **GPO** | - **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Disable editing quick settings** |

View File

@ -15,4 +15,4 @@ With this policy setting you control the pinning of items in Jump Lists.
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -15,4 +15,4 @@ This policy setting allows you to control pinning programs to the Taskbar.
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#nopinningtotaskbar) | | **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#nopinningtotaskbar) |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -15,4 +15,4 @@ This policy setting allows you to control pinning the Store app to the Taskbar.
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -12,4 +12,4 @@ This policy setting allows you to prevent taskbars from being displayed on more
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -18,4 +18,4 @@ This policy setting allows you to control displaying or tracking items in Jump L
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -19,5 +19,5 @@ Prevents the operating system and installed programs from creating and displayin
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | - `./Device/Vendor/MSFT/Policy/Config/Start/`[HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists)<br><br>- `./User/Vendor/MSFT/Policy/Config/Start/`[HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) | | **CSP** | - `./Device/Vendor/MSFT/Policy/Config/Start/`[HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists)<br>- `./User/Vendor/MSFT/Policy/Config/Start/`[HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) |
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **don't keep history of recently opened documents**<br><br> **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **don't keep history of recently opened documents**| | **GPO** | - **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **don't keep history of recently opened documents**<br>- **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **don't keep history of recently opened documents**|
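Review bot: the bolded policy name in both GPO paths starts in lowercase with a contraction, "**don't keep history of recently opened documents**", which looks like the result of an automated "do not" to "don't" replacement. A bolded UI label should match the policy name exactly as shown in the Group Policy editor, so restore the original casing and wording while this row is being reformatted.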

View File

@ -12,4 +12,4 @@ This setting affects the notification area (previously called the "system tray")
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -11,5 +11,5 @@ This policy setting allows you to hide the TaskView button. If you enable this p
| | Path | | | Path |
|--|--| |--|--|
| **CSP** |- `./Device/Vendor/MSFT/Policy/Config/Start/`[HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton) <br><br>- `./User/Vendor/MSFT/Policy/Config/Start/`[HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton) | | **CSP** |- `./Device/Vendor/MSFT/Policy/Config/Start/`[HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton) <br>- `./User/Vendor/MSFT/Policy/Config/Start/`[HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton) |
| **GPO** |- **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**<br><br>- **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** |- **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**<br>- **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -15,4 +15,4 @@ With this policy setting you lock all taskbar settings.
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -12,4 +12,4 @@ This setting affects the taskbar, which is used to switch between running applic
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -15,4 +15,4 @@ With this policy setting you prevent changes to taskbar and Start settings.
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**<br><br>- **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**<br>- **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -15,4 +15,4 @@ Taskbar grouping consolidates similar applications when there's no room on the t
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -15,4 +15,4 @@ With this policy setting you prevent users from adding or removing toolbars.
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -15,4 +15,4 @@ With this policy setting you prevent users from moving taskbar to another screen
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -15,4 +15,4 @@ With this policy setting you prevent users from rearranging toolbars.
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -15,4 +15,4 @@ With this policy setting you prevent users from resizing the taskbar.
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -17,4 +17,4 @@ This policy setting doesn't prevent users from using other methods to issue the
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**<br><br>- **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**<br>- **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -13,4 +13,4 @@ ms.topic: include
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -17,4 +17,4 @@ The notification area is located at the far right end of the taskbar, and includ
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -15,4 +15,4 @@ This policy setting allows you to remove pinned programs from the taskbar.
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**<br><br>- **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**<br>- **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -17,4 +17,4 @@ If this setting is enabled, Quick Settings isn't displayed in the Quick Settings
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/`[DisableControlCenter](/windows/client-management/mdm/policy-csp-start#disablecontrolcenter) | | **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/`[DisableControlCenter](/windows/client-management/mdm/policy-csp-start#disablecontrolcenter) |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
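Review bot: The GPO cell gains a leading `- ` for its single path while the single-path CSP cell above it stays unmarked, so the two rows of one table now follow different conventions. Either add the marker to the CSP cell or leave one-item cells unmarked, and confirm that `- ` renders as a bullet inside a table cell rather than as a literal hyphen.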

View File

@ -15,4 +15,4 @@ With this policy setting you can remove the battery meter from the system contro
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -15,4 +15,4 @@ With this policy setting allows you can remove the Meet Now icon from the system
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
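Review bot: The introductory sentence quoted in the hunk header, "With this policy setting allows you can remove the Meet Now icon", is ungrammatical and is not touched by this change. Suggest "With this policy setting you can remove the Meet Now icon" while the file is open.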

View File

@ -15,4 +15,4 @@ With this policy setting you can remove the networking icon from the system cont
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -12,4 +12,4 @@ With this policy allows you can remove the People Bar from the taskbar and disab
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/`[HidePeopleBar](/windows/client-management/mdm/policy-csp-start#hidepeoplebar) | | **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/`[HidePeopleBar](/windows/client-management/mdm/policy-csp-start#hidepeoplebar) |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
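Review bot: The opening sentence shown in the hunk header, "With this policy allows you can remove the People Bar", has a stray "allows" and is left as is. Reword it to "With this policy setting you can remove the People Bar" in the same pass as the table change.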

View File

@ -15,4 +15,4 @@ With this policy setting you can remove the volume control icon from the system
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -19,4 +19,4 @@ By default, the calendar is set according to the locale of the operating system,
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -13,4 +13,4 @@ ms.topic: include
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[SimplifyQuickSettings](/windows/client-management/mdm/policy-csp-start#simplifyquicksettings) | | **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[SimplifyQuickSettings](/windows/client-management/mdm/policy-csp-start#simplifyquicksettings) |
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -15,4 +15,4 @@ With this policy setting you can turn off automatic promotion of notification ic
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -18,4 +18,4 @@ This setting determines whether the items are always expanded or always collapse
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available. | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -231,3 +231,7 @@ If you apply the taskbar configuration to a clean install or an update, users ca
Learn more about the options available to configure Start menu settings using the Configuration Service Provider (CSP) and Group Policy (GPO): Learn more about the options available to configure Start menu settings using the Configuration Service Provider (CSP) and Group Policy (GPO):
- [Taskbar policy settings](policy-settings.md) - [Taskbar policy settings](policy-settings.md)
---
[WIN-1]: /windows/client-management/mdm/policy-csp-start
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
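Review bot: The link reference definitions `[WIN-1]` and `[MEM-1]` added at the end of the file have no visible use in this hunk; the list item just above still uses an inline link. Confirm that the article body references both labels, otherwise drop the unused definitions together with the `---` separator.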

View File

@ -77,11 +77,12 @@ sections:
questions: questions:
- question: Which ports does Delivery Optimization use? - question: Which ports does Delivery Optimization use?
answer: | answer: |
Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service registers and opens this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service registers and opens this port on the device. The port must be set to accept inbound and outbound TCP traffic through your firewall. If you don't allow traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download updates by using HTTP over port 80 (or HTTPS over port 443 where applicable).
Delivery Optimization uses Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). To enable this scenario, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. If you set the "Download Mode" policy to "Group (2)" or "Internet (3)", Teredo will be used by Delivery Optimization to connect to peer devices across NATs. You must allow inbound and outbound UDP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up.
Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. Delivery Optimization also communicates with its cloud service by using HTTPS over port 443.
- question: What are the requirements if I use a proxy? - question: What are the requirements if I use a proxy?
answer: | answer: |
For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting).
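Review bot: In the Teredo paragraph the condition and the requirement are now separate sentences, so "You must allow inbound and outbound UDP traffic over port 3544" reads as unconditional even though the sentence before it limits Teredo to Download Mode "Group (2)" or "Internet (3)". Join them ("In that case, allow ...") so admins using other download modes don't open 3544 needlessly. The port 7680 sentence should also say which firewall is meant and from which sources inbound traffic needs to be accepted, and "(or HTTPS over port 443 where applicable)" should state when it applies.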

View File

@ -96,7 +96,7 @@ More options available that control the impact Delivery Optimization has on your
#### Policies to prioritize the use of peer-to-peer and cache server sources #### Policies to prioritize the use of peer-to-peer and cache server sources
When Delivery Optimization client is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client connects to both MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or MCC sources by delaying the immediate fallback to HTTP source, which is the default behavior. When Delivery Optimization client is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client connects to both MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will automatically fall back to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or MCC sources by delaying the immediate fallback to HTTP source, which is the default behavior.
##### Peer-to-peer delay fallback settings ##### Peer-to-peer delay fallback settings
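Review bot: The paragraph that receives the "fall back" fix still drops articles in "When Delivery Optimization client is configured" and "fallback to HTTP source". Add "the" in both places so the sentence matches "the HTTP source" used earlier in the same paragraph.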

View File

@ -13,7 +13,7 @@ ms.localizationpriority: medium
appliesto: appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> -<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> -<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 04/04/2024 ms.date: 06/04/2024
--- ---
# How to check Windows release health # How to check Windows release health
@ -33,7 +33,7 @@ Ensure the following prerequisites are met to display the Windows release health
- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Sign into the Microsoft 365 admin center using an [admin role](/microsoft-365/admin/add-users/about-admin-roles). - Sign into the Microsoft 365 admin center using an [admin role](/microsoft-365/admin/add-users/about-admin-roles).
- Most roles containing the word `administrator` give you access to the Windows release health page such as [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator), [Helpdesk Administrator](/azure/active-directory/roles/permissions-reference#helpdesk-administrator), and [Service Support Administrator](/azure/active-directory/roles/permissions-reference#service-support-administrator). For more information, see [Assign admin roles in the Microsoft 365 admin center](/microsoft-365/admin/add-users/assign-admin-roles). - Most roles containing the word `administrator` give you access to the Windows release health page such as [Helpdesk Administrator](/azure/active-directory/roles/permissions-reference#helpdesk-administrator) and [Service Support Administrator](/azure/active-directory/roles/permissions-reference#service-support-administrator). For more information, see [Assign admin roles in the Microsoft 365 admin center](/microsoft-365/admin/add-users/assign-admin-roles).
> [!NOTE] > [!NOTE]
> Currently, Windows release health is available for Government Community Cloud (GCC) tenants, but isn't available for GCC High and DoD. <!--8337541--> > Currently, Windows release health is available for Government Community Cloud (GCC) tenants, but isn't available for GCC High and DoD. <!--8337541-->
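Review bot: With Global Administrator removed from the examples, the sentence still opens with "Most roles containing the word `administrator` give you access", which leaves the reader guessing which roles qualify. If the aim is to steer toward least-privileged roles, name the lowest role that grants access to the release health page; a comma before "such as" would also help readability.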

View File

@ -10,4 +10,6 @@ ms.localizationpriority: medium
--- ---
<!--This file is shared by deployment-service-overview.md and the deployment-service-prerequisites.md articles. Headings may be driven by article context. 7512398 --> <!--This file is shared by deployment-service-overview.md and the deployment-service-prerequisites.md articles. Headings may be driven by article context. 7512398 -->
Windows Update for Business deployment service is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Windows Update for Business deployment service doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Windows Update for Business deployment service is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. Windows Update for Business deployment service is a Windows service hosted in Azure Commercial that uses Windows diagnostic data. While customers with GCC tenants may choose to use it, the Windows Update for Business deployment service is outside the [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) boundary. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home).
Windows Update for Business deployment service isn't available in Azure Government for [Office 365 GCC High and DoD](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc-high-and-dod) tenants.
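Review bot: The rewritten first paragraph says customers with GCC tenants "may choose to use it" while the service is outside the GCC boundary, but it doesn't say what that means for the Windows diagnostic data mentioned in the same sentence. State explicitly where that data is handled (Azure Commercial, if that is the case) so a GCC admin has what they need to make the choice the text leaves to them.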

View File

@ -19,7 +19,6 @@ Accessing Windows Update for Business reports typcially requires permissions fro
To [enroll](../wufb-reports-enable.md#bkmk_enroll) into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles: To [enroll](../wufb-reports-enable.md#bkmk_enroll) into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) Microsoft Entra role
- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Microsoft Entra role - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Microsoft Entra role
- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) Microsoft Entra role - [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) Microsoft Entra role
- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Microsoft Intune role - [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Microsoft Intune role
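Review bot: The lead-in still says enrollment "requires one of the following roles", so removing the Global Administrator bullet makes the list read as exhaustive. If the intent is to recommend least-privileged roles, say so in the lead-in. The hunk header also shows "typcially" in the sentence above the list, which could be corrected in the same change.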

View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto: appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> -<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> -<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 05/19/2023 ms.date: 06/04/2024
--- ---
# Update release cycle for Windows clients # Update release cycle for Windows clients
@ -56,18 +56,15 @@ Many update management tools, such as [Microsoft Configuration Manager](/mem/con
## Optional nonsecurity preview release ## Optional nonsecurity preview release
**Optional nonsecurity preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, nonsecurity preview releases. New features might initially be deployed in the prior month's **optional nonsecurity preview release**, then ship in the following **monthly security update release**. These releases are only offered to the most recent, supported versions of Windows. **Optional nonsecurity preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, nonsecurity preview releases. New features might initially be deployed in the prior month's **optional nonsecurity preview release**, then ship in the following **monthly security update release**. **Optional nonsecurity preview releases** are typically released on the fourth Tuesday of the month at 10:00 AM Pacific Time (PST/PDT). These releases are only offered to the most recent, supported versions of Windows.
**Optional nonsecurity preview releases** might commonly be referred to as: **Optional nonsecurity preview releases** might commonly be referred to as:
- C or D week releases (meaning the third or fourth week of the month) - D week releases (meaning the fourth week of the month)
- Preview updates - Preview updates
- Preview CU - Preview CU
- LCU preview - LCU preview
> [!Important]
> Starting in April 2023, all **optional nonsecurity preview releases** will be released on the fourth Tuesday of the month. This change in release cadence gives admins a consistent time cycle for testing and validating fixes and features.
To access the optional nonsecurity preview release: To access the optional nonsecurity preview release:
- Navigate to**Settings** > **Update & Security** > **Windows Update**and select**Check for updates**. - Navigate to**Settings** > **Update & Security** > **Windows Update**and select**Check for updates**.
- Use [Windows Insider Program for Business](https://insider.windows.com/for-business) - Use [Windows Insider Program for Business](https://insider.windows.com/for-business)
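Review bot: In the first sentence of the rewritten paragraph, "early validation of that content" has no antecedent for "that content". Since the paragraph is being edited to add the release timing, name the content being validated so the sentence stands on its own.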
@ -77,7 +74,7 @@ To access the optional nonsecurity preview release:
**Out-of-band (OOB) releases** might be provided to fix a recently identified issue or vulnerability. They're used in atypical cases when an issue is detected and can't wait for the next monthly release, because devices must be updated immediately to address security vulnerabilities or to resolve a quality issue impacting many devices. **Out-of-band (OOB) releases** are provided outside of the monthly schedule when there's an exceptional need. **Out-of-band (OOB) releases** might be provided to fix a recently identified issue or vulnerability. They're used in atypical cases when an issue is detected and can't wait for the next monthly release, because devices must be updated immediately to address security vulnerabilities or to resolve a quality issue impacting many devices. **Out-of-band (OOB) releases** are provided outside of the monthly schedule when there's an exceptional need.
Some key considerations about OOB releases include: Some key considerations about OOB releases include:
- OOB releases are always cumulative. - OOB releases are always cumulative.
- OOB releases supersede any prior monthly security update and optional nonsecurity preview release. - OOB releases supersede any prior monthly security update and optional nonsecurity preview release.

View File

@ -11,7 +11,7 @@ manager: aaroncz
appliesto: appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> -<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> -<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 03/14/2024 ms.date: 06/07/2024
--- ---
# Update other Microsoft products # Update other Microsoft products
@ -44,6 +44,7 @@ The following is a list of other Microsoft products that might be updated:
- Microsoft Advanced Threat Analytics - Microsoft Advanced Threat Analytics
- Microsoft Application Virtualization - Microsoft Application Virtualization
- Microsoft Azure StorSimple - Microsoft Azure StorSimple
- Microsoft Configuration Manager
- Microsoft Dynamics CRM - Microsoft Dynamics CRM
- Microsoft Information Protection - Microsoft Information Protection
- Microsoft Lync Server and Microsoft Lync - Microsoft Lync Server and Microsoft Lync
@ -59,7 +60,6 @@ The following is a list of other Microsoft products that might be updated:
- Skype for Business - Skype for Business
- SQL - SQL
- System Center Application Controller - System Center Application Controller
- System Center Configuration Manager
- System Center Data Protection Manager - System Center Data Protection Manager
- System Center Operations Manager - System Center Operations Manager
- System Center Orchestrator - System Center Orchestrator

View File

@ -11,7 +11,7 @@ manager: aaroncz
appliesto: appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> -<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> -<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 05/07/2024 ms.date: 06/04/2024
--- ---
# Windows Update for Business reports prerequisites # Windows Update for Business reports prerequisites
@ -50,9 +50,11 @@ Windows Update for Business reports supports Windows client devices on the follo
- General Availability Channel - General Availability Channel
- Windows Update for Business reports *counts* Windows Insider Preview devices, but doesn't currently provide detailed deployment insights for them. - Windows Update for Business reports *counts* Windows Insider Preview devices, but doesn't currently provide detailed deployment insights for them.
### Windows operating system updates ## Windows operating system updates for client devices
For [changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data), installing the January 2023 release preview cumulative update, or a later equivalent update, is recommended. Installing the February 2023 cumulative update, or a later equivalent update, is required for clients to enroll into Windows Update for Business reports. This update helped enable [changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data), which Windows Update for Business reports relies on.
For more information about available updates, see [Windows 11 release information](/windows/release-health/windows11-release-information) and [Windows 10 release information](/windows/release-health/release-information).
## Diagnostic data requirements ## Diagnostic data requirements
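Review bot: The heading changes both level (`###` to `##`) and text, which changes its anchor and moves the section out from under its former parent heading. Check for inbound links to the old anchor and confirm the new level is intended. In the new paragraph, "This update helped enable" is ambiguous after "or a later equivalent update"; name the February 2023 cumulative update explicitly.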

View File

@ -46,7 +46,7 @@ To help you better understand the scan source policy, see the default scan behav
- On Windows 10: All of your updates will come from WSUS. - On Windows 10: All of your updates will come from WSUS.
- On Windows 11: All of your updates will still come from WSUS unless you configure the specify scan source policy. - On Windows 11: All of your updates will still come from WSUS unless you configure the specify scan source policy.
- If you configure a WSUS server and deferral policies: All of your updates will come from Windows Update unless you specify the scan source policy. - If you configure a WSUS server and deferral policies on Windows 10: All of your updates will come from Windows Update unless you specify the scan source policy or have disabled dual scan.
- If you configure a WSUS server and the scan source policy: All of your updates will come from the source chosen in the scan source policy. - If you configure a WSUS server and the scan source policy: All of your updates will come from the source chosen in the scan source policy.
> [!TIP] > [!TIP]
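Review bot: The deferral-policy bullet is now scoped to Windows 10, which leaves the WSUS server plus deferral policies case on Windows 11 undescribed. Add the Windows 11 counterpart, since this is the combination in which updates come from Windows Update despite a configured WSUS server. The clause "unless you specify the scan source policy or have disabled dual scan" also mixes tenses; "or disable dual scan" reads more cleanly.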

View File

@ -6,7 +6,7 @@ author: vinaypamnani-msft
ms.author: vinpa ms.author: vinpa
manager: aaroncz manager: aaroncz
ms.date: 03/26/2024 ms.date: 03/26/2024
ms.topic: article ms.topic: conceptual
appliesto: appliesto:
-<a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a> -<a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>
-<a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a> -<a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>

View File

@ -3,7 +3,7 @@ title: Testing and Debugging AppId Tagging Policies
description: Testing and Debugging AppId Tagging Policies to ensure your policies are deployed successfully. description: Testing and Debugging AppId Tagging Policies to ensure your policies are deployed successfully.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 04/29/2022 ms.date: 04/29/2022
ms.topic: article ms.topic: troubleshooting
--- ---
# Testing and Debugging AppId Tagging Policies # Testing and Debugging AppId Tagging Policies
@ -11,28 +11,28 @@ ms.topic: article
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
After deployment of the WDAC AppId Tagging policy, WDAC will log a 3099 policy deployed event in the [Event Viewer logs](../operations/event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event. After deployment of the WDAC AppId Tagging policy, WDAC will log a 3099 policy deployed event in the [Event Viewer logs](../operations/event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event.
## Verifying Tags on Running Processes ## Verifying Tags on Running Processes
After verifying the policy has been deployed, the next step is to verify that the application processes you expect to pass the AppId Tagging policy have your tag set. Note that processes running at the time of policy deployment will need to be restarted since Windows Defender Application Control (WDAC) can only tag processes created after the policy has been deployed. After verifying the policy has been deployed, the next step is to verify that the application processes you expect to pass the AppId Tagging policy have your tag set. Note that processes running at the time of policy deployment will need to be restarted since Windows Defender Application Control (WDAC) can only tag processes created after the policy has been deployed.
1. Download and Install the Windows Debugger 1. Download and Install the Windows Debugger
[Microsoft's WinDbg Preview application](https://www.microsoft.com/store/productId/9PGJGD53TN86) can be downloaded from the Store and used to verify tags on running processes. [Microsoft's WinDbg Preview application](https://www.microsoft.com/store/productId/9PGJGD53TN86) can be downloaded from the Store and used to verify tags on running processes.
2. Get the Process ID (PID) of the process under validation 2. Get the Process ID (PID) of the process under validation
Using Task Manager, or an equivalent process monitoring tool, locate the PID of the process you wish to inspect. In the example below, we've located the PID for the running process for Microsoft Edge to be 2260. The PID will be used in the next step. Using Task Manager, or an equivalent process monitoring tool, locate the PID of the process you wish to inspect. In the example below, we've located the PID for the running process for Microsoft Edge to be 2260. The PID will be used in the next step.
![Using Task Manager to locate the process ID - PID.](../images/appid-pid-task-mgr.png) ![Using Task Manager to locate the process ID - PID.](../images/appid-pid-task-mgr.png)
3. Use WinDbg to inspect the process 3. Use WinDbg to inspect the process
After opening WinDbg. select File followed by `Attach to Process`, and select the process with the PID identified in the step prior. Finally, select `Attach` to connect to the process. After opening WinDbg. select File followed by `Attach to Process`, and select the process with the PID identified in the step prior. Finally, select `Attach` to connect to the process.
![Attach to the process using WinDbg.](../images/appid-pid-windbg.png) ![Attach to the process using WinDbg.](../images/appid-pid-windbg.png)
Lastly, in the textbox, type `!token` and then press the Enter key to dump the security attributes on the process, including the _POLICYAPPID://_ followed by the key you set in the policy, and its corresponding value in the Value[0] field. Lastly, in the textbox, type `!token` and then press the Enter key to dump the security attributes on the process, including the _POLICYAPPID://_ followed by the key you set in the policy, and its corresponding value in the Value[0] field.
![Dump the security attributes on the process using WinDbg.](../images/appid-pid-windbg-token.png) ![Dump the security attributes on the process using WinDbg.](../images/appid-pid-windbg-token.png)
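Review bot: Step 3 still reads "After opening WinDbg. select File followed by `Attach to Process`" on both sides of this hunk, with a period where a comma belongs, so the instruction breaks into two fragments. Since these lines are already being touched for whitespace, change it to "After opening WinDbg, select File followed by `Attach to Process`". The same step calls the `!token` input area "the textbox"; naming it the WinDbg command window would make the step easier to follow.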

View File

@ -3,7 +3,7 @@ title: Deploying Windows Defender Application Control AppId tagging policies
description: How to deploy your WDAC AppId tagging policies locally and globally within your managed environment. description: How to deploy your WDAC AppId tagging policies locally and globally within your managed environment.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 04/29/2022 ms.date: 04/29/2022
ms.topic: article ms.topic: conceptual
--- ---
# Deploying Windows Defender Application Control AppId tagging policies # Deploying Windows Defender Application Control AppId tagging policies

View File

@ -3,7 +3,7 @@ title: Create your Windows Defender Application Control AppId Tagging Policies
description: Create your Windows Defender Application Control AppId tagging policies for Windows devices. description: Create your Windows Defender Application Control AppId tagging policies for Windows devices.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 04/29/2022 ms.date: 04/29/2022
ms.topic: article ms.topic: conceptual
--- ---
# Creating your WDAC AppId Tagging Policies # Creating your WDAC AppId Tagging Policies
@ -17,12 +17,12 @@ You can use the Windows Defender Application Control (WDAC) Wizard and the Power
1. Create a new base policy using the templates: 1. Create a new base policy using the templates:
Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The following example shows beginning with the [Default Windows Mode](../design/wdac-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules. Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The following example shows beginning with the [Default Windows Mode](../design/wdac-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules.
![Configuring the policy base and template.](../images/appid-wdac-wizard-1.png) ![Configuring the policy base and template.](../images/appid-wdac-wizard-1.png)
> [!NOTE] > [!NOTE]
> If your AppId Tagging Policy does build off the base templates or does not allow Windows in-box processes, you will notice significant performance regressions, especially during boot. For this reason, it is strongly recommended to build off the base templates. > If your AppId Tagging Policy does build off the base templates or does not allow Windows in-box processes, you will notice significant performance regressions, especially during boot. For this reason, it is strongly recommended to build off the base templates.
For more information on the issue, see the [AppId Tagging Known Issue](../operations/known-issues.md#slow-boot-and-performance-with-custom-policies). For more information on the issue, see the [AppId Tagging Known Issue](../operations/known-issues.md#slow-boot-and-performance-with-custom-policies).
2. Set the following rule-options using the Wizard toggles: 2. Set the following rule-options using the Wizard toggles:
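Review bot: The NOTE in this hunk says "If your AppId Tagging Policy does build off the base templates or does not allow Windows in-box processes, you will notice significant performance regressions", which contradicts the next sentence recommending that policies build off the base templates. The first clause is missing a negation and should read "doesn't build off the base templates"; the line is unchanged on both sides, so the error carries through this commit. In the same hunk, "The following example shows beginning with the ... template and build on top of these rules" needs "building" to agree with "beginning".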
@ -31,13 +31,13 @@ You can use the Windows Defender Application Control (WDAC) Wizard and the Power
3. Create custom rules: 3. Create custom rules:
Selecting the `+ Custom Rules` button opens the Custom Rules panel. The Wizard supports five types of file rules: Selecting the `+ Custom Rules` button opens the Custom Rules panel. The Wizard supports five types of file rules:
- Publisher rules: Create a rule based off the signing certificate hierarchy. Additionally, the original filename and version can be combined with the signing certificate for added security. - Publisher rules: Create a rule based off the signing certificate hierarchy. Additionally, the original filename and version can be combined with the signing certificate for added security.
- Path rules: Create a rule based off the path to a file or a parent folder path. Path rules support wildcards. - Path rules: Create a rule based off the path to a file or a parent folder path. Path rules support wildcards.
- File attribute rules: Create a rule based off a file's immutable properties like the original filename, file description, product name or internal name. - File attribute rules: Create a rule based off a file's immutable properties like the original filename, file description, product name or internal name.
- Package app name rules: Create a rule based off the package family name of an appx/msix. - Package app name rules: Create a rule based off the package family name of an appx/msix.
- Hash rules: Create a rule based off the PE Authenticode hash of a file. - Hash rules: Create a rule based off the PE Authenticode hash of a file.
For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](../design/wdac-wizard-create-base-policy.md#creating-custom-file-rules). For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](../design/wdac-wizard-create-base-policy.md#creating-custom-file-rules).
@ -48,9 +48,9 @@ You can use the Windows Defender Application Control (WDAC) Wizard and the Power
```powershell ```powershell
Set-CIPolicyIdInfo -ResetPolicyID -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue" Set-CIPolicyIdInfo -ResetPolicyID -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue"
``` ```
The policyID GUID is returned by the PowerShell command if successful. The policyID GUID is returned by the PowerShell command if successful.
## Create the policy using PowerShell ## Create the policy using PowerShell
Using this method, you create an AppId Tagging policy directly using the WDAC PowerShell commands. These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](wdac-appid-tagging-guide.md). In an elevate PowerShell instance: Using this method, you create an AppId Tagging policy directly using the WDAC PowerShell commands. These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](wdac-appid-tagging-guide.md). In an elevate PowerShell instance:
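Review bot: The last line of this hunk ends with "In an elevate PowerShell instance:", which should be "In an elevated PowerShell instance:". The requirement matters to the reader because the steps fail without elevation, so it is worth fixing while the surrounding lines are being edited.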
@ -72,20 +72,20 @@ Using this method, you create an AppId Tagging policy directly using the WDAC Po
Set-RuleOption -Option 18 .\AppIdPolicy.xml # (Optional) Disable FilePath Rule Protection Set-RuleOption -Option 18 .\AppIdPolicy.xml # (Optional) Disable FilePath Rule Protection
``` ```
If you're using filepath rules, you may want to set option 18. Otherwise, there's no need. If you're using filepath rules, you may want to set option 18. Otherwise, there's no need.
4. Set the name and ID on the policy, which is helpful for future debugging: 4. Set the name and ID on the policy, which is helpful for future debugging:
```powershell ```powershell
Set-CIPolicyIdInfo -ResetPolicyId -PolicyName "MyPolicyName" -PolicyId "MyPolicyId" -AppIdTaggingPolicy -FilePath ".\AppIdPolicy.xml" Set-CIPolicyIdInfo -ResetPolicyId -PolicyName "MyPolicyName" -PolicyId "MyPolicyId" -AppIdTaggingPolicy -FilePath ".\AppIdPolicy.xml"
``` ```
The policyID GUID is returned by the PowerShell command if successful. The policyID GUID is returned by the PowerShell command if successful.
## Deploy for Local Testing ## Deploy for Local Testing
After creating your AppId Tagging policy in the above steps, you can deploy the policy to your local machine for testing before broadly deploying the policy to your endpoints: After creating your AppId Tagging policy in the above steps, you can deploy the policy to your local machine for testing before broadly deploying the policy to your endpoints:
1. Depending on your deployment method, convert the xml to binary: 1. Depending on your deployment method, convert the xml to binary:
```powershell ```powershell
Convertfrom-CIPolicy .\policy.xml ".\{PolicyIDGUID}.cip" Convertfrom-CIPolicy .\policy.xml ".\{PolicyIDGUID}.cip"
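Review bot: The deployment step converts `.\policy.xml`, but every earlier command in this hunk writes to `.\AppIdPolicy.xml`, so a reader following the steps in order converts a file that was never created. Use the same file name throughout, and spell the cmdlet `ConvertFrom-CIPolicy` to match the casing used for the other cmdlets. Separately, the option 18 line says only "you may want to set option 18" for file path rules; since its own comment describes it as disabling FilePath Rule Protection, the text should say what protection is given up so the choice is an informed one.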

View File

@ -1,9 +1,9 @@
--- ---
title: Designing, creating, managing and troubleshooting Windows Defender Application Control AppId Tagging policies title: Designing, creating, managing, and troubleshooting Windows Defender Application Control AppId Tagging policies
description: How to design, create, manage and troubleshoot your WDAC AppId Tagging policies description: How to design, create, manage, and troubleshoot your WDAC AppId Tagging policies
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 04/27/2022 ms.date: 04/27/2022
ms.topic: article ms.topic: conceptual
--- ---
# WDAC Application ID (AppId) Tagging guide # WDAC Application ID (AppId) Tagging guide
@ -13,23 +13,23 @@ ms.topic: article
## AppId Tagging Feature Overview ## AppId Tagging Feature Overview
The Application ID (AppId) Tagging Policy feature, while based off Windows Defender Application Control (WDAC), does not control whether applications will run. AppId Tagging policies can be used to mark the processes of the running application with a customizable tag defined in the policy. Application processes that pass the AppId policy will receive the tag while failing applications won't. The Application ID (AppId) Tagging Policy feature, while based off Windows Defender Application Control (WDAC), doesn't control whether applications run. AppId Tagging policies can be used to mark the processes of the running application with a customizable tag defined in the policy. Application processes that pass the AppId policy receive the tag while failing applications don't.
## AppId Tagging Feature Availability ## AppId Tagging Feature Availability
The WDAC AppId Tagging feature is available on the following versions of the Windows platform: The WDAC AppId Tagging feature is available on the following versions of the Windows platform:
Client: Client:
- Windows 10 20H1, 20H2 and 21H1 versions only - Windows 10 20H1, 20H2, and 21H1 versions only
- Windows 11 - Windows 11
Server: Server:
- Windows Server 2022 - Windows Server 2022
## In this section ## In this section
| Topic | Description | | article | Description |
| - | - | | - | - |
| [Designing and Creating AppId Policies](design-create-appid-tagging-policies.md) | This topic covers how to design and create AppId Tagging policies. | | [Designing and Creating AppId Policies](design-create-appid-tagging-policies.md) | This article covers how to design and create AppId Tagging policies. |
| [Deploying AppId Policies](deploy-appid-tagging-policies.md) | This topic covers how to deploy AppId Tagging policies. | | [Deploying AppId Policies](deploy-appid-tagging-policies.md) | This article covers how to deploy AppId Tagging policies. |
| [Debugging AppId Policies](debugging-operational-guide-appid-tagging-policies.md) | This topic covers how to debug and view events from AppId Tagging policies. | | [Debugging AppId Policies](debugging-operational-guide-appid-tagging-policies.md) | This article covers how to debug and view events from AppId Tagging policies. |
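Review bot: The table header in this hunk changes from `| Topic | Description |` to `| article | Description |`, leaving the first column lowercase next to a capitalized "Description". This looks like a search-and-replace of "topic" with "article" that did not preserve case; the header should be `| Article | Description |`.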

View File

@ -6,7 +6,7 @@ ms.collection:
- must-keep - must-keep
ms.topic: conceptual ms.topic: conceptual
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 12/23/2023 ms.date: 06/07/2024
--- ---
# AppLocker rule collection extensions # AppLocker rule collection extensions
@ -35,4 +35,4 @@ To apply AppLocker policy to nonuser processes, set ``<Services EnforcementMode=
## System apps ## System apps
When using AppLocker to control nonuser processes, your policy must allow all Windows system code or your device night behave unexpectedly. To automatically allow all system code that is part of Windows, set ``<SystemApps Allow="Enabled"/>`` in the ``<RedstoneExtensions>`` section as shown in the preceding XML fragment. When using AppLocker to control nonuser processes, your policy must allow all Windows system code or your device might behave unexpectedly. To automatically allow all system code that is part of Windows, set ``<SystemApps Allow="Enabled"/>`` in the ``<RedstoneExtensions>`` section as shown in the preceding XML fragment.

View File

@ -3,7 +3,7 @@ title: Use audit events to create WDAC policy rules
description: Audits allow admins to discover apps, binaries, and scripts that should be added to the WDAC policy. description: Audits allow admins to discover apps, binaries, and scripts that should be added to the WDAC policy.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 05/03/2018 ms.date: 05/03/2018
ms.topic: article ms.topic: conceptual
--- ---
# Use audit events to create WDAC policy rules # Use audit events to create WDAC policy rules

View File

@ -3,7 +3,7 @@ title: Deploy WDAC policies via Group Policy
description: Windows Defender Application Control (WDAC) policies can easily be deployed and managed with Group Policy. Learn how by following this step-by-step guide. description: Windows Defender Application Control (WDAC) policies can easily be deployed and managed with Group Policy. Learn how by following this step-by-step guide.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 01/23/2023 ms.date: 01/23/2023
ms.topic: article ms.topic: how-to
--- ---
# Deploy Windows Defender Application Control policies by using Group Policy # Deploy Windows Defender Application Control policies by using Group Policy

View File

@ -3,7 +3,7 @@ title: Deploy Windows Defender Application Control (WDAC) policies using script
description: Use scripts to deploy Windows Defender Application Control (WDAC) policies. Learn how with this step-by-step guide. description: Use scripts to deploy Windows Defender Application Control (WDAC) policies. Learn how with this step-by-step guide.
ms.manager: jsuther ms.manager: jsuther
ms.date: 01/23/2023 ms.date: 01/23/2023
ms.topic: article ms.topic: how-to
ms.localizationpriority: medium ms.localizationpriority: medium
--- ---

View File

@ -3,7 +3,7 @@ title: Remove Windows Defender Application Control policies
description: Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS. description: Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 11/04/2022 ms.date: 11/04/2022
ms.topic: article ms.topic: how-to
--- ---
# Remove Windows Defender Application Control (WDAC) policies # Remove Windows Defender Application Control (WDAC) policies

View File

@ -3,7 +3,7 @@ title: Enforce Windows Defender Application Control (WDAC) policies
description: Learn how to switch a WDAC policy from audit to enforced mode. description: Learn how to switch a WDAC policy from audit to enforced mode.
ms.manager: jsuther ms.manager: jsuther
ms.date: 04/22/2021 ms.date: 04/22/2021
ms.topic: article ms.topic: how-to
ms.localizationpriority: medium ms.localizationpriority: medium
--- ---

View File

@ -3,7 +3,7 @@ title: Merge Windows Defender Application Control policies (WDAC)
description: Learn how to merge WDAC policies as part of your policy lifecycle management. description: Learn how to merge WDAC policies as part of your policy lifecycle management.
ms.manager: jsuther ms.manager: jsuther
ms.date: 04/22/2021 ms.date: 04/22/2021
ms.topic: article ms.topic: how-to
ms.localizationpriority: medium ms.localizationpriority: medium
--- ---

View File

@ -3,7 +3,7 @@ title: Allow COM object registration in a WDAC policy
description: You can allow COM object registration in a Windows Defender Application Control policy. description: You can allow COM object registration in a Windows Defender Application Control policy.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 04/05/2023 ms.date: 04/05/2023
ms.topic: article ms.topic: how-to
--- ---
# Allow COM object registration in a Windows Defender Application Control policy # Allow COM object registration in a Windows Defender Application Control policy
@ -153,11 +153,11 @@ The table that follows describes the list of COM objects that are inherently tru
| scrrun.dll | 0D43FE01-F093-11CF-8940-00A0C9054228 | | scrrun.dll | 0D43FE01-F093-11CF-8940-00A0C9054228 |
| vbscript.dll | 3F4DACA4-160D-11D2-A8E9-00104B365C9F | | vbscript.dll | 3F4DACA4-160D-11D2-A8E9-00104B365C9F |
| WEX.Logger.Log | 70B46225-C474-4852-BB81-48E0D36F9A5A | | WEX.Logger.Log | 70B46225-C474-4852-BB81-48E0D36F9A5A |
| TE.Common.TestData | 1d68f3c0-b5f8-4abd-806a-7bc57cdce35a | | TE.Common.TestData | 1d68f3c0-b5f8-4abd-806a-7bc57cdce35a |
| TE.Common.RuntimeParameters | 9f3d4048-6028-4c5b-a92d-01bc977af600 | | TE.Common.RuntimeParameters | 9f3d4048-6028-4c5b-a92d-01bc977af600 |
| TE.Common.Verify | e72cbabf-8e48-4d27-b14e-1f347f6ec71a | | TE.Common.Verify | e72cbabf-8e48-4d27-b14e-1f347f6ec71a |
| TE.Common.Interruption | 5850ba6f-ce72-46d4-a29b-0d3d9f08cc0b | | TE.Common.Interruption | 5850ba6f-ce72-46d4-a29b-0d3d9f08cc0b |
| msxml6.dll | 2933BF90-7B36-11d2-B20E-00C04F983E60 | | msxml6.dll | 2933BF90-7B36-11d2-B20E-00C04F983E60 |
| msxml6.dll | ED8C108E-4349-11D2-91A4-00C04F7969E8 | | msxml6.dll | ED8C108E-4349-11D2-91A4-00C04F7969E8 |
| mmcndmgr.dll | ADE6444B-C91F-4E37-92A4-5BB430A33340 | | mmcndmgr.dll | ADE6444B-C91F-4E37-92A4-5BB430A33340 |
| puiobj.dll | B021FF57-A928-459C-9D6C-14DED0C9BED2 | | puiobj.dll | B021FF57-A928-459C-9D6C-14DED0C9BED2 |

View File

@ -3,7 +3,7 @@ title: Policy creation for common WDAC usage scenarios
description: Develop a plan for deploying Windows Defender Application Control (WDAC) in your organization based on these common scenarios. description: Develop a plan for deploying Windows Defender Application Control (WDAC) in your organization based on these common scenarios.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 04/05/2023 ms.date: 04/05/2023
ms.topic: article ms.topic: conceptual
--- ---
# Windows Defender Application Control deployment in different scenarios: types of devices # Windows Defender Application Control deployment in different scenarios: types of devices
@ -15,7 +15,7 @@ Typically, deployment of Windows Defender Application Control (WDAC) happens bes
## Types of devices ## Types of devices
| Type of device | How WDAC relates to this type of device | | Type of device | How WDAC relates to this type of device |
|------------------------------------|------------------------------------------------------| |------------------------------------|------------------------------------------------------|
| **Lightly managed devices**: Company-owned, but users are free to install software.<br>Devices are required to run organization's antivirus solution and client management tools. | Windows Defender Application Control can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | | **Lightly managed devices**: Company-owned, but users are free to install software.<br>Devices are required to run organization's antivirus solution and client management tools. | Windows Defender Application Control can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. |
| **Fully managed devices**: Allowed software is restricted by IT department.<br>Users can request for more software, or install from a list of applications provided by IT department.<br>Examples: locked-down, company-owned desktops and laptops. | An initial baseline Windows Defender Application Control policy can be established and enforced. Whenever the IT department approves more applications, it updates the WDAC policy and (for unsigned LOB applications) the catalog. | | **Fully managed devices**: Allowed software is restricted by IT department.<br>Users can request for more software, or install from a list of applications provided by IT department.<br>Examples: locked-down, company-owned desktops and laptops. | An initial baseline Windows Defender Application Control policy can be established and enforced. Whenever the IT department approves more applications, it updates the WDAC policy and (for unsigned LOB applications) the catalog. |

View File

@ -3,7 +3,7 @@ title: Allow apps deployed with a WDAC managed installer
description: Explains how to configure a custom Managed Installer. description: Explains how to configure a custom Managed Installer.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 02/02/2023 ms.date: 02/02/2023
ms.topic: article ms.topic: how-to
--- ---
# Automatically allow apps deployed by a managed installer with Windows Defender Application Control # Automatically allow apps deployed by a managed installer with Windows Defender Application Control
@ -78,7 +78,7 @@ The AppLocker policy creation UI in GPO Editor and the AppLocker PowerShell cmdl
``` ```
3. Manually edit your AppLocker policy and add the EXE and DLL rule collections with at least one rule for each. To ensure your policy can be safely applied on systems that may already have an active AppLocker policy, we recommend using a benign DENY rule to block a fake binary and set the rule collection's EnforcementMode to AuditOnly. Additionally, since many installation processes rely on services, you need to enable services tracking for each of those rule collections. The following example shows a partial AppLocker policy with the EXE and DLL rule collection configured as recommended. 3. Manually edit your AppLocker policy and add the EXE and DLL rule collections with at least one rule for each. To ensure your policy can be safely applied on systems that may already have an active AppLocker policy, we recommend using a benign DENY rule to block a fake binary and set the rule collection's EnforcementMode to AuditOnly. Additionally, since many installation processes rely on services, you need to enable services tracking for each of those rule collections. The following example shows a partial AppLocker policy with the EXE and DLL rule collection configured as recommended.
```xml ```xml
<RuleCollection Type="Dll" EnforcementMode="AuditOnly" > <RuleCollection Type="Dll" EnforcementMode="AuditOnly" >
<FilePathRule Id="86f235ad-3f7b-4121-bc95-ea8bde3a5db5" Name="Benign DENY Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <FilePathRule Id="86f235ad-3f7b-4121-bc95-ea8bde3a5db5" Name="Benign DENY Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
@ -147,7 +147,7 @@ The AppLocker policy creation UI in GPO Editor and the AppLocker PowerShell cmdl
</RuleCollectionExtensions> </RuleCollectionExtensions>
</RuleCollection> </RuleCollection>
<RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly"> <RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
<FilePublisherRule Id="55932f09-04b8-44ec-8e2d-3fc736500c56" Name="MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE version 1.39.200.2 or greater in MICROSOFT® INTUNE from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <FilePublisherRule Id="55932f09-04b8-44ec-8e2d-3fc736500c56" Name="MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE version 1.39.200.2 or greater in MICROSOFT&reg; INTUNE&trade; from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions> <Conditions>
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE"> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE">
<BinaryVersionRange LowSection="1.39.200.2" HighSection="*" /> <BinaryVersionRange LowSection="1.39.200.2" HighSection="*" />
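Review bot: The `FilePublisherRule` Name attribute inside the `xml` sample changes from "MICROSOFT® INTUNE" to "MICROSOFT&reg; INTUNE&trade;", and `&reg;` and `&trade;` are HTML entities that XML does not predefine (only `&lt;`, `&gt;`, `&amp;`, `&apos;` and `&quot;` are). Anyone who copies this policy into a file will get an XML parse error on the undefined entities unless the renderer decodes them first. The change also adds a trademark symbol after INTUNE that the original rule name did not have. Keep the literal characters inside the fenced block, or use numeric character references such as `&#174;`, and leave the rule name text otherwise unchanged.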
@ -183,7 +183,7 @@ The AppLocker policy creation UI in GPO Editor and the AppLocker PowerShell cmdl
```console ```console
appidtel.exe start [-mionly] appidtel.exe start [-mionly]
``` ```
Specify "-mionly" if you don't plan to use the Intelligent Security Graph (ISG). Specify "-mionly" if you don't plan to use the Intelligent Security Graph (ISG).
> [!NOTE] > [!NOTE]

View File

@ -3,7 +3,7 @@ title: Create WDAC Deny Policy
description: Explains how to create WDAC deny policies description: Explains how to create WDAC deny policies
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 12/31/2017 ms.date: 12/31/2017
ms.topic: article ms.topic: how-to
--- ---
# Guidance on Creating WDAC Deny Policies # Guidance on Creating WDAC Deny Policies

View File

@ -3,7 +3,7 @@ title: Create a WDAC policy using a reference computer
description: To create a Windows Defender Application Control (WDAC) policy that allows all code installed on a reference computer within your organization, follow this guide. description: To create a Windows Defender Application Control (WDAC) policy that allows all code installed on a reference computer within your organization, follow this guide.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 08/08/2022 ms.date: 08/08/2022
ms.topic: article ms.topic: how-to
--- ---
# Create a WDAC policy using a reference computer # Create a WDAC policy using a reference computer

View File

@ -3,7 +3,7 @@ title: Use multiple Windows Defender Application Control Policies
description: Windows Defender Application Control supports multiple code integrity policies for one device. description: Windows Defender Application Control supports multiple code integrity policies for one device.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 04/15/2024 ms.date: 04/15/2024
ms.topic: article ms.topic: how-to
--- ---
# Use multiple Windows Defender Application Control Policies # Use multiple Windows Defender Application Control Policies

View File

@ -3,7 +3,7 @@ title: Manage packaged apps with WDAC
description: Packaged apps, also known as Universal Windows apps, allow you to control the entire app by using a single Windows Defender Application Control (WDAC) rule. description: Packaged apps, also known as Universal Windows apps, allow you to control the entire app by using a single Windows Defender Application Control (WDAC) rule.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 03/01/2023 ms.date: 03/01/2023
ms.topic: article ms.topic: how-to
--- ---
# Manage Packaged Apps with Windows Defender Application Control # Manage Packaged Apps with Windows Defender Application Control

View File

@ -6,7 +6,7 @@ ms.collection:
- tier3 - tier3
- must-keep - must-keep
ms.date: 01/24/2024 ms.date: 01/24/2024
ms.topic: article ms.topic: how-to
--- ---
# Microsoft recommended driver block rules # Microsoft recommended driver block rules

View File

@ -3,7 +3,7 @@ title: Plan for WDAC policy management
description: Learn about the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control policies. description: Learn about the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control policies.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 11/22/2023 ms.date: 11/22/2023
ms.topic: article ms.topic: conceptual
--- ---
# Plan for Windows Defender Application Control lifecycle policy management # Plan for Windows Defender Application Control lifecycle policy management
@ -25,7 +25,7 @@ Most Windows Defender Application Control policies will evolve over time and pro
4. Repeat steps 2-3 until the remaining block events meet expectations. 4. Repeat steps 2-3 until the remaining block events meet expectations.
5. [Generate the enforced mode version](/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies) of the policy. In enforced mode, files that the policy doesn't allow are prevented from running and corresponding block events are generated. 5. [Generate the enforced mode version](/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies) of the policy. In enforced mode, files that the policy doesn't allow are prevented from running and corresponding block events are generated.
6. [Deploy the enforced mode policy](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly. 6. [Deploy the enforced mode policy](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes. 7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes.
![Recommended WDAC policy deployment process.](../images/policyflow.png) ![Recommended WDAC policy deployment process.](../images/policyflow.png)
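
Review bot: no visible text differs between the old and new sides of this hunk (step 7 and the image line read the same), so the edit appears to be whitespace only; confirm that is intended. While these lines are being touched, the links in steps 5 and 6 still use absolute `/windows/security/threat-protection/windows-defender-application-control/...` paths, whereas other files in this commit link with relative paths such as `../deployment/...`; consider aligning them and checking that the targets still resolve.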

View File

@ -3,7 +3,7 @@ title: Understand WDAC script enforcement
description: WDAC script enforcement description: WDAC script enforcement
ms.manager: jsuther ms.manager: jsuther
ms.date: 05/26/2023 ms.date: 05/26/2023
ms.topic: article ms.topic: conceptual
ms.localizationpriority: medium ms.localizationpriority: medium
--- ---

View File

@ -3,7 +3,7 @@ title: Understand Windows Defender Application Control (WDAC) policy rules and f
description: Learn how WDAC policy rules and file rules can control your Windows 10 and Windows 11 computers. description: Learn how WDAC policy rules and file rules can control your Windows 10 and Windows 11 computers.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 11/22/2023 ms.date: 11/22/2023
ms.topic: article ms.topic: conceptual
--- ---
# Understand Windows Defender Application Control (WDAC) policy rules and file rules # Understand Windows Defender Application Control (WDAC) policy rules and file rules

View File

@ -3,10 +3,10 @@ title: Understand Windows Defender Application Control policy design decisions
description: Understand Windows Defender Application Control policy design decisions. description: Understand Windows Defender Application Control policy design decisions.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 02/08/2018 ms.date: 02/08/2018
ms.topic: article ms.topic: conceptual
--- ---
# Understand Windows Defender Application Control policy design decisions # Understand Windows Defender Application Control policy design decisions
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
@ -56,8 +56,8 @@ Traditional Win32 apps on Windows can run without being digitally signed. This p
| Possible answers | Design considerations | | Possible answers | Design considerations |
| - | - | | - | - |
| All apps used in your organization must be signed. | Organizations that enforce [codesigning](../deployment/use-code-signing-for-better-control-and-protection.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. Windows Defender Application Control rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). | | All apps used in your organization must be signed. | Organizations that enforce [codesigning](../deployment/use-code-signing-for-better-control-and-protection.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. Windows Defender Application Control rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). |
| Apps used in your organization don't need to meet any codesigning requirements. | Organizations can [use built-in Windows tools](../deployment/deploy-catalog-files-to-support-wdac.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Intune offer multiple ways to distribute signed App Catalogs. | | Apps used in your organization don't need to meet any codesigning requirements. | Organizations can [use built-in Windows tools](../deployment/deploy-catalog-files-to-support-wdac.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Intune offer multiple ways to distribute signed App Catalogs. |
### Are there specific groups in your organization that need customized application control policies? ### Are there specific groups in your organization that need customized application control policies?
Most business teams or departments have specific security requirements that pertain to data access and the applications used to access that data. Consider the scope of the project for each group and the group's priorities before you deploy application control policies for the entire organization. There's overhead in managing policies that might lead you to choose between broad, organization-wide policies and multiple team-specific policies. Most business teams or departments have specific security requirements that pertain to data access and the applications used to access that data. Consider the scope of the project for each group and the group's priorities before you deploy application control policies for the entire organization. There's overhead in managing policies that might lead you to choose between broad, organization-wide policies and multiple team-specific policies.

View File

@ -3,7 +3,7 @@ title: Understanding Windows Defender Application Control (WDAC) secure settings
description: Learn about secure settings in Windows Defender Application Control. description: Learn about secure settings in Windows Defender Application Control.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 04/05/2023 ms.date: 04/05/2023
ms.topic: article ms.topic: conceptual
--- ---
# Understanding WDAC Policy Settings # Understanding WDAC Policy Settings
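
Review bot: the front matter `title:` ("Understanding Windows Defender Application Control (WDAC) secure settings") and the H1 ("Understanding WDAC Policy Settings") name different things, and this hunk changes `ms.topic` without reconciling them. Pick one term, "secure settings" as used in the title and description or "policy settings", and use it in both places so search results and the page heading agree.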

View File

@ -3,10 +3,10 @@ title: Use a Windows Defender Application Control policy to control specific plu
description: WDAC policies can be used not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps. description: WDAC policies can be used not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 11/02/2022 ms.date: 11/02/2022
ms.topic: article ms.topic: how-to
--- ---
# Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules # Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).

View File

@ -1,9 +1,9 @@
--- ---
title: Authorize reputable apps with the Intelligent Security Graph (ISG) title: Authorize reputable apps with the Intelligent Security Graph (ISG)
description: Automatically authorize applications that Microsofts ISG recognizes as having known good reputation. description: Automatically authorize applications that Microsoft's ISG recognizes as having known good reputation.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 12/31/2017 ms.date: 12/31/2017
ms.topic: article ms.topic: how-to
--- ---
# Authorize reputable apps with the Intelligent Security Graph (ISG) # Authorize reputable apps with the Intelligent Security Graph (ISG)
@ -42,29 +42,29 @@ Setting up the ISG is easy using any management solution you wish. Configuring t
To allow apps and binaries based on the Microsoft Intelligent Security Graph, the **Enabled:Intelligent Security Graph authorization** option must be specified in the WDAC policy. This step can be done with the Set-RuleOption cmdlet. You should also set the **Enabled:Invalidate EAs on Reboot** option so that ISG results are verified again after each reboot. The ISG option isn't recommended for devices that don't have regular access to the internet. The following example shows both options set. To allow apps and binaries based on the Microsoft Intelligent Security Graph, the **Enabled:Intelligent Security Graph authorization** option must be specified in the WDAC policy. This step can be done with the Set-RuleOption cmdlet. You should also set the **Enabled:Invalidate EAs on Reboot** option so that ISG results are verified again after each reboot. The ISG option isn't recommended for devices that don't have regular access to the internet. The following example shows both options set.
```xml ```xml
<Rules> <Rules>
<Rule> <Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option> <Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule> </Rule>
<Rule> <Rule>
<Option>Enabled:Advanced Boot Options Menu</Option> <Option>Enabled:Advanced Boot Options Menu</Option>
</Rule> </Rule>
<Rule> <Rule>
<Option>Required:Enforce Store Applications</Option> <Option>Required:Enforce Store Applications</Option>
</Rule> </Rule>
<Rule> <Rule>
<Option>Enabled:UMCI</Option> <Option>Enabled:UMCI</Option>
</Rule> </Rule>
<Rule> <Rule>
<Option>Enabled:Managed Installer</Option> <Option>Enabled:Managed Installer</Option>
</Rule> </Rule>
<Rule> <Rule>
<Option>Enabled:Intelligent Security Graph Authorization</Option> <Option>Enabled:Intelligent Security Graph Authorization</Option>
</Rule> </Rule>
<Rule> <Rule>
<Option>Enabled:Invalidate EAs on Reboot</Option> <Option>Enabled:Invalidate EAs on Reboot</Option>
</Rule> </Rule>
</Rules> </Rules>
``` ```
### Enable the necessary services to allow WDAC to use the ISG correctly on the client ### Enable the necessary services to allow WDAC to use the ISG correctly on the client
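
Review bot: the paragraph above the XML names the option as **Enabled:Intelligent Security Graph authorization** (lowercase "a"), while the sample uses `Enabled:Intelligent Security Graph Authorization`; make the prose match the string in the policy so readers who copy the name get the exact value, and put `Set-RuleOption` in code formatting. The sample also carries `Enabled:Unsigned System Integrity Policy` and `Enabled:Advanced Boot Options Menu`, which have nothing to do with the ISG; since the text says the example "shows both options set", add a sentence saying that only the last two rules are the ones being demonstrated, so readers don't copy the whole block into an enforced policy.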
@ -91,7 +91,7 @@ Since the ISG only allows binaries that are "known good", there are cases where
Packaged apps aren't supported with the ISG and will need to be separately authorized in your WDAC policy. Since packaged apps have a strong app identity and must be signed, it's straightforward to [authorize packaged apps](/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) with your WDAC policy. Packaged apps aren't supported with the ISG and will need to be separately authorized in your WDAC policy. Since packaged apps have a strong app identity and must be signed, it's straightforward to [authorize packaged apps](/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) with your WDAC policy.
The ISG doesn't authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run. The ISG doesn't authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.
> [!NOTE] > [!NOTE]
> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Intune's built-in WDAC support includes the option to trust apps with good reputation via the ISG, but it has no option to add explicit allow or deny rules. In most cases, customers using application control will need to deploy a custom WDAC policy (which can include the ISG option if desired) using [Intune's OMA-URI functionality](../deployment/deploy-wdac-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). > A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Intune's built-in WDAC support includes the option to trust apps with good reputation via the ISG, but it has no option to add explicit allow or deny rules. In most cases, customers using application control will need to deploy a custom WDAC policy (which can include the ISG option if desired) using [Intune's OMA-URI functionality](../deployment/deploy-wdac-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).

View File

@ -3,7 +3,7 @@ title: Windows Defender Application Control and .NET
description: Understand how WDAC and .NET work together and use Dynamic Code Security to verify code loaded by .NET at runtime. description: Understand how WDAC and .NET work together and use Dynamic Code Security to verify code loaded by .NET at runtime.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 11/22/2023 ms.date: 11/22/2023
ms.topic: article ms.topic: conceptual
--- ---
# Windows Defender Application Control (WDAC) and .NET # Windows Defender Application Control (WDAC) and .NET
@ -41,7 +41,7 @@ Additionally, customers can precompile for deployment only to prevent an allowed
To enable Dynamic Code Security, add the following option to the `<Rules>` section of your WDAC policy: To enable Dynamic Code Security, add the following option to the `<Rules>` section of your WDAC policy:
```xml ```xml
<Rule> <Rule>
<Option>Enabled:Dynamic Code Security</Option> <Option>Enabled:Dynamic Code Security</Option>
</Rule> </Rule>
``` ```

View File

@ -3,7 +3,7 @@ title: Understanding Application Control event tags
description: Learn what different Windows Defender Application Control event tags signify. description: Learn what different Windows Defender Application Control event tags signify.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 05/09/2023 ms.date: 05/09/2023
ms.topic: article ms.topic: conceptual
--- ---
# Understanding Application Control event tags # Understanding Application Control event tags

View File

@ -3,7 +3,7 @@ title: Inbox WDAC policies
description: This article describes the inbox WDAC policies that may be active on a device. description: This article describes the inbox WDAC policies that may be active on a device.
ms.manager: jsuther ms.manager: jsuther
ms.date: 03/10/2023 ms.date: 03/10/2023
ms.topic: article ms.topic: conceptual
ms.localizationpriority: medium ms.localizationpriority: medium
--- ---

View File

@ -3,7 +3,7 @@ title: WDAC Admin Tips & Known Issues
description: WDAC Known Issues description: WDAC Known Issues
ms.manager: jsuther ms.manager: jsuther
ms.date: 04/15/2024 ms.date: 04/15/2024
ms.topic: article ms.topic: troubleshooting
ms.localizationpriority: medium ms.localizationpriority: medium
--- ---
@ -84,7 +84,7 @@ msiexec -i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E
As a workaround, download the MSI file and run it locally: As a workaround, download the MSI file and run it locally:
```console ```console
msiexec -i c:\temp\Windows10_Version_1511_ADMX.msi msiexec -i c:\temp\Windows10_Version_1511_ADMX.msi
``` ```
### Slow boot and performance with custom policies ### Slow boot and performance with custom policies
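
Review bot: the workaround in this hunk runs `msiexec -i c:\temp\Windows10_Version_1511_ADMX.msi` with no step to check the downloaded file first, and `c:\temp` is a location that standard users can often write to. Suggest adding a sentence that tells the reader to verify the MSI's digital signature before installing, and using an example folder that only administrators can write to.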
@ -93,7 +93,7 @@ WDAC evaluates all processes that run, including inbox Windows processes. You ca
#### AppId Tagging policy considerations #### AppId Tagging policy considerations
AppId Tagging policies that aren't built upon the WDAC base templates or don't allow the Windows in-box signers might cause a significant increase in boot times (~2 minutes). AppId Tagging policies that aren't built upon the WDAC base templates or don't allow the Windows in-box signers might cause a significant increase in boot times (~2 minutes).
If you can't allowlist the Windows signers or build off the WDAC base templates, add the following rule to your policies to improve the performance: If you can't allowlist the Windows signers or build off the WDAC base templates, add the following rule to your policies to improve the performance:

View File

@ -3,10 +3,10 @@ title: Query Application Control events with Advanced Hunting
description: Learn how to query Windows Defender Application Control events across your entire organization by using Advanced Hunting. description: Learn how to query Windows Defender Application Control events across your entire organization by using Advanced Hunting.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 03/01/2022 ms.date: 03/01/2022
ms.topic: article ms.topic: troubleshooting
--- ---
# Querying Application Control events centrally using Advanced hunting # Querying Application Control events centrally using Advanced hunting
A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode.
While Event Viewer helps to see the impact on a single system, IT Pros want to gauge it across many systems. While Event Viewer helps to see the impact on a single system, IT Pros want to gauge it across many systems.
@ -65,7 +65,7 @@ The query results can be used for several important functions related to managin
Query Example #2: Query to determine audit blocks in the past seven days Query Example #2: Query to determine audit blocks in the past seven days
``` ```
DeviceEvents DeviceEvents
| where ActionType startswith "AppControlExecutableAudited" | where ActionType startswith "AppControlExecutableAudited"
| where Timestamp > ago(7d) | where Timestamp > ago(7d)
|project DeviceId, // the device ID where the audit block happened |project DeviceId, // the device ID where the audit block happened
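
Review bot: the query in this hunk sits in an untagged code fence, while the other fences touched by this commit carry a language (`xml`, `console`); tag it so it gets syntax highlighting. The `|project DeviceId,` line also lacks the space after the pipe that the two `| where` lines above it use; normalise to `| project` while the block is being edited.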

View File

@ -3,7 +3,7 @@ title: WDAC and AppLocker Overview
description: Compare Windows application control technologies. description: Compare Windows application control technologies.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 01/03/2024 ms.date: 01/03/2024
ms.topic: article ms.topic: conceptual
--- ---
# Windows Defender Application Control and AppLocker Overview # Windows Defender Application Control and AppLocker Overview

View File

@ -1,7 +1,7 @@
--- ---
title: Windows Sandbox architecture title: Windows Sandbox architecture
description: Windows Sandbox architecture description: Windows Sandbox architecture
ms.topic: article ms.topic: conceptual
ms.date: 03/26/2024 ms.date: 03/26/2024
--- ---

View File

@ -1,7 +1,7 @@
--- ---
title: Windows Sandbox configuration title: Windows Sandbox configuration
description: Windows Sandbox configuration description: Windows Sandbox configuration
ms.topic: article ms.topic: how-to
ms.date: 03/26/2024 ms.date: 03/26/2024
--- ---
@ -208,7 +208,7 @@ The following config file can be used to easily test the downloaded files inside
```xml ```xml
<Configuration> <Configuration>
<VGpu>Disable</VGpu> <vGpu>Disable</vGpu>
<Networking>Disable</Networking> <Networking>Disable</Networking>
<MappedFolders> <MappedFolders>
<MappedFolder> <MappedFolder>
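
Review bot: the `<VGpu>` to `<vGpu>` casing correction on the first element of this example is the only content change visible for this file, so check the other sample configurations and the element description in the same page for leftover `<VGpu>` spellings. A mixed page would leave readers unsure which casing the sandbox accepts, and a silently ignored `Disable` setting is a weaker sandbox than the example promises.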

Some files were not shown because too many files have changed in this diff