Merge branch 'master' into lsaldanha-5475844

2025-05-12 13:27:23 +00:00 · 2021-10-20 10:22:57 +05:30 · 2021-10-20 10:22:57 +05:30 · 8deedd33ff
commit 8deedd33ff
parent 803cff32ce 156fdcc9af
8 changed files with 923 additions and 267 deletions
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@ -8,25 +8,470 @@ ms.author: dansimp
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: manikadhiman
+author: dansimp
-ms.date: 06/26/2017
+ms.date: 
 ---
 # Device HealthAttestation CSP
-The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions.
+The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions.
 The following is a list of functions performed by the Device HealthAttestation CSP:
-   Collects device boot logs, TPM audit trails and the TPM certificate (DHA-BootData) from a managed device
+-   Collects device boot logs, Trusted Platform Module (TPM) audit trails and the TPM certificate (DHA-BootData) from a managed device
-   Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
+-   Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service)
 -   Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
-   Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data
+-   Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data)
-## Terms
+## Windows 11 Device health attestation
 Windows 11 introduces an update to the device health attestation feature. This helps add support for deeper insights to Windows boot security, supporting a zero trust approach to device security. Device health attestation on Windows can be accessed by using the HealthAttestation CSP. This CSP helps assess if a device is booted to a trusted and compliant state and then to take appropriate action. Windows 11 introduces additional child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service, which provides a simplified approach to attestation.
 The attestation report provides a health assessment of the boot-time properties of the device to ensure that the devices are automatically secure as soon as they power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, depending on the health of the device.
 ### Terms
 **TPM (Trusted Platform Module)**
 <p>TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing.</p>
 **DHA (Device HealthAttestation) feature**
 <p>The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.</p>
 **MAA-Session (Microsoft Azure Attestation service based device HealthAttestation session)**
 <p>The Microsoft Azure Attestation service-based device HealthAttestation session (MAA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.</p>
 **MAA-CSP Nodes (Microsoft Azure Attestation based Configuration Service Provider)**
 <p>The Configuration Service Provider nodes added to Windows 11 to integrate with Microsoft Azure Attestation Service.</p>
 <p>The following list of operations is performed by MAA-CSP:</p>
 <ul>
 <li>Receives attestation trigger requests from a HealthAttestation enabled MDM provider.</li>
 <li>The device collects Attestation Evidence (device boot logs, TPM audit trails and the TPM certificate) from a managed device.</li>
 <li>Forwards the Attestation Evidence to the Azure Attestation Service instance as configured by the MDM provider.</li>
 <li>Receives a signed report from the Azure Attestation Service instance and stores it in a local cache on the device.</li>
 </ul>
 **MAA endpoint**
 Microsoft Azure attestation service is an Azure resource, and every instance of the service gets administrator configured URL. The URI generated is unique in nature and for the purposes of device health attestation is known as the MAA endpoint.
 **JWT (JSON Web Token)**
 JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair.
 ### Attestation Flow with Microsoft Azure Attestation Service
 ![Attestation Flow with Microsoft Azure Attestation Service](./images/maa-attestation-flow.png)
 <br>
 <p>Attestation flow can be broadly in three main steps:</p>
 <ul>
    <li>An instance of the Azure Attestation service is set up with an appropriate attestation policy. The attestation policy allows the MDM provider to attest to particular events in the boot as well security features.</li>
    <li>The MDM provider triggers a call to the attestation service, the device then performs an attestation check keeping the report ready to be retrieved.</li>
    <li>The MDM provider after verifying the token is coming from the attestation service it can parse the attestation token to reflect on the attested state of the device.</li>
 </ul>
 The protocol implemented can be found here: <a href="/azure/attestation/virtualization-based-security-protocol" id="attestationprotocol"> Attestation Protocol</a>.
 ### Configuration Service Provider Nodes
 Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestation service.
 ```
 ./Vendor/MSFT
 HealthAttestation
 ----...
 ----TriggerAttestation                    |
 ----AttestStatus                          | Added in Windows 11
 ----GetAttestReport                       |
 ----GetServiceCorrelationIDs              |
 ----VerifyHealth
 ----Status
 ----ForceRetrieve
 ----Certificate
 ----Nonce
 ----CorrelationID
 ----HASEndpoint
 ----TpmReadyStatus
 ----CurrentProtocolVersion
 ----PreferredMaxProtocolVersion
 ----MaxSupportedProtocolVersion
 ```
 <a href="" id="healthattestation"></a>**./Vendor/MSFT/HealthAttestation**  
 <p>The root node for the device HealthAttestation configuration service provider.</p>
 <a href="" id="triggerAttestation"></a>**TriggerAttestation** (Required)  
 <p>Node type: EXECUTE
 This node will trigger attestation flow by launching an attestation process. If the attestation process is launched successfully, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned.
 </p>
 <p>Templated SyncML Call:</p>
 ```xml
 <SyncML xmlns="SYNCML:SYNCML1.2">
    <SyncBody>
        <Exec>
            <CmdID>VERIFYHEALTHV2</CmdID>
            <Item>
                <Target>
                    <LocURI>
                        ./Vendor/MSFT/HealthAttestation/TriggerAttestation
                    </LocURI>
                </Target>
                <Data>
                    {
                    rpID : "rpID", serviceEndpoint : “MAA endpoint”,
                    nonce : “nonce”, aadToken : “aadToken”, "cv" : "CorrelationVector"
                    }                    
                </Data>
            </Item>
        </Exec>
        <Final/>
    </SyncBody>
 </SyncML>
 ```
 <p>Data fields:</p>
 <ul>
 <li>rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller.</li>
 <li>serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation.</li>
 <li>nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.</li>
 <li>aadToken: The AAD token to be used for authentication against the Microsoft Azure Attestation service.</li>
 <li>cv: This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes.</li>
 </ul>
 <p>Sample Data:</p>
 ```json
 <Data>
 { 
 "rpid" : "https://www.contoso.com/attestation",
 "endpoint" : "https://contoso.eus.attest.azure.net/attest/tpm?api-version=2020-10-01",
 "nonce" : "5468697320697320612054657374204e6f6e6365",
 "aadToken" : "dummytokenstring",
 "cv" : "testonboarded" 
 }
 </Data>
 ```
 <a href="" id="AttestStatus"></a>**AttestStatus**
 <p>Node type: GET
 This node will retrieve the status(HRESULT value) stored in registry updated by the attestation process triggered in the previous step.
 The status is always cleared prior to making the attest service call.
 </p>
 <p>Templated SyncML Call:</p>
 ```xml
 <SyncML xmlns="SYNCML:SYNCML1.2">
    <SyncBody>
    <Get>
        <Item>
        <Target>
            <LocURI>
            ./Device/Vendor/MSFT/HealthAttestation/AttestStatus
            </LocURI>
        </Target>
        </Item>
    </Get>
    <Final/> 
    </SyncBody>
 </SyncML>
 ```
 <p>Sample Data:</p>
 ```
 If Successful: 0
 If Failed: A corresponding HRESULT error code
 Example: 0x80072efd,  WININET_E_CANNOT_CONNECT
 ```
 <a href="" id="getAttestReport"></a>**GetAttestReport**
 <p>Node type: GET
 This node will retrieve the attestation report per the call made by the TriggerAttestation, if there is any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store.
 </p>
 <p>Templated SyncML Call:</p>
 ```xml
 <SyncML xmlns="SYNCML:SYNCML1.2">
 <SyncBody>
    <Get>
    <Item>
        <Target>
        <LocURI>
            ./Device/Vendor/MSFT/HealthAttestation/GetAttestReport
        </LocURI>
        </Target>
    </Item>
    </Get>
    <Final/> 
 </SyncBody>
 </SyncML>
 ```
 <p>Sample data:</p>
 ```
 If Success:
 JWT token: aaaaaaaaaaaaa.bbbbbbbbbbbbb.cccccccccc
 If failed:
 Previously cached report if available (the token may have already expired per the attestation policy).
 OR Sync ML 404 error if not cached report available.
 ```
 <a href="" id="getServiceCorrelationIDs"></a>**GetServiceCorrelationIDs**
 <p>Node type: GET
 This node will retrieve the service-generated correlation IDs for the given MDM provider. If there are more than one correlation IDs, they are separated by “;” in the string.
 </p>
 <p>Templated SyncML Call:</p>
 ```xml
 <SyncML xmlns="SYNCML:SYNCML1.2">
 <SyncBody>
    <Get>
    <Item>
        <Target>
        <LocURI>
            ./Device/Vendor/MSFT/HealthAttestation/GetServiceCorrelationIDs
        </LocURI>
        </Target>
    </Item>
    </Get>
    <Final/> 
 </SyncBody>
 </SyncML>
 ```
 <p>Sample data:</p>
 > If success:
 > GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM
 > If Trigger Attestation call failed and no previous data is present. The field remains empty.
 > Otherwise, the last service correlation id will be returned. In a successful attestation there are two 
 > calls between client and MAA and for each call the GUID is separated by semicolon.
 > **_Note:_** MAA CSP nodes are available on arm64 but is not currently supported.
 ### MAA CSP Integration Steps
 <ol>
 <li>Set up a MAA provider instance:<br>
 MAA instance can be created following the steps here <a href="/azure/attestation/quickstart-portal" id="quickstartsetup">Quickstart: Set up Azure Attestation by using the Azure portal | Microsoft Docs.</a></li>
 <br><li>Update the provider with an appropriate policy:<br>
 The MAA instance should be updated with an appropriate policy. <a href="/azure/attestation/claim-rule-grammar" id="policy">How to author an Azure Attestation policy | Microsoft Docs</a>
 <br>A Sample attestation policy:
 ```
 version=1.2;
 configurationrules{
 };
 authorizationrules { 
    => permit();
 };
 issuancerules{
 // SecureBoot enabled 
 c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']"));
 c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'")));
 ![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false);
 // Retrieve bool properties
 c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
 c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY")));
 c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true));
 ![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false);
 // Bitlocker Boot Status, The first non zero measurement or zero.
 c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
 c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => issue(type="bitlockerEnabledValue", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK | @[? Value != `0`].Value | @[0]")));
 [type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=true);
 ![type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=false);
 // Elam Driver (windows defender) Loaded
 c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`")));
 [type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=true);
 ![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=false);
 // Boot debugging
 c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING")));
 c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false));
 ![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false);
 // Kernel Debugging
 c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG")));
 c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false));
 ![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false);
 // DEP Policy
 c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value | @[-1]")));
 ![type=="depPolicy"] => issue(type="depPolicy", value=0);
 // Test Signing
 c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING")));
 c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false));
 ![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false);
 // Flight Signing
 c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_FLIGHTSIGNING")));
 c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false));
 ![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false);
 // VSM enabled
 c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
 c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_VSM_REQUIRED")));
 c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT")));
 c:[type=="vbsEnabledSet", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=ContainsOnlyValue(c.value, true));
 ![type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=false);
 c:[type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value);
 // HVCI
 c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY | @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value")));
 c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1));
 ![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false);
 // IOMMU
 c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED")));
 c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true));
 ![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false);
 // Find the Boot Manager SVN, this is measured as part of a sequence and find the various measurements
 // Find the first EV_SEPARATOR in PCR 12, 13, Or 14
 c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
 c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
 [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); 
 // Find the first EVENT_APPLICATION_SVN. 
 c:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] | @[0].EventSeq"));
 c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value));
 c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
 // The first EVENT_APPLICATION_SVN. That value is the Boot Manager SVN
 c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
 // OS Rev List Info
 c:[type=="events", issuer=="AttestationService"] => issue(type="osRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_OS_REVOCATION_LIST.RawData | @[0]")));
 // Safe mode
 c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE")));
 c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false));
 ![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true);
 // Win PE
 c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_WINPE")));
 c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false));
 ![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true);
 // CI Policy
 c:[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData")));
 // Secure Boot Custom Policy
 c:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData | @[0]")));
 // Find the first EV_SEPARATOR in PCR 12, 13, Or 14
 c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
 c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
 [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it is not present
 //Finding the Boot App SVN
 // Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR
 c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`"));
 c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` || ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] | @[0].EventSeq"));
 c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, c1.value));
 // Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control.
 c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
 c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]) || (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]))].EventSeq | @[0]"));
 c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value));
 // Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12. 
 c:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
 c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
 c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
 // Finding the Boot Rev List Info
 c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData | @[0]")));
 };
 ```
 </li>
 <br><li>Call TriggerAttestation with your rpid, AAD token and the attestURI:<br>
 Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. More information about the api version can be found here Attestation - Attest Tpm - REST API (Azure Attestation) | Microsoft Docs</li>
 <br><li>Call GetAttestReport and decode and parse the report to ensure the attested report contains the required properties:<br>
 GetAttestReport return the signed attestation token as a JWT. The JWT can be decoded to parse the information per the attestation policy.
 <br>
 ```json
    {
      "typ": "JWT",
      "alg": "RS256",
      "x5c": [
        "MIIE.....=",
        "MIIG.....=",
        "MIIF.....="
      ],
      "kid": "8FUer20z6wzf1rod044wOAFdjsg"
    }.{
      "nbf": 1633664812,
      "exp": 1634010712,
      "iat": 1633665112,
      "iss": "https://contosopolicy.eus.attest.azure.net",
      "jti": "2b63663acbcafefa004d20969991c0b1f063c9be",
      "ver": "1.0",
      "x-ms-ver": "1.0",
      "rp_data": "AQIDBA",
      "nonce": "AQIDBA",
      "cnf": {
        "jwk": {
          "kty": "RSA",
          "n": "yZGC3-1rFZBt6n6vRHjRjvrOYlH69TftIQWOXiEHz__viQ_Z3qxWVa4TfrUxiQyDQnxJ8-f8tBRmlunMdFDIQWhnew_rc3-UYMUPNcTQ0IkrLBDG6qDjFFeEAMbn8gqr0rRWu_Qt7Cb_Cq1upoEBkv0RXk8yR6JXmFIvLuSdewGs-xCWlHhd5w3n1rVk0hjtRk9ZErlbPXt74E5l-ZZQUIyeYEZ1FmbivOIL-2f6NnKJ-cR4cdhEU8i9CH1YV0r578ry89nGvBJ5u4_3Ib9Ragdmxm259npH53hpnwf0I6V-_ZhGPyF6LBVUG_7x4CyxuHCU20uI0vXKXJNlbj1wsQ",
          "e": "AQAB"
        }
      },
      "x-ms-policy-hash": "GiGQCTOylCohHt4rd3pEppD9arh5mXC3ifF1m1hONh0",
      "WindowsDefenderElamDriverLoaded": true,
      "bitlockerEnabled": true,
      "bitlockerEnabledValue": 4,
      "bootAppSvn": 1,
      "bootDebuggingDisabled": true,
      "bootMgrSvn": 1,
      "bootRevListInfo": "gHWqR2F-1wEgAAAACwBxrZXHbaiuTuO0PSaJ7WQMF8yz37Z2ATgSNTTlRkwcTw",
      "codeIntegrityEnabled": true,
      "codeIntegrityPolicy": [
        "AAABAAAAAQBWAAsAIAAAAHsAOABmAGIANAA4ADYANQBlAC0AZQA5ADAAYgAtADQANAA0AGYALQBiADUAYgA1AC0AZQAyAGEAYQA1ADEAZAA4ADkAMABmAGQAfQAuAEMASQBQAAAAVnW86ERqAg5n9QT1UKFr-bOP2AlNtBaaHXjZODnNLlk",
        "AAAAAAAACgBWAAsAIAAAAHsAYgBjADQAYgBmADYAZAA3AC0AYwBjADYAMAAtADQAMABmADAALQA4ADYANAA0AC0AMQBlADYANAA5ADEANgBmADgAMQA4ADMAfQAuAEMASQBQAAAAQ7vOXuAbBRIMglSSg7g_LHNeHoR4GrY-M-2W5MNvf0o",
        "AAAAAAAACgBWAAsAIAAAAHsAYgAzADEAOAA5ADkAOQBhAC0AYgAxADMAZQAtADQANAA3ADUALQBiAGMAZgBkAC0AMQBiADEANgBlADMAMABlADYAMAAzADAAfQAuAEMASQBQAAAALTmwU3eadNtg0GyAyKIAkYed127RJCSgmfFmO1jN_aI",
        "AAAAAAAACgBWAAsAIAAAAHsAZgBlADgAMgBkADUAOAA5AC0ANwA3AGQAMQAtADQAYwA3ADYALQA5AGEANABhAC0AZQA0ADUANQA0ADYAOAA4ADkANAAxAGIAfQAuAEMASQBQAAAA8HGUwA85gHN_ThItTYtu6sw657gVuOb4fOhYl-YJRoc",
        "AACRVwAACgAmAAsAIAAAAEQAcgBpAHYAZQByAFMAaQBQAG8AbABpAGMAeQAuAHAANwBiAAAAYcVuY0HdW4Iqr5B-6Sl85kwIXRG9bqr43pVhkirg4qM"
      ],
      "depPolicy": 0,
      "flightSigningNotEnabled": false,
      "hvciEnabled": true,
      "iommuEnabled": true,
      "notSafeMode": true,
      "notWinPE": true,
      "osKernelDebuggingDisabled": true,
      "osRevListInfo": "gHLuW2F-1wEgAAAACwDLyDTUQILjdz_RfNlShVgNYT9EghL7ceMReWg9TuwdKA",
      "secureBootEnabled": true,
      "testSigningDisabled": true,
      "vbsEnabled": true
    }.[Signature]
 ```
 </li>
 </ol>
 ### Learn More 
 More information about TPM attestation can be found here: [Microsoft Azure Attestation](/azure/attestation/).
 ## Windows 10 Device HealthAttestation
 ### Terms
 **TPM (Trusted Platform Module)**
-<p>TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing. </p>
+<p>TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing. </p>
 **DHA (Device HealthAttestation) feature**
 <p>The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.</p>
@ -59,10 +504,10 @@ The following is a list of functions performed by the Device HealthAttestation C
 <strong>DHA session data (Device HealthAttestation session data)</strong>
 <p>The following list of data is produced or consumed in one DHA-Transaction:</p>
 <ul>
-<li>DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot and TPM counters) that are required for validating device boot health.</li>
+<li>DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health.</li>
 <li>DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices.</li>
 <li>DHA-SignedBlob: it is a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time.</li>
-<li>DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has 2 parts:
+<li>DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has two parts:
 <ul> 
 <li>DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service</li>
 <li>DHA-SignedBlob: a current snapshot of the current security state of the device that is generated by DHA-CSP</li>
@ -96,7 +541,7 @@ The following is a list of functions performed by the Device HealthAttestation C
 <strong>DHA-Service (Device HealthAttestation Service)</strong>
 <p>Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.</p>
-<p>DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.</p>
+<p>DHA-Service is available in two flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports various implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.</p>
 <p>The following list of operations is performed by DHA-Service:</p>
 - Receives device boot data (DHA-BootData) from a DHA-Enabled device</li>
@ -173,7 +618,7 @@ The following is a list of functions performed by the Device HealthAttestation C
 </tbody>
 </table>
-## CSP diagram and node descriptions  
+### CSP diagram and node descriptions  
 The following shows the Device HealthAttestation configuration service provider in tree format.  
@ -205,12 +650,12 @@ HealthAttestation
 <p>The supported operation is Get.</p>
-<p>The following list shows some examples of supported values. For the complete list of status see <a href="#device-healthattestation-csp-status-and-error-codes" data-raw-source="[Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes)">Device HealthAttestation CSP status and error codes</a>.</p>
+<p>The following list shows some examples of supported values. For the complete list of status, see <a href="#device-healthattestation-csp-status-and-error-codes" data-raw-source="[Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes)">Device HealthAttestation CSP status and error codes</a>.</p>
 -   0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
 -   1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
 -   2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob could not be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes
-   3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pick up
+-   3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup
 <a href="" id="forceretrieve"></a>**ForceRetrieve** (Optional)  
 <p>Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.</p>
@ -220,7 +665,7 @@ HealthAttestation
 <a href="" id="certificate"></a>**Certificate** (Required)  
 <p>Instructs the DHA-CSP to forward DHA-Data to the MDM server.</p>
-<p>Value type is b64.The supported operation is Get.</p>
+<p>Value type is b64. The supported operation is Get.</p>
 <a href="" id="nonce"></a>**Nonce** (Required)  
 <p>Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.</p>
@ -243,7 +688,7 @@ HealthAttestation
 <p>Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.</p>
 <p>Value type is integer. The supported operation is Get.</p>
-## **DHA-CSP integration steps**
+### **DHA-CSP integration steps**
 The following list of validation and development tasks are required for integrating the Microsoft Device Health Attestation feature with a Windows Mobile device management solution (MDM):
@ -260,7 +705,7 @@ The following list of validation and development tasks are required for integrat
 Each step is described in detail in the following sections of this topic.
-## <a href="" id="verify-access"></a>**Step 1: Verify HTTPS access**
+### <a href="" id="verify-access"></a>**Step 1: Verify HTTPS access**
 Validate that both the MDM server and the device (MDM client) can access has.spserv.microsoft.com using the TCP protocol over port 443 (HTTPS).
@ -313,7 +758,7 @@ SSL-Session:
 ```
-## <a href="" id="assign-trusted-dha-service"></a>**Step 2: Assign an enterprise trusted DHA-Service**
+### <a href="" id="assign-trusted-dha-service"></a>**Step 2: Assign an enterprise trusted DHA-Service**
 There are three types of DHA-Service:
 - Device Health Attestation – Cloud (owned and operated by Microsoft)
@ -339,7 +784,7 @@ The following example shows a sample call that instructs a managed device to com
 ```
-## <a href="" id="prepare-health-data"></a>**Step 3: Instruct client to prepare health data for verification**
+### <a href="" id="prepare-health-data"></a>**Step 3: Instruct client to prepare health data for verification**
 Send a SyncML call to start collection of the DHA-Data.
@ -366,7 +811,7 @@ The following example shows a sample call that triggers collection and verificat
 </Get>
 ```
-## <a href="" id="take-action-client-response"></a>**Step 4: Take action based on the clients response**
+### <a href="" id="take-action-client-response"></a>**Step 4: Take action based on the clients response**
 After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take.
@ -392,9 +837,9 @@ Here is a sample alert that is issued by DHA_CSP:
    </Item>
 </Alert>
 ```
- If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes).
+- If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes).
-## <a href="" id="forward-health-attestation"></a>**Step 5: Instruct the client to forward health attestation data for verification**
+### <a href="" id="forward-health-attestation"></a>**Step 5: Instruct the client to forward health attestation data for verification**
 Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device.
@ -431,7 +876,7 @@ Here is an example:
 </Get>
 ```
-## <a href="" id="forward-data-to-has"></a>**Step 6: Forward device health attestation data to DHA-service**
+### <a href="" id="forward-data-to-has"></a>**Step 6: Forward device health attestation data to DHA-service**
 In response to the request that was sent in the previous step, the MDM client forwards an XML formatted blob (response from ./Vendor/MSFT/HealthAttestation/Certificate node) and a call identifier called CorrelationId (response  to ./Vendor/MSFT/HealthAttestation/CorrelationId node).
@ -455,14 +900,14 @@ When the MDM-Server receives the above data, it must:
    - DHA-OnPrem or DHA-EMC: https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3
-## <a href="" id="receive-has-response"></a>**Step 7: Receive response from the DHA-service**
+### <a href="" id="receive-has-response"></a>**Step 7: Receive response from the DHA-service**
 When the Microsoft Device Health Attestation Service receives a request for verification, it performs the following steps:
 - Decrypts the encrypted data it receives.
 - Validates the data it has received 
 - Creates a report, and shares the evaluation results to the MDM server via SSL in XML format 
-## <a href="" id="take-policy-action"></a>**Step 8: Take appropriate policy action based on evaluation results**
+### <a href="" id="take-policy-action"></a>**Step 8: Take appropriate policy action based on evaluation results**
 After the MDM server receives the verified data, the information can be used to make policy decisions by evaluating the data. Some possible actions would be:
@ -471,7 +916,7 @@ After the MDM server receives the verified data, the information can be used to
 -   Allow the device to access the resources, but flag the device for further investigation.
 -   Prevent a device from accessing resources.
-The following list of data points are verified by the DHA-Service in DHA-Report version 3:
+The following list of data points is verified by the DHA-Service in DHA-Report version 3:
 - [Issued](#issued ) 
 - [AIKPresent](#aikpresent)
@ -503,7 +948,7 @@ The following list of data points are verified by the DHA-Service in DHA-Report
 \*  TPM 2.0 only   
 \*\*  Reports if BitLocker was enabled during initial boot.    
-\*\*\* The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot.  
+\*\*\* The “Hybrid Resume” must be disabled on the device. Reports first-party ELAM “Defender” was loaded during boot.  
 Each of these are described in further detail in the following sections, along with the recommended actions to take.
@ -519,7 +964,7 @@ Each of these are described in further detail in the following sections, along w
 -   Disallow all access
 -   Disallow access to HBI assets
-   Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history.
+-   Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
 -   Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
 <a href="" id="resetcount"></a>**ResetCount** (Reported only for devices that support TPM 2.0)
@ -544,7 +989,7 @@ Each of these are described in further detail in the following sections, along w
 -   Disallow all access
 -   Disallow access to HBI assets
-   Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history.
+-   Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
 -   Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
 <a href="" id="bitlockerstatus"></a>**BitLockerStatus** (at boot time) 
@ -560,7 +1005,7 @@ Each of these are described in further detail in the following sections, along w
 -   Disallow all access
 -   Disallow access to HBI assets
-   Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history.
+-   Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
 -   Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
 <a href="" id="bootmanagerrevlistversion"></a>**BootManagerRevListVersion**
@ -573,7 +1018,7 @@ Each of these are described in further detail in the following sections, along w
 -   Disallow all access
 -   Disallow access to HBI and MBI assets
 -   Place the device in a watch list to monitor the device more closely for potential risks.
-   Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue.
+-   Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
 <a href="" id="codeintegrityrevlistversion"></a>**CodeIntegrityRevListVersion**
 <p>This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.</p>
@ -585,7 +1030,7 @@ Each of these are described in further detail in the following sections, along w
 -   Disallow all access
 -   Disallow access to HBI and MBI assets
 -   Place the device in a watch list to monitor the device more closely for potential risks.
-   Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue.
+-   Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
 <a href="" id="securebootenabled"></a>**SecureBootEnabled**  
 <p>When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.</p>
@ -596,11 +1041,11 @@ Each of these are described in further detail in the following sections, along w
 -   Disallow all access
 -   Disallow access to HBI assets
-   Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history.
+-   Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
 -   Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
 <a href="" id="bootdebuggingenabled"></a>**BootDebuggingEnabled**
-<p>Boot debug enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.</p>
+<p>Boot debug-enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.</p>
 <p>Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:</p>
@ -626,7 +1071,7 @@ Each of these are described in further detail in the following sections, along w
 -   Disallow all access
 -   Disallow access to HBI assets
 -   Place the device in a watch list to monitor the device more closely for potential risks.
-   Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue.
+-   Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
 <a href="" id="codeintegrityenabled"></a>**CodeIntegrityEnabled**  
 <p>When code integrity is enabled, code execution is restricted to integrity verified code.</p>
@ -641,7 +1086,7 @@ Each of these are described in further detail in the following sections, along w
 -   Disallow all access
 -   Disallow access to HBI assets
-   Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history.
+-   Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
 -   Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
 <a href="" id="testsigningenabled"></a>**TestSigningEnabled**
@ -680,11 +1125,11 @@ Each of these are described in further detail in the following sections, along w
 <p>If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.</p>
 <a href="" id="elamdriverloaded"></a>**ELAMDriverLoaded**  (Windows Defender)
-<p>To use this reporting feature you must disable &quot;Hybrid Resume&quot; on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.</p>
+<p>To use this reporting feature, you must disable &quot;Hybrid Resume&quot; on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.</p>
-<p>In the current release, this attribute only monitors/reports if a Microsoft 1st party ELAM  (Windows Defender) was loaded during initial boot.</p>
+<p>In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM  (Windows Defender) was loaded during initial boot.</p>
-<p>If a device is expected to use a 3rd party antivirus program, ignore the reported state.</p>
+<p>If a device is expected to use a third-party antivirus program, ignore the reported state.</p>
 <p>If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.</p>
@ -705,7 +1150,7 @@ Each of these are described in further detail in the following sections, along w
 -   Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
 <a href="" id="vsmenabled"></a>**VSMEnabled**  
-<p>Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1GB of memory – it has just enough capability to run the LSA service that is used for all authentication brokering.</p>
+<p>Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1 GB of memory – it has enough capability to run the LSA service that is used for all authentication brokering.</p>
 <p>VSM can be enabled by using the following command in WMI or a PowerShell script:</p>
@ -760,7 +1205,7 @@ Each of these are described in further detail in the following sections, along w
 <a href="" id="pcr0"></a>**PCR0**
 <p>The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.</p>
-<p>Enterprise managers can create a allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.</p>
+<p>Enterprise managers can create an allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.</p>
 <p>If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.</p>
@ -776,7 +1221,7 @@ Each of these are described in further detail in the following sections, along w
 <p>If SBCPHash is not present, or is an accepted allow-listed value, then allow access.
-<p>If SBCPHash is present in DHA-Report, and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:</p>
+<p>If SBCPHash is present in DHA-Report, and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:</p>
 - Disallow all access
 - Place the device in a watch list to monitor the device more closely for potential risks.
@ -786,7 +1231,7 @@ Each of these are described in further detail in the following sections, along w
 <p>If CIPolicy is not present, or is an accepted allow-listed value, then allow access.</p>
-<p>If CIPolicy is present and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:</p>
+<p>If CIPolicy is present and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:</p>
 - Disallow all access
 - Place the device in a watch list to monitor the device more closely for potential risks.
@ -816,7 +1261,7 @@ Each of these are described in further detail in the following sections, along w
 <p>In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.</p>
-## **Device HealthAttestation CSP status and error codes**
+### **Device HealthAttestation CSP status and error codes**
 <table>
    <tr>
@ -962,7 +1407,7 @@ Each of these are described in further detail in the following sections, along w
    <tr>
        <td>27</td>
        <td>HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLE</td>
-        <td>DHA-CSP failed to create a HTTP request handle.</td>
+        <td>DHA-CSP failed to create an HTTP request handle.</td>
    </tr>
    <tr>
        <td>28</td>
@ -997,7 +1442,7 @@ Each of these are described in further detail in the following sections, along w
    <tr>
        <td>34</td>
        <td>HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE</td>
-        <td>DHA-CSP received an empty response along with a HTTP error code from DHA-Service.</td>
+        <td>DHA-CSP received an empty response along with an HTTP error code from DHA-Service.</td>
    </tr>
    <tr>
        <td>35</td>
@ -1027,7 +1472,7 @@ Each of these are described in further detail in the following sections, along w
 </table>
-## DHA-Report V3 schema
+### DHA-Report V3 schema
 ```xml
@ -1131,7 +1576,7 @@ Each of these are described in further detail in the following sections, along w
 </xs:schema>
 ```
-## DHA-Report example
+### DHA-Report example
 ```xml
--- a/windows/client-management/mdm/healthattestation-ddf.md
+++ b/windows/client-management/mdm/healthattestation-ddf.md
@ -22,193 +22,430 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
 The XML below is the current version for this CSP.
 ```xml
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='utf-8' standalone='yes'?>
-<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
+<identity
-    "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
+  xmlns="urn:Microsoft.CompPlat/ManifestSchema.v1.00"
-    [<?oma-dm-ddf-ver supported-versions="1.2"?>]>
+  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    <VerDTD>1.2</VerDTD>
+  owner="Microsoft"
-    <Node>
+  namespace="Windows-DeviceManagement-CspDefinition"
  name="HealthAttestation">
  <cspDefinition>
    <MgmtTree>
      <VerDTD>1.2</VerDTD>
      <BinaryPath>$(runtime.windows)\system32\hascsp.dll</BinaryPath>
      <Diagnostics></Diagnostics>
      <ComClsid>{9DCCCE22-C057-424E-B8D1-67935988B174}</ComClsid>
      <Node>
        <NodeName>HealthAttestation</NodeName>
        <Path>./Vendor/MSFT</Path>
        <DFProperties>
-            <AccessType>
+          <AccessType>
-                <Get />
+            <Get />
-            </AccessType>
+          </AccessType>
-            <DFFormat>
+          <Description>The root node for the device HealthAttestation configuration service provider.</Description>
-                <node />
+          <DFFormat>
-            </DFFormat>
+            <node />
-            <Occurrence>
+          </DFFormat>
-                <One />
+          <Occurrence>
-            </Occurrence>
+            <One />
-            <Scope>
+          </Occurrence>
-                <Permanent />
+          <Scope>
-            </Scope>
+            <Permanent />
-            <DFType>
+          </Scope>
-                <MIME>com.microsoft/1.2/MDM/HealthAttestation</MIME>
+          <DFType>
-            </DFType>
+            <MIME>com.microsoft/1.4/MDM/HealthAttestation</MIME>
          </DFType>
          <Applicability>
            <OsBuildVersion>10.0.10586</OsBuildVersion>
            <CspVersion>1.0</CspVersion>
          </Applicability>
          <ExposedTo>
            <Wmi />
            <Mdm />
          </ExposedTo>
        </DFProperties>
        <Node>
-            <NodeName>VerifyHealth</NodeName>
+          <NodeName>VerifyHealth</NodeName>
-            <DFProperties>
+          <DFProperties>
-                <AccessType>
+            <AccessType>
-                    <Exec />
+              <Exec />
-                </AccessType>
+            </AccessType>
-                <DFFormat>
+            <Description>Notifies the device to prepare a device health verification request.</Description>
-                    <null />
+            <DFFormat>
-                </DFFormat>
+              <null />
-                <Occurrence>
+            </DFFormat>
-                    <One />
+            <Occurrence>
-                </Occurrence>
+              <One />
-                <Scope>
+            </Occurrence>
-                    <Permanent />
+            <Scope>
-                </Scope>
+              <Permanent />
-            </DFProperties>
+            </Scope>
            <DFType>
              <MIME>text/plain</MIME>
            </DFType>
            <OneTimeExecution />
          </DFProperties>
        </Node>
        <Node>
-            <NodeName>Status</NodeName>
+          <NodeName>Status</NodeName>
-            <DFProperties>
+          <DFProperties>
-                <AccessType>
+            <AccessType>
-                    <Get />
+              <Get />
-                </AccessType>
+            </AccessType>
-                <DFFormat>
+            <Description>Provides the current status of the device health request.  For the complete list of status see https://docs.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes</Description>
-                    <int />
+            <DFFormat>
-                </DFFormat>
+              <int />
-                <Occurrence>
+            </DFFormat>
-                    <One />
+            <Occurrence>
-                </Occurrence>
+              <One />
-                <Scope>
+            </Occurrence>
-                    <Permanent />
+            <Scope>
-                </Scope>
+              <Permanent />
-                <DFType>
+            </Scope>
-                    <MIME>text/plain</MIME>
+            <DFType>
-                </DFType>
+              <MIME>text/plain</MIME>
-            </DFProperties>
+            </DFType>
          </DFProperties>
        </Node>
        <Node>
-            <NodeName>ForceRetrieve</NodeName>
+          <NodeName>ForceRetrieve</NodeName>
-            <DFProperties>
+          <DFProperties>
-                <AccessType>
+            <AccessType>
-                    <Get />
+              <Get />
-                    <Replace />
+              <Replace />
-                </AccessType>
+            </AccessType>
-                <DefaultValue>False</DefaultValue>
+            <DefaultValue>False</DefaultValue>
-                <DFFormat>
+            <Description>Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.</Description>
-                    <bool />
+            <DFFormat>
-                </DFFormat>
+              <bool />
-                <Occurrence>
+            </DFFormat>
-                    <One />
+            <Occurrence>
-                </Occurrence>
+              <One />
-                <Scope>
+            </Occurrence>
-                    <Permanent />
+            <Scope>
-                </Scope>
+              <Permanent />
-                <DFType>
+            </Scope>
-                    <MIME>text/plain</MIME>
+            <DFType>
-                </DFType>
+              <MIME>text/plain</MIME>
-            </DFProperties>
+            </DFType>
            <AllowedValues ValueType="ENUM">
              <Enum>
                <Value>false</Value>
                <ValueDescription>False</ValueDescription>
              </Enum>
              <Enum>
                <Value>true</Value>
                <ValueDescription>True</ValueDescription>
              </Enum>
            </AllowedValues>
          </DFProperties>
        </Node>
        <Node>
-            <NodeName>Certificate</NodeName>
+          <NodeName>Certificate</NodeName>
-            <DFProperties>
+          <DFProperties>
-                <AccessType>
+            <AccessType>
-                    <Get />
+              <Get />
-                </AccessType>
+            </AccessType>
-                <DFFormat>
+            <Description>Instructs the DHA-CSP to forward DHA-Data to the MDM server.</Description>
-                    <b64 />
+            <DFFormat>
-                </DFFormat>
+              <chr />
-                <Occurrence>
+            </DFFormat>
-                    <One />
+            <Occurrence>
-                </Occurrence>
+              <One />
-                <Scope>
+            </Occurrence>
-                    <Permanent />
+            <Scope>
-                </Scope>
+              <Permanent />
-                <DFType>
+            </Scope>
-                    <DDFName></DDFName>
+            <DFType>
-                </DFType>
+              <MIME>text/plain</MIME>
-            </DFProperties>
+            </DFType>
          </DFProperties>
        </Node>
        <Node>
-            <NodeName>Nonce</NodeName>
+          <NodeName>Nonce</NodeName>
-            <DFProperties>
+          <DFProperties>
-                <AccessType>
+            <AccessType>
-                    <Get />
+              <Get />
-                    <Replace />
+              <Replace />
-                </AccessType>
+            </AccessType>
-                <DefaultValue>\0</DefaultValue>
+            <DefaultValue>\0</DefaultValue>
-                <DFFormat>
+            <Description>Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server. The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.</Description>
-                    <chr />
+            <DFFormat>
-                </DFFormat>
+              <chr />
-                <Occurrence>
+            </DFFormat>
-                    <One />
+            <Occurrence>
-                </Occurrence>
+              <One />
-                <Scope>
+            </Occurrence>
-                    <Permanent />
+            <Scope>
-                </Scope>
+              <Permanent />
-                <DFType>
+            </Scope>
-                    <MIME>text/plain</MIME>
+            <DFType>
-                </DFType>
+              <MIME>text/plain</MIME>
-            </DFProperties>
+            </DFType>
            <AllowedValues ValueType="None">
            </AllowedValues>
          </DFProperties>
        </Node>
        <Node>
-            <NodeName>CorrelationID</NodeName>
+          <NodeName>CorrelationID</NodeName>
-            <DFProperties>
+          <DFProperties>
-                <AccessType>
+            <AccessType>
-                    <Get />
+              <Get />
-                </AccessType>
+            </AccessType>
-                <DFFormat>
+            <Description>Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.</Description>
-                    <chr />
+            <DFFormat>
-                </DFFormat>
+              <chr />
-                <Occurrence>
+            </DFFormat>
-                    <One />
+            <Occurrence>
-                </Occurrence>
+              <One />
-                <Scope>
+            </Occurrence>
-                    <Permanent />
+            <Scope>
-                </Scope>
+              <Permanent />
-                <DFType>
+            </Scope>
-                    <MIME>text/plain</MIME>
+            <DFType>
-                </DFType>
+              <MIME>text/plain</MIME>
-            </DFProperties>
+            </DFType>
            <AllowedValues ValueType="None">
            </AllowedValues>
          </DFProperties>
        </Node>
        <Node>
-            <NodeName>HASEndpoint</NodeName>
+          <NodeName>HASEndpoint</NodeName>
-            <DFProperties>
+          <DFProperties>
-                <AccessType>
+            <AccessType>
-                    <Get />
+              <Get />
-                    <Replace />
+              <Replace />
-                </AccessType>
+            </AccessType>
-                <DFFormat>
+            <DefaultValue>has.spserv.microsoft.com.</DefaultValue>
-                    <chr />
+            <Description>Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.</Description>
-                </DFFormat>
+            <DFFormat>
-                <Scope>
+              <chr />
-                    <Permanent />
+            </DFFormat>
-                </Scope>
+            <Occurrence>
-                <DFType>
+              <One />
-                    <MIME>text/plain</MIME>
+            </Occurrence>
-                </DFType>
+            <Scope>
-            </DFProperties>
+              <Permanent />
            </Scope>
            <DFType>
              <MIME>text/plain</MIME>
            </DFType>
            <AllowedValues ValueType="None">
            </AllowedValues>
          </DFProperties>
        </Node>
        <Node>
-            <NodeName>TpmReadyStatus</NodeName>
+          <NodeName>TpmReadyStatus</NodeName>
-            <DFProperties>
+          <DFProperties>
-                <AccessType>
+            <AccessType>
-                    <Get />
+              <Get />
-                </AccessType>
+            </AccessType>
-                <DFFormat>
+            <Description> Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.</Description>
-                    <int />
+            <DFFormat>
-                </DFFormat>
+              <int />
-                <Occurrence>
+            </DFFormat>
-                    <One />
+            <Occurrence>
-                </Occurrence>
+              <One />
-                <Scope>
+            </Occurrence>
-                    <Permanent />
+            <Scope>
-                </Scope>
+              <Permanent />
-                <DFType>
+            </Scope>
-                    <MIME>text/plain</MIME>
+            <DFType>
-                </DFType>
+              <MIME>text/plain</MIME>
-            </DFProperties>
+            </DFType>
            <Applicability>
              <OsBuildVersion>10.0.14393</OsBuildVersion>
              <CspVersion>1.1</CspVersion>
            </Applicability>
          </DFProperties>
        </Node>
-    </Node>
+        <Node>
-</MgmtTree>
+          <NodeName>CurrentProtocolVersion</NodeName>
          <DFProperties>
            <AccessType>
              <Get />
            </AccessType>
            <Description>Provides the current protocol version that the client is using to communicate with the Health Attestation Service.</Description>
            <DFFormat>
              <int />
            </DFFormat>
            <Occurrence>
              <One />
            </Occurrence>
            <Scope>
              <Permanent />
            </Scope>
            <DFType>
              <MIME>text/plain</MIME>
            </DFType>
            <Applicability>
              <OsBuildVersion>10.0.16299</OsBuildVersion>
              <CspVersion>1.3</CspVersion>
            </Applicability>
          </DFProperties>
        </Node>
        <Node>
          <NodeName>PreferredMaxProtocolVersion</NodeName>
          <DFProperties>
            <AccessType>
              <Get />
              <Replace />
            </AccessType>
            <DefaultValue>3</DefaultValue>
            <Description>Provides the maximum preferred protocol version that the client is configured to communicate over. If this is higher than the protocol versions supported by the client it will use the highest protocol version available to it.</Description>
            <DFFormat>
              <int />
            </DFFormat>
            <Occurrence>
              <One />
            </Occurrence>
            <Scope>
              <Permanent />
            </Scope>
            <DFType>
              <MIME>text/plain</MIME>
            </DFType>
            <Applicability>
              <OsBuildVersion>10.0.16299</OsBuildVersion>
              <CspVersion>1.3</CspVersion>
            </Applicability>
            <AllowedValues ValueType="None">
            </AllowedValues>
          </DFProperties>
        </Node>
        <Node>
          <NodeName>MaxSupportedProtocolVersion</NodeName>
          <DFProperties>
            <AccessType>
              <Get />
            </AccessType>
            <Description>Returns the maximum protocol version that this client can support.</Description>
            <DFFormat>
              <int />
            </DFFormat>
            <Occurrence>
              <One />
            </Occurrence>
            <Scope>
              <Permanent />
            </Scope>
            <DFType>
              <MIME>text/plain</MIME>
            </DFType>
            <Applicability>
              <OsBuildVersion>10.0.16299</OsBuildVersion>
              <CspVersion>1.3</CspVersion>
            </Applicability>
          </DFProperties>
        </Node>
        <Node>
          <NodeName>TriggerAttestation</NodeName>
          <DFProperties>
            <AccessType>
              <Exec />
            </AccessType>
            <Description>Notifies the device to trigger an attestation session asynchronously.</Description>
            <DFFormat>
              <chr />
            </DFFormat>
            <Occurrence>
              <One />
            </Occurrence>
            <Scope>
              <Permanent />
            </Scope>
            <DFType>
              <MIME>text/plain</MIME>
            </DFType>
            <Applicability>
              <OsBuildVersion>99.9.99999</OsBuildVersion>
              <CspVersion>1.4</CspVersion>
            </Applicability>
            <AsynchronousTracking ResourceSuccessURI="AttestStatus" />
            <OneTimeExecution />
          </DFProperties>
        </Node>
        <Node>
          <NodeName>GetAttestReport</NodeName>
          <DFProperties>
            <AccessType>
              <Get />
            </AccessType>
            <Description>Retrieve attestation session report if exists.</Description>
            <DFFormat>
              <chr />
            </DFFormat>
            <Occurrence>
              <One />
            </Occurrence>
            <Scope>
              <Permanent />
            </Scope>
            <DFType>
              <DDFName></DDFName>
            </DFType>
            <Applicability>
              <OsBuildVersion>99.9.99999</OsBuildVersion>
              <CspVersion>1.4</CspVersion>
            </Applicability>
          </DFProperties>
        </Node>
        <Node>
          <NodeName>AttestStatus</NodeName>
          <DFProperties>
            <AccessType>
              <Get />
            </AccessType>
            <Description>AttestStatus maintains the success or failure status code for the last attestation session.</Description>
            <DFFormat>
              <int />
            </DFFormat>
            <Occurrence>
              <One />
            </Occurrence>
            <Scope>
              <Permanent />
            </Scope>
            <DFType>
              <MIME>text/plain</MIME>
            </DFType>
            <Applicability>
              <OsBuildVersion>99.9.99999</OsBuildVersion>
              <CspVersion>1.4</CspVersion>
            </Applicability>
          </DFProperties>
        </Node>
        <Node>
          <NodeName>GetServiceCorrelationIDs</NodeName>
          <DFProperties>
            <AccessType>
              <Get />
            </AccessType>
            <Description>Retrieve service correlation IDs if exist.</Description>
            <DFFormat>
              <chr />
            </DFFormat>
            <Occurrence>
              <One />
            </Occurrence>
            <Scope>
              <Permanent />
            </Scope>
            <DFType>
              <DDFName></DDFName>
            </DFType>
            <Applicability>
              <OsBuildVersion>99.9.99999</OsBuildVersion>
              <CspVersion>1.4</CspVersion>
            </Applicability>
          </DFProperties>
        </Node>
      </Node>
    </MgmtTree>
  </cspDefinition>
 </identity>
 ```
--- a/windows/client-management/mdm/images/maa-attestation-flow.png
+++ b/windows/client-management/mdm/images/maa-attestation-flow.png
--- a/windows/configuration/supported-csp-taskbar-windows.md
+++ b/windows/configuration/supported-csp-taskbar-windows.md
@ -35,6 +35,10 @@ For more general information, see [Configuration service provider (CSP) referenc
  - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not allow pinning programs to the Taskbar`
  - Local setting: None
 - [Experience/ConfigureChatIcon](/windows/client-management/mdm/policy-csp-experience#experience-configurechaticonvisibilityonthetaskbar)
  - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Chat`
  - Local setting: Settings > Personalization > Taskbar > Chat
 ## Existing CSP policies that Windows 11 doesn't support
 The following list includes some of the CSP policies that aren't supported on Windows 11:
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@ -45,9 +45,11 @@ Refer to the following list for what each state means:
 Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows client release information pages for any given release. 
-## Queries for safeguard holds
+### Queries for safeguard holds
-Update Compliance reporting offers two queries to help you retrieve data related to safeguard holds. The first query shows the device data for all devices that are affected by safeguard holds. The second query shows data specific to devices running the target build.
+Update Compliance reporting offers two queries to help you retrieve data related to safeguard holds. These queries show data for devices that are configured to send diagnostic data at the *Optional* level (previously *Full*). For Windows 10 devices, devices configured to send diagnostic data at *Enhanced* level are also included.
 The first query shows the device data for all devices that are affected by safeguard holds. The second query shows data specific to devices running the target build.
 ![Left pane showing Need Attention, Security update status, feature update status, and Windows Defender AV status, with Need Attention selected. Right pane shows the list of queries relevant to the Need Attention status, with "Devices with a safeguard hold" and "Target build distribution of devices with a safeguard hold" queries highlighted](images/UC_workspace_safeguard_queries.png)
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@ -44,7 +44,7 @@ Before you begin the process to add Update Compliance to your Azure subscription
 - **Compatible operating systems and editions**: Update Compliance works only with Windows 10 or Windows 11 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 or Windows 11 Enterprise edition, as well as [Windows 10 Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows client version and is not currently compatible with Windows Server, Surface Hub, IoT, or other versions.
 - **Compatible Windows client servicing channels**: Update Compliance supports Windows client devices on the General Availability Channel and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview devices, but does not currently provide detailed deployment insights for them.
- **Diagnostic data requirements**: Update Compliance requires devices be configured to send diagnostic data at *Required* level (previously *Basic*). To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy).
+- **Diagnostic data requirements**: Update Compliance requires devices to send diagnostic data at *Required* level (previously *Basic*). Some queries in Update Compliance require devices to send diagnostic data at *Optional* level (previously *Full*) for Windows 11 devices or *Enhanced* level for Windows 10 devices. To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319).
 - **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md).
 - **Showing device names in Update Compliance**: For Windows 10, version 1803 or later, device names will not appear in Update Compliance unless you individually opt-in devices by using policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@ -223,5 +223,10 @@ sections:
      - question: Does Windows Hello for Business work with Mac and Linux clients?
        answer: |
-          Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft is not developing clients for other platforms. 
+          Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
          Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft is not developing clients for other platforms.
      - question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients?
        answer: | 
          No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD is not available for it via Azure AD Connect. Hence, Windows Hello for Business does not work with Azure AD.
--- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 08/10/2021
+ms.date: 10/19/2021
 ms.technology: mde
 ---
@ -26,8 +26,8 @@ ms.technology: mde
 -   Windows 11
 -   Windows Server 2016 and above
->[!NOTE]
+> [!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called _managed installer_, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager.
@ -41,8 +41,7 @@ Ensure that the WDAC policy allows the system/boot components and any other auth
 ## Security considerations with managed installer
-Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do.
+Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. The managed installer is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM).
 It's best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM).
 Users with administrator privileges, or malware running as an administrator user on the system, may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed.
@ -85,19 +84,19 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS
 2. Manually rename the rule collection to ManagedInstaller
-    Change
+    Change:
    ```powershell
    <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    ```
-    to
+    to:
    ```powershell
    <RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
    ```
-An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), Powershell, and PowerShell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer.
+An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), PowerShell, and PowerShell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer.
 ```xml
 <AppLockerPolicy Version="1">
@ -177,45 +176,9 @@ An example of a valid Managed Installer rule collection, using Microsoft Endpoin
  </RuleCollection>
 </AppLockerPolicy>
 ```
 ### Enable service enforcement in AppLocker policy
-Since many installation processes rely on services, it is typically necessary to enable tracking of services.
+>[!NOTE]
-Correct tracking of services requires the presence of at least one rule in the rule collection. So, a simple audit-only rule will suffice. The audit rule can be added to the policy created above, which specifies the rule collection of your managed installer.
+>Since many installation processes rely on services, it is typically necessary to enable tracking of services. Correct tracking of services requires the presence of at least one rule in the rule collection. So, a simple audit-only rule will suffice. 
 For example:
 ```xml
 <RuleCollection Type="Dll" EnforcementMode="AuditOnly" >
    <FilePathRule Id="86f235ad-3f7b-4121-bc95-ea8bde3a5db5" Name="Dummy Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\ThisWillBeBlocked.dll" />
      </Conditions>
    </FilePathRule>
    <RuleCollectionExtensions>
      <ThresholdExtensions>
        <Services EnforcementMode="Enabled" />
      </ThresholdExtensions>
      <RedstoneExtensions>
        <SystemApps Allow="Enabled"/>
      </RedstoneExtensions>
    </RuleCollectionExtensions>
  </RuleCollection>
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="9420c496-046d-45ab-bd0e-455b2649e41e" Name="Dummy Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\ThisWillBeBlocked.exe" />
      </Conditions>
    </FilePathRule>
    <RuleCollectionExtensions>
      <ThresholdExtensions>
        <Services EnforcementMode="Enabled" />
      </ThresholdExtensions>
      <RedstoneExtensions>
        <SystemApps Allow="Enabled"/>
      </RedstoneExtensions>
    </RuleCollectionExtensions>
  </RuleCollection>
 ```
 ## Enable the managed installer option in WDAC policy
@ -234,7 +197,7 @@ Below are steps to create a WDAC policy that allows Windows to boot and enables
    Set-CIPolicyIdInfo -FilePath <XML filepath> -PolicyName "<friendly name>" -ResetPolicyID
    ```
-3. Set Option 13 (Enabled:Managed Installer)
+3. Set Option 13 (Enabled:Managed Installer).
    ```powershell
    Set-RuleOption -FilePath <XML filepath> -Option 13
@ -305,4 +268,4 @@ Once you've completed configuring your chosen Managed Installer, by specifying w
   ```powershell
   Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue
   ```
-   This command will show the raw XML to verify the individual rules that were set.
+   This command will show the raw XML to verify the individual rules that were set.